#2162 Login failed attempts counter or locked out status are not displayed in WebUI or "ipa user-show" command
Closed: Fixed None Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=759501

Description of problem:

When failed login attempts are more than maximum specified, the account is
locked in all clients, no matter if the user is cached in that client or not
(expected behaviour). But, in IdM server, 'ipa user-show' command, as well as
WebUI, show the user account as still enabled.

For diagnosis in case of account troubles, or if an administrator is needed to
manually enable locked-out accounts, the right status of the locked-out account
should be shown in WebUI and ipa command.

There is a distinction between a disabled account and one locked out due to too
many failed logins.

We don't currently show the number of failed logins or that lockout status.



Version-Release number of selected component (if applicable):
RHEL 6.2

How reproducible:
Always

Steps to Reproduce:
1. Log in with the wrong password more times than allowed by configuration

Actual results:
Account is locked out, but this status isn't reflected in WebUI or by command
"ipa user-show".
It does not reflect the number of failed attempts either.

Expected results:
The number of failed attempts should be displayed in WebUI or by command "ipa
user-show"

Additional info:

Display "locked until X"

The attributes we care about are:

- krbLastSuccessfulAuth: 20120213203655Z
- krbLastFailedAuth: 20120213203413Z
- krbLoginFailedCount: 0

Will add a new command to return status of user on all replicas. Question is whether we'll be able to make authenticated queries against other LDAP servers with S4U2Proxy.

(In #2334) krbLastSuccessfulAuth and krbLastFailedAuth are not being set either.

Going to implement this as a separate command, user-status, which will return a list that will look something like:

server: foo
failed login count: 1
last successful authentication: <date>
last failed authentication: <date>

server: bar
failed login count: 0
last successful authentication: <date>
last failed authentication: <date>

We have the list of masters in cn=masters,cn=ipa,cn=etc,$SUFFIX.

Moving to next month's iteration.

QE has asked for a few improvements. Because this is called "user-status" they would like it to include the account enabled/disabled status.

Simo suggested adding the time that each master was contacted, as lockout is very time-sensitive.

I will add some guidance on how to read the output to the help.

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago
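
An added example, not part of the ticket and not FreeIPA's own code: it derives the "locked until X" value the ticket asks for from the three attributes listed above and prints one block per master in the layout sketched for user-status. The lockout rule, the policy parameters max_failures and lockout_seconds, the extra "lockout:" line and the sample values for masters foo and bar are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20120213203413Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lockout_status(entry, max_failures, lockout_seconds, now):
    """Return (locked, locked_until) for one master's copy of a user entry;
    locked_until is None if not locked or if only an administrator can unlock."""
    failed = int(entry.get("krbLoginFailedCount", 0))
    last_failed = entry.get("krbLastFailedAuth")
    # Assumed rule: a limit of 0 disables lockout; below the limit is not locked.
    if max_failures == 0 or failed < max_failures or last_failed is None:
        return (False, None)
    if lockout_seconds == 0:  # assumed rule: a duration of 0 never expires
        return (True, None)
    until = parse_gt(last_failed) + timedelta(seconds=lockout_seconds)
    return (True, until) if now < until else (False, None)

def user_status(per_master, max_failures, lockout_seconds, now):
    """Build one report block per master, in the layout sketched in the ticket."""
    blocks = []
    for server in sorted(per_master):
        entry = per_master[server]
        locked, until = lockout_status(entry, max_failures, lockout_seconds, now)
        if locked:
            state = "locked until %s" % (until.isoformat() if until else "unlocked by an administrator")
        else:
            state = "not locked"
        blocks.append("\n".join([
            "server: %s" % server,
            "failed login count: %s" % entry.get("krbLoginFailedCount", 0),
            "last successful authentication: %s" % entry.get("krbLastSuccessfulAuth", "never"),
            "last failed authentication: %s" % entry.get("krbLastFailedAuth", "never"),
            "lockout: %s" % state,  # added line, not in the ticket's sketch
        ]))
    return "\n\n".join(blocks)

# Constructed sample: each master holds its own counters for the same user.
SAMPLE = {
    "foo": {"krbLoginFailedCount": "6", "krbLastFailedAuth": "20120213203413Z",
            "krbLastSuccessfulAuth": "20120213100000Z"},
    "bar": {"krbLoginFailedCount": "0", "krbLastFailedAuth": "20120213203413Z",
            "krbLastSuccessfulAuth": "20120213203655Z"},
}
NOW = datetime(2012, 2, 13, 20, 40, 0, tzinfo=timezone.utc)  # constructed query time

if __name__ == "__main__":
    print(user_status(SAMPLE, max_failures=6, lockout_seconds=600, now=NOW))
```

With these sample values the account is locked on foo and usable on bar at the same moment, which is why the status has to be reported per master.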
