#2643 Notify user that account is locked in forms-based login
Closed: wontfix 5 years ago Opened 12 years ago by pvoborni.

With #2608 user is notified if password is expired or password is incorrect. If user account is locked, user is told that his password is incorrect which is not a desired behaviour.

User should be told that the account is locked.


Server already sends four variations of 401 unauthorized messages:

1) Invalid password:
- kinit message: {{{kinit: Password incorrect while getting initial credentials}}}
- http header: {{{X-IPA-Rejection-Reason:invalid-password}}}
2) Password expired:
- kinit message: {{{kinit: Cannot read password while getting initial credentials}}}
- http header: {{{X-IPA-Rejection-Reason:password-expired}}}
3) Account locked - invalid or valid password:
- kinit message: {{{kinit: Clients credentials have been revoked while getting initial credentials}}}
- http header: {{{X-IPA-Rejection-Reason:invalid-password}}}
4) Account locked - expired password:
- kinit message: {{{kinit: Clients credentials have been revoked while getting initial credentials}}}
- http header: {{{X-IPA-Rejection-Reason:password-expired}}}

Note: UI uses its own messages not the kinit ones. They are dependent on http header.

You can see that there is already a distinction between invalid password and locked account. So this ticket is about adding proper http header and UI message for locked account.
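
The four cases listed above, as an added example that is not part of the ticket or of FreeIPA's code: it shows that the two header values sent today each cover two different kinit failures, and one way to derive a distinct value from the kinit output. The `account-locked` value, the UI strings and all function names are hypothetical; the kinit messages and the two existing header values are taken from the ticket.

```python
# Added illustration, not FreeIPA source code. The kinit messages and the two
# existing header values are quoted from the ticket; "account-locked" and the
# UI strings are hypothetical.
from collections import defaultdict

HEADER = "X-IPA-Rejection-Reason"
K_BAD = "kinit: Password incorrect while getting initial credentials"
K_EXPIRED = "kinit: Cannot read password while getting initial credentials"
K_REVOKED = "kinit: Clients credentials have been revoked while getting initial credentials"
# (kinit message, header value sent today) for the ticket's four cases.
CURRENT = [(K_BAD, "invalid-password"), (K_EXPIRED, "password-expired"),
           (K_REVOKED, "invalid-password"), (K_REVOKED, "password-expired")]
# Ordered rules: the lock check comes first so it wins over any other match.
RULES = [("credentials have been revoked", "account-locked"),  # hypothetical value
         ("Password incorrect", "invalid-password"),
         ("Cannot read password", "password-expired")]
UI_MESSAGES = {  # hypothetical wording
    "invalid-password": "The password you entered is incorrect.",
    "password-expired": "Your password has expired.",
    "account-locked": "Your account is locked.",
}


def ambiguous_headers(cases):
    """Header values that today stand for more than one kinit failure."""
    seen = defaultdict(set)
    for kinit_msg, header in cases:
        seen[header].add(kinit_msg)
    return {h: sorted(m) for h, m in seen.items() if len(m) > 1}


def rejection_reason(kinit_stderr):
    """Derive the header value from kinit output; None if unrecognised."""
    for needle, reason in RULES:
        if needle in kinit_stderr:
            return reason
    return None


def ui_message(headers):
    """Message the login form shows for a 401 (header names are case-insensitive)."""
    lookup = {k.lower(): v.strip() for k, v in headers.items()}
    return UI_MESSAGES.get(lookup.get(HEADER.lower()), "Login failed.")
```

Because case 3 applies to valid and invalid passwords alike, a distinct locked-account value is returned to anyone who submits that username, so it also discloses the account's lock state to unauthenticated clients.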

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
