Hebert, Henry wrote:
Aha!  See Max failures below...

[root@hostname ~]# ipa pwpolicy-show --user=admin
   Group: global_policy
   Max lifetime (days): 365
   Min lifetime (hours): 1
   History size: 1
   Character classes: 1
   Min length: 8
   Max failures: 12
   Failure reset interval: 0
   Lockout duration: 0

Is there a command like pam_tally2 for ipa to reset the number of failed
logins?

ipa user-unlock <user>

You need to be in the admins group to execute this. The account is permanently locked (until unlocked) because the lockout duration is 0, meaning forever.

If you have the DM password we can use that account to unlock admin if you have no other users in the admins group.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
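
Added example, not part of the original thread and not FreeIPA code: a small check that reads `ipa pwpolicy-show` output in the format quoted above and reports whether a locked account recovers on its own or stays locked until `ipa user-unlock` is run. The function names, the 600 value, the treatment of `Max failures: 0` as "no lockout", and the duration unit of seconds are assumptions not taken from the thread.

```python
import re

# Constructed input: the pwpolicy-show output quoted in the message above.
QUOTED_POLICY = """\
[root@hostname ~]# ipa pwpolicy-show --user=admin
   Group: global_policy
   Max lifetime (days): 365
   Min lifetime (hours): 1
   History size: 1
   Character classes: 1
   Min length: 8
   Max failures: 12
   Failure reset interval: 0
   Lockout duration: 0
"""

FIELD = re.compile(r"^\s*([A-Za-z][^:]*):\s*(\S.*?)\s*$")


def parse_pwpolicy(text):
    """Map each 'Label: value' line to a dict entry, converting integers."""
    policy = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:  # the shell prompt line and blank lines do not match
            label, value = match.groups()
            policy[label] = int(value) if value.isdigit() else value
    return policy


def lockout_behaviour(policy):
    """Classify what happens once an account reaches 'Max failures'."""
    try:
        max_failures = policy["Max failures"]
        duration = policy["Lockout duration"]
    except KeyError as missing:
        raise ValueError(f"policy output lacks {missing}") from None
    if not isinstance(max_failures, int) or not isinstance(duration, int):
        raise ValueError("lockout fields must be integers")
    if max_failures == 0:
        # Assumption, not stated in the thread: 0 failures means no lockout.
        return "no-lockout"
    # Per the reply above, a duration of 0 means locked until unlocked.
    # Assumption: a non-zero duration is expressed in seconds.
    return "until-admin-unlock" if duration == 0 else f"auto-unlock-after-{duration}s"


if __name__ == "__main__":
    print(lockout_behaviour(parse_pwpolicy(QUOTED_POLICY)))
    fixed = QUOTED_POLICY.replace("Lockout duration: 0", "Lockout duration: 600")
    print(lockout_behaviour(parse_pwpolicy(fixed)))
```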
