Resolution was a little different than the Fedora Project URL.

ldapmodify -x -D "cn=directory manager" -w *your bind password (for simple authentication)*
dn: uid=admin,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=com
changetype: modify
delete: krbLoginFailedCount
(Ctrl-D)

ipa user-status admin now shows zero.

Thanks for all your help Rob.

Henry

On Fri, Aug 2, 2013 at 10:55 AM, Henry Hebert <henry.heb...@roche.com> wrote:

> I found this. http://directory.fedoraproject.org/wiki/Howto:PasswordReset
> Still trying to get the syntax down correctly but I think this is what I
> am looking for.
>
> On Fri, Aug 2, 2013 at 10:15 AM, Henry Hebert <henry.heb...@roche.com> wrote:
>
>> Rob I tried the command. How do I unlock the account using the DM?
>>
>> [hhebertXXX@hostname ~]$ kinit hhebertXXX
>> Password for hhebert...@dc.com:
>>
>> [hhebertXXX@hostname ~]$ ipa user-unlock admin
>> ipa: ERROR: Server is unwilling to perform: Entry permanently locked.
>> [hhebertXXX@hostname ~]$
>>
>> and now my username is permanently locked.
>>
>> [hhebertXXX@hostname ~]$ ipa user-status hhebertXXX
>> ipa: ERROR: Server is unwilling to perform: Entry permanently locked.
>>
>> On Thu, Aug 1, 2013 at 4:52 PM, Henry Hebert <henry.heb...@roche.com> wrote:
>>
>>> I have the DM password how do I unlock with it? ipa user-find doesn't
>>> show any user named Directory Manager?
>>>
>>> On Thu, Aug 1, 2013 at 4:43 PM, Henry Hebert <henry.heb...@roche.com> wrote:
>>>
>>>> My user is in the admins group however not in the "trust admins"
>>>>
>>>>   Group name: admins
>>>>   Description: Account administrators group
>>>>   GID: 988200000
>>>>   Member users: admin, XXXXXXXXX, hhebertXXX
>>>>   Member of HBAC rule: hostname
>>>>
>>>>   Group name: trust admins
>>>>   Description: Trusts administrators group
>>>>   Member users: admin
>>>>
>>>> I ran the above command to the same results.
>>>>
>>>> [hhebertXXX@hostname ~]$ ipa user-unlock admin
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>
>>>> I am asking the installer about the DM password.
>>>>
>>>> Again thx for all your help.
>>>> Henry
>>>>
>>>> On Thu, Aug 1, 2013 at 4:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>>> Hebert, Henry wrote:
>>>>>
>>>>>> Aha!
>>>>>> See Max failures below...
>>>>>>
>>>>>> [root@hostname ~]# ipa pwpolicy-show --user=admin
>>>>>>   Group: global_policy
>>>>>>   Max lifetime (days): 365
>>>>>>   Min lifetime (hours): 1
>>>>>>   History size: 1
>>>>>>   Character classes: 1
>>>>>>   Min length: 8
>>>>>>   Max failures: 12
>>>>>>   Failure reset interval: 0
>>>>>>   Lockout duration: 0
>>>>>>
>>>>>> is there a command like pam_tally2 for ipa to reset the number of
>>>>>> failed logins?
>>>>>>
>>>>>
>>>>> ipa user-unlock <user>
>>>>>
>>>>> You need to be in the admins group to execute this. The account is
>>>>> permanently locked (until unlocked) because the lockout duration is 0,
>>>>> meaning forever.
>>>>>
>>>>> If you have the DM password we can use that account to unlock admin if
>>>>> you have no other users in the admins group.
>>>>>
>>>>> rob
>>>>>
>>>
>>> --
>>>
>>> Henry Hebert
>>> System Administrator III
>>> 454 Life Sciences
>>> A Roche Company
>>>
>>> 15 Commercial Street
>>> Branford, CT 06405
>>> Phone +1 203 871 2249
>>> Mobile +1 203 215 5904
>>> e-mail henry.heb...@roche.com
>>>
>>> Visit our new webpage, featuring the “454 Sequencing breakthrough
>>> community webinar series” at www.454.com
>>>
>>> Confidentiality Note
>>> This message is intended only for the use of the named recipient(s) and
>>> may contain confidential and/or privileged information. If you are not the
>>> intended recipient, please contact the sender and delete the message. Any
>>> unauthorized use of the information contained in this message is prohibited.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
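
Added example (not part of the original thread, and not FreeIPA's own code): a simplified Python model of the lockout rule Rob describes, run over the pwpolicy-show output quoted above, to flag policies where a lockout never expires. The function names, the timestamps in seconds, and treating a Max failures of 0 as lockout disabled are assumptions.

```python
# Constructed sample: the `ipa pwpolicy-show --user=admin` output quoted in the thread.
SAMPLE_POLICY = """\
  Group: global_policy
  Max lifetime (days): 365
  Min lifetime (hours): 1
  History size: 1
  Character classes: 1
  Min length: 8
  Max failures: 12
  Failure reset interval: 0
  Lockout duration: 0
"""


def parse_pwpolicy(text):
    """Turn the 'Key: value' lines of pwpolicy-show output into a dict."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            policy[key] = int(value) if value.isdigit() else value
    return policy


def lock_state(policy, failed_count, last_failed, now):
    """Simplified model (assumption): times are in seconds since the epoch."""
    max_fail = policy.get("Max failures", 0)
    duration = policy.get("Lockout duration", 0)
    if max_fail == 0 or failed_count < max_fail:  # assumption: 0 disables lockout
        return "unlocked"
    if duration == 0:  # the thread's case: locked until an administrator resets it
        return "permanently locked"
    return "temporarily locked" if now < last_failed + duration else "unlocked"


def audit(policy):
    """Flag policies where failed logins alone can lock an account for good."""
    findings = []
    if policy.get("Max failures", 0) > 0 and policy.get("Lockout duration", 0) == 0:
        findings.append(
            "%s: %d failed logins lock an account until it is reset by hand"
            % (policy.get("Group", "?"), policy["Max failures"])
        )
    return findings


if __name__ == "__main__":
    policy = parse_pwpolicy(SAMPLE_POLICY)
    print(lock_state(policy, failed_count=12, last_failed=0, now=10**9))
    print(audit(policy))
```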