On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
> On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
> <is...@fintech.ru> wrote:
>> Dear Freeipa users and developers,
>> We need to alter the default behavior of the IdM server in the situation
>> when a user exceeds the limit of incorrect password login attempts.
>> By default the user gets locked in this case, but we need to disable
>> him fully.
> As in, delete the user? Because locking the account is disabling it,
> unless I misunderstand it. I cannot log in, my cron jobs will fail, I
> cannot use any LDAP/Kerberos service because my account is disabled.
> What do you need exactly? Or maybe you refer to the fact that the lock
> is temporary (standard 600 seconds, after which you may try logging in
> again)? In that case, change that in the password policies (in the web
> interface, policy tab, then password policy, then open the
> global_policy, then edit the lockout duration field and update it).
For completeness, the same in the CLI as an admin user:
To get the values:
$ ipa pwpolicy-show
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
To change a value:
$ ipa pwpolicy-mod global_policy --lockouttime=INT
(where INT is the number of seconds you want the lock to be
implemented; set it to a huge number, like 946080000. In practice 30
years (3600 secs * 24 hours * 365 days * 30 years) is like a life
sentence ;-) for the accounts.)
Freeipa-users mailing list
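
An added example, not part of the original thread or of FreeIPA's own tooling: a shell function that reads `ipa pwpolicy-show` output and reports how many failed logins per account per day the lockout settings tolerate across lock cycles, so the default 600 seconds can be compared with the large value suggested above. The name `lockout_report` and the sample input are constructed here, and the calculation is a simplification that ignores the failure reset interval.

```shell
#!/bin/sh
# Added example: summarise the lockout fields printed by `ipa pwpolicy-show`.
# Reads the command output on stdin and prints one summary line.

# Constructed sample input, using the field layout shown in the thread.
SAMPLE_POLICY='Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600'

# lockout_report (hypothetical helper name)
# exit 0: summary printed; 1: fields missing; 2: a zero value, not evaluated
lockout_report() {
    awk -F': *' '
        {
            sub(/^[ \t]+/, "", $1)        # tolerate indented output
            gsub(/[ \t\r]+$/, "", $2)     # tolerate trailing whitespace / CR
        }
        $1 == "Max failures"     { maxfail = $2 }
        $1 == "Lockout duration" { lock = $2 }
        END {
            if (maxfail !~ /^[0-9]+$/ || lock !~ /^[0-9]+$/) {
                print "error: Max failures / Lockout duration not found"
                exit 1
            }
            if (lock == 0 || maxfail == 0) {
                # Check the documentation of your version for what 0 means.
                print "maxfail=" maxfail " lockout=" lock "s: zero value, not evaluated"
                exit 2
            }
            # Model: maxfail failures, then the account is locked for
            # lock seconds, then the cycle can repeat.
            per_day = int(maxfail * 86400 / lock)
            days = int(lock / 86400)
            printf "maxfail=%d lockout=%ds (%d days) failures_per_day<=%d\n",
                   maxfail, lock, days, per_day
        }'
}

# On an IPA client this would be: ipa pwpolicy-show | lockout_report
printf '%s\n' "$SAMPLE_POLICY" | lockout_report
```
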