OK, this looks good, but keeps the user locked from time to time:

# ipa pwpolicy-show --user kinit-user
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0



Can we make sure we apply a policy to the sysaccounts users or is that
undoable ?

2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> OK, nice,but this user failed on kinit but is in the group where the
>> policy is set to 0.
>>
>> Can I check on the commandline if it applies to that setting by
>> querying ldap in some way ? It could be that some other group
>> overrules in some way ?
>
> $ ipa pwpolicy-show --user <someuser>
>
>> What about sysaccounts ? They seem to be locked also with too many
>> logins, and this concerns me as they are not POSIX.
>
> They may be getting the global policy applied.
>
> rob
>
>>
>>
>>
>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> I'm having an issue that a user which I use for the API is getting
>>>> locked out from time to time.
>>>>
>>>> I have created a specific password policy for this user with:
>>>>
>>>> Lockout duration (seconds) 0
>>>>
>>>> But this doesn't help much.
>>>>
>>>> Anyone an idea how I can make sure a user is not locked out in any way
>>>> by lots of logins or tries, etc and be able to test it functions
>>>> allright ?
>>>
>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>> sure to test both LDAP bind and kinit.
>>>
>>> rob
>>>
>>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to