On 23/06/2023 01:50, Djerk Geurts via FreeIPA-users wrote:
> What are the available options? Right now having to log into multiple
> IPA servers to find lockouts is a real pita

I don't believe you can see this from the web console, but you can use
the 'ipa user-status' command which will show you the lockout status on
all servers.

> and security wise it like
> either failed Auth counters or the lockout status to be replicated.

Unfortunately I don't think there's any updates past what is found at
<https://pagure.io/freeipa/issue/3700>.
Maybe you could modify each nsds5replicationagreement on each of your
IPA servers to remove krblastfailedauth and krbloginfailedcount from the
nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal
attributes. But:
* you'd be stepping into unsupported territory
* you'd want to take careful note of the increase in replication
  traffic between all your servers
* you'd have to remember to do it for any newly-created replication
  agreements
* having never tried it, I expect there are other problems that I
  don't know about ;)

> The ability to unlock from a single IPA server would also be pretty sweet.

From the web console you can go to a user -> Actions -> Unlock, or you
can use the 'ipa user-unlock' command. This operation will unlock the
user on all servers.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
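
Added example, not part of the original message and not FreeIPA's own code: a Python sketch that reads the per-server blocks printed by 'ipa user-status' and reports the servers where the failure counters indicate a lockout. The sample output is constructed; the field names, the timestamp format, the host names and the policy semantics (maxfail and lockout duration taken from the user's password policy) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ipa user-status` output (two servers). The field
# names and ISO timestamp format are assumptions; check your version's output.
SAMPLE = """\
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.test
  Failed logins: 6
  Last successful authentication: 2023-06-22T08:01:10Z
  Last failed authentication: 2023-06-23T00:41:55Z
  Time now: 2023-06-23T00:45:00Z

  Server: ipa2.example.test
  Failed logins: 1
  Last successful authentication: 2023-06-22T23:58:02Z
  Last failed authentication: 2023-06-20T09:12:40Z
  Time now: 2023-06-23T00:45:01Z
----------------------------
Number of entries returned 2
----------------------------
"""
TS = "%Y-%m-%dT%H:%M:%SZ"

def parse_status(text):
    """Return one dict per indented 'Server:' block."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m and m.group(1) == "Server":
            servers.append({"Server": m.group(2).strip()})
        elif m and servers:
            servers[-1][m.group(1)] = m.group(2).strip()
    return servers

def locked_servers(text, maxfail, lockout_seconds):
    """Servers where the counters indicate a lockout under the given policy.
    Assumed semantics: maxfail 0 disables lockout, lockout_seconds 0 is permanent."""
    locked = []
    for s in parse_status(text):
        if maxfail == 0 or int(s.get("Failed logins", 0)) < maxfail:
            continue
        try:
            last_fail = datetime.strptime(s["Last failed authentication"], TS)
            now = datetime.strptime(s["Time now"], TS)
        except (KeyError, ValueError):
            continue  # no parseable failure time (e.g. "N/A"): not flagged
        if lockout_seconds == 0 or now < last_fail + timedelta(seconds=lockout_seconds):
            locked.append(s["Server"])
    return locked
```

Because the counters are per server, a user can be flagged on one replica and not on another, which is the situation the thread describes.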