Great summary of how it works, thanks!

Sam Morris via FreeIPA-users wrote:
> On 23/06/2023 01:50, Djerk Geurts via FreeIPA-users wrote:
>> What are the available options? Right now having to log into multiple
>> IPA servers to find lockouts is a real pita
>
> I don't believe you can see this from the web console, but you can use
> the 'ipa user-status' command which will show you the lockout status on
> all servers.

Yeah, I don't think there is a webui equivalent. IIRC we may do some work client-side. That or it can take so long the UI would time out. I forget.

>> and security wise it like either failed Auth counters or the lockout
>> status to be replicated.
>
> Unfortunately I don't think there's any updates past what is found at
> <https://pagure.io/freeipa/issue/3700>.
>
> Maybe you could modify each nsds5replicationagreement on each of your
> IPA servers to remove krblastfailedauth and krbloginfailedcount from the
> nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal
> attributes. But:
>
> * you'd be stepping into unsupported territory
> * you'd want to take careful note of the increase in replication
>   traffic between all your servers
> * you'd have to remember to do it for any newly-created replication
>   agreements
> * having never tried it, I expect there are other problems that I don't
>   know about ;)

I think that will do it. When this type of replication was enabled in the past users reported "storms" of replication activity when everyone showed up for work in the morning. If you have a small or TZ distributed org it could work fine. Or not. And remember this is for every single authentication so any issue would be unpredictable. It's just known to happen when everyone sits down at their desk at the beginning of the day.

>> The ability to unlock from a single IPA server would also be pretty
>> sweet.
>
> From the web console you can go to a user -> Actions -> Unlock, or you
> can use the 'ipa user-unlock' command. This operation will unlock the
> user on all servers.

Yup. The unlock attribute is replicated so unlocking in one place unlocks everywhere.
rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
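A way to audit the fractional replication lists Sam mentions before touching them, as an added example that is not from the thread or from FreeIPA itself. It assumes the standard 389-ds value syntax `(objectclass=*) $ EXCLUDE attr ...` for nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal; the agreement LDIF inside it is constructed, and the ldapmodify LDIF it produces is the unsupported change described above, shown for review rather than for blind application.

```python
import re

# The two counters the thread discusses. 389-ds keeps them out of replication
# by default so that every failed authentication does not fan out to all replicas.
LOCKOUT_COUNTERS = {"krblastfailedauth", "krbloginfailedcount"}

# Constructed sample: one replication agreement dumped as LDIF (fake hosts).
SAMPLE_LDIF = """dn: cn=meToipa2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
"""

# Assumed value syntax: "(<filter>) $ EXCLUDE <attr> <attr> ..."
_LIST_RE = re.compile(r"^\((?P<filter>[^)]*)\)\s*\$\s*EXCLUDE\s*(?P<attrs>.*)$")

def parse_exclude_list(value):
    """Split a fractional replication value into (filter, [excluded attrs])."""
    m = _LIST_RE.match(value.strip())
    if not m:
        raise ValueError("not a fractional replication list: %r" % value)
    return m.group("filter"), m.group("attrs").split()

def lockout_counters_excluded(value):
    """Lockout counters this list keeps out of replication (sorted)."""
    _, attrs = parse_exclude_list(value)
    return sorted(LOCKOUT_COUNTERS & {a.lower() for a in attrs})

def without_attrs(value, drop):
    """Rebuild the value so the given attributes are replicated again."""
    flt, attrs = parse_exclude_list(value)
    kept = [a for a in attrs if a.lower() not in drop]
    return "(%s) $ EXCLUDE %s" % (flt, " ".join(kept))

def audit_agreements(ldif_text):
    """Map agreement DN -> {list attribute: [excluded lockout counters]}."""
    report, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            report[dn] = {}
        elif dn and line.startswith("nsDS5ReplicatedAttributeList"):
            attr, _, value = line.partition(": ")
            report[dn][attr] = lockout_counters_excluded(value)
    return report

def modify_ldif(dn, attr, new_value):
    """ldapmodify input replacing one agreement attribute with new_value."""
    return "dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n" % (dn, attr, attr, new_value)
```

Run `audit_agreements` over an `ldapsearch -b "cn=mapping tree,cn=config"` dump from each server to see which agreements still exclude the counters; the per-agreement list and the Total list can differ, as the sample shows.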
