On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo <[email protected]> wrote:
> On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
> <[email protected]> wrote:
>> Dear Freeipa users and developers,
>>
>> We need to alter the default behavior of the IdM server in the situation
>> when user exceeds the limit of incorrect password login attempts.
>>
>> By default the user is getting locked in this case, but we need to disable
>> him fully.
>
> As in, delete the user? Because locking the account is disabling it
> unless I misunderstand it. I cannot log in, my cron jobs will fail, I
> cannot use any ldap/kerberos service because my account is disabled.
>
> What do you need exactly? Or maybe you refer to the fact that the lock
> is temporary (standard 600 seconds, after which you may try logging in
> again)? In that case, change that in the password policies (in the web
> interface, policy tab, then password policy, then open the
> global_policy, then edit the lockout duration field and update it).

For completeness, the same in the CLI as an admin user:

To get the values:

$ ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

To change a value:

$ ipa pwpolicy-mod global_policy --lockouttime=INT

(where INT is the number of seconds you want the lock to be implemented,
set it to a huge number, like 946080000 in practice 30 ( 3600 secs * 24
hours * 365 days * 30 years ) years is like a life sentence ;-) - the
accounts).
