OK, this looks good, but keeps the user locked from time to time:

# ipa pwpolicy-show --user kinit-user
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0

Can we make sure we apply a policy to the sysaccounts users or is that undoable?

2016-01-14 16:58 GMT+01:00 Rob Crittenden <[email protected]>:
> Matt . wrote:
>> OK, nice, but this user failed on kinit but is in the group where the
>> policy is set to 0.
>>
>> Can I check on the commandline if it applies to that setting by
>> querying ldap in some way? It could be that some other group
>> overrules in some way?
>
> $ ipa pwpolicy-show --user <someuser>
>
>> What about sysaccounts? They seem to be locked also with too many
>> logins, and this concerns me as they are not POSIX.
>
> They may be getting the global policy applied.
>
> rob
>
>>
>>
>>
>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> I'm having an issue that a user which I use for the API is getting
>>>> locked out from time to time.
>>>>
>>>> I have created a specific password policy for this user with:
>>>>
>>>> Lockout duration (seconds) 0
>>>>
>>>> But this doesn't help much.
>>>>
>>>> Anyone an idea how I can make sure a user is not locked out in any way
>>>> by lots of logins or tries, etc and be able to test it functions
>>>> all right?
>>>
>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>> sure to test both LDAP bind and kinit.
>>>
>>> rob
>>>
>>
>
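
An added example, not part of the thread or of FreeIPA itself: a shell function that reads the output of the `ipa pwpolicy-show --user <name>` command suggested above and reports whether the applied policy can still lock the account. It assumes the CLI prints the failure limit under the label "Max failures", and it assumes MIT Kerberos' documented meaning of a zero lockout duration (locked until an administrator unlocks the account); the sample policy and the state names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on an IPA host:
#   ipa pwpolicy-show --user kinit-user | lockout_state
# Prints "<policy group> <state>" where state is one of:
#   maxfail-unset, lockout-disabled, duration-unset,
#   locks-until-admin-unlock, locks-<N>s

lockout_state() {
    awk -F': *' '
        {
            key = $1
            sub(/^[ \t]+/, "", key)      # the CLI indents each field
            val = $2
            sub(/[ \t]+$/, "", val)
        }
        key == "Group"            { group = val }
        key == "Max failures"     { maxfail = val }
        key == "Lockout duration" { duration = val }
        END {
            if (group == "") group = "-"
            # maxfail 0 is the setting recommended in the thread.
            if (maxfail == "")          state = "maxfail-unset"
            else if (maxfail + 0 == 0)  state = "lockout-disabled"
            else if (duration == "")    state = "duration-unset"
            # Assumption: duration 0 means no automatic unlock.
            else if (duration + 0 == 0) state = "locks-until-admin-unlock"
            else                        state = "locks-" duration "s"
            print group, state
        }'
}

# Constructed sample: the policy from the message above with maxfail set to 0.
sample_policy() {
    cat <<'EOF'
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Max failures: 0
  Lockout duration: 0
EOF
}

sample_policy | lockout_state
```

Fed the output exactly as posted in the message (no "Max failures" line), the function reports `maxfail-unset`, which is the case to look at first when an account in the policy group still gets locked.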
