Matt . wrote:
> OK, this looks good, but keeps the user locked from time to time:
>
> # ipa pwpolicy-show --user kinit-user
>   Group: service_accounts
>   Max lifetime (days): 1024
>   Min lifetime (hours): 0
>   Lockout duration: 0

As I said before, you need maxfail = 0 to disable lockout.

> Can we make sure we apply a policy to the sysaccounts users or is that
> undoable ?

You'd have to set krbPwdPolicyReference to the dn of the policy you want
to use for that sysaccount user. That requires the objectclass
krbPrincipalAux.

rob

>
> 2016-01-14 16:58 GMT+01:00 Rob Crittenden <[email protected]>:
>> Matt . wrote:
>>> OK, nice, but this user failed on kinit but is in the group where the
>>> policy is set to 0.
>>>
>>> Can I check on the commandline if it applies to that setting by
>>> querying ldap in some way ? It could be that some other group
>>> overrules in some way ?
>>
>> $ ipa pwpolicy-show --user <someuser>
>>
>>> What about sysaccounts ? They seem to be locked also with too many
>>> logins, and this concerns me as they are not POSIX.
>>
>> They may be getting the global policy applied.
>>
>> rob
>>
>>>
>>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <[email protected]>:
>>>> Matt . wrote:
>>>>> Hi Guys,
>>>>>
>>>>> I'm having an issue that a user which I use for the API is getting
>>>>> locked out from time to time.
>>>>>
>>>>> I have created a specific password policy for this user with:
>>>>>
>>>>> Lockout duration (seconds) 0
>>>>>
>>>>> But this doesn't help much.
>>>>>
>>>>> Anyone an idea how I can make sure a user is not locked out in any way
>>>>> by lots of logins or tries, etc and be able to test it functions
>>>>> all right ?
>>>>
>>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>>> sure to test both LDAP bind and kinit.
>>>>
>>>> rob
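The two points in the reply above (lockout is controlled by maxfail, and a sysaccount needs krbPrincipalAux plus krbPwdPolicyReference) as an added shell example that is not part of the original thread. The account name, realm and base DN are constructed, and the DN layout and the "Max failures" output label are assumed FreeIPA defaults; check them against your own directory.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are constructed.

# Read `ipa pwpolicy-show` output on stdin and return 0 only when it
# explicitly shows "Max failures: 0" (the maxfail setting).
# "Lockout duration: 0" on its own does not count as lockout disabled.
lockout_disabled() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1) }                      # strip CLI indentation
        $1 == "Max failures" && $2 ~ /^0[ \t]*$/ { ok = 1 }
        END { exit !ok }
    '
}

# Print LDIF that points a sysaccount at a named password policy.
# Args: $1 uid, $2 policy (group) name, $3 realm, $4 base DN.
# Assumed default layout: sysaccounts under cn=sysaccounts,cn=etc and
# policies under cn=<REALM>,cn=kerberos.
# Note: the objectClass add fails if the entry already has krbPrincipalAux;
# drop that stanza in that case. "replace" works whether or not a policy
# reference is already set.
sysaccount_policy_ldif() {
    cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$4
changetype: modify
add: objectClass
objectClass: krbPrincipalAux
-
replace: krbPwdPolicyReference
krbPwdPolicyReference: cn=$2,cn=$3,cn=kerberos,$4
EOF
}

# Typical use (commented out so sourcing this file changes nothing):
#   ipa pwpolicy-show --user kinit-user | lockout_disabled \
#       || echo "maxfail is not 0: lockout still possible"
#   sysaccount_policy_ldif api-bind service_accounts EXAMPLE.COM \
#       dc=example,dc=com | ldapmodify -x -D "cn=Directory Manager" -W
```

After applying the LDIF, test both an LDAP bind and kinit, as the earlier reply in the thread advises.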
