My fault from the maxfail, I was referencing some doc from side_control and mixed it up.
For the sysaccount part sounds doable. I will report back for that! thanks a lot!

2016-01-14 19:06 GMT+01:00 Rob Crittenden <[email protected]>:
> Matt . wrote:
>> OK, this looks good, but keeps the user locked from time to time:
>>
>> # ipa pwpolicy-show --user kinit-user
>> Group: service_accounts
>> Max lifetime (days): 1024
>> Min lifetime (hours): 0
>> Lockout duration: 0
>
> As I said before, you need maxfail = 0 to disable lockout.
>
>> Can we make sure we apply a policy to the sysaccounts users or is that undoable?
>
> You'd have to set krbPwdPolicyReference to the dn of the policy you want to use for that sysaccount user. That requires the objectclass krbPrincipalAux.
>
> rob
>
>> 2016-01-14 16:58 GMT+01:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>> OK, nice, but this user failed on kinit but is in the group where the policy is set to 0.
>>>>
>>>> Can I check on the command line if it applies to that setting by querying ldap in some way? It could be that some other group overrules in some way?
>>>
>>> $ ipa pwpolicy-show --user <someuser>
>>>
>>>> What about sysaccounts? They seem to be locked also with too many logins, and this concerns me as they are not POSIX.
>>>
>>> They may be getting the global policy applied.
>>>
>>> rob
>>>
>>>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>> Matt . wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm having an issue that a user which I use for the API is getting locked out from time to time.
>>>>>>
>>>>>> I have created a specific password policy for this user with:
>>>>>>
>>>>>> Lockout duration (seconds) 0
>>>>>>
>>>>>> But this doesn't help much.
>>>>>>
>>>>>> Anyone an idea how I can make sure a user is not locked out in any way by lots of logins or tries, etc. and be able to test it functions alright?
>>>>>
>>>>> Setting maxfail to 0 should do it. As for testing, be creative, but be sure to test both LDAP bind and kinit.
>>>>>
>>>>> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
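The two answers in the thread, as an added shell example (not something posted in the thread): one helper emits the LDIF that points a sysaccount at a group password policy through krbPwdPolicyReference (adding the krbPrincipalAux objectclass it needs), and the other reads `ipa pwpolicy-show` output and reports whether lockout is really disabled, i.e. whether "Max failures" (maxfail) is 0, since "Lockout duration: 0" on its own does not do that. The DNs for the sysaccount and the group policy, and the sample pwpolicy-show text, are assumptions about a typical FreeIPA tree, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread above. Two helpers for the two points
# Rob makes: (1) a sysaccount gets a group policy only via
# krbPwdPolicyReference, which needs objectclass krbPrincipalAux; (2) lockout
# is disabled by Max failures (maxfail) = 0, not by Lockout duration = 0.
# The DNs used at the bottom are assumptions about a typical FreeIPA tree.

# Print an LDIF modify record that adds krbPrincipalAux to the entry and
# points krbPwdPolicyReference at the given policy DN. Feed it to ldapmodify
# with an identity that may write to the sysaccount entry.
sysaccount_policy_ldif() {
    user_dn="$1"
    policy_dn="$2"
    printf 'dn: %s\n' "$user_dn"
    printf 'changetype: modify\n'
    printf 'add: objectClass\nobjectClass: krbPrincipalAux\n-\n'
    printf 'replace: krbPwdPolicyReference\nkrbPwdPolicyReference: %s\n-\n' "$policy_dn"
}

# Read `ipa pwpolicy-show` output on stdin. Exit 0 only when the effective
# policy explicitly carries "Max failures: 0". An absent line means the
# policy does not disable lockout, which is what the pwpolicy-show output
# quoted in the thread (no Max failures line at all) shows.
lockout_disabled() {
    awk -F': *' '
        /^[[:space:]]*Max failures:/ { found = 1; if ($2 + 0 == 0) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }
    '
}

# Demonstration with constructed input (assumed DNs, sample pwpolicy-show text).
sysaccount_policy_ldif \
    'uid=kinit-user,cn=sysaccounts,cn=etc,dc=example,dc=com' \
    'cn=service_accounts,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com'

# Mirrors the output quoted in the thread: Lockout duration 0, no Max failures.
if printf 'Group: service_accounts\nLockout duration: 0\n' | lockout_disabled; then
    echo 'lockout disabled'
else
    echo 'lockout still possible: set maxfail=0 on the policy'
fi
```

To apply the LDIF, save the output of `sysaccount_policy_ldif` to a file and run `ldapmodify -x -D "cn=Directory Manager" -W -f file.ldif` (assumed bind identity); if the entry already carries krbPrincipalAux, drop the `add: objectClass` stanza, since adding an existing value is rejected. The policy itself is fixed with `ipa pwpolicy-mod service_accounts --maxfail=0`, after which `ipa pwpolicy-show --user kinit-user | lockout_disabled` should succeed; as Rob notes, verify with both an LDAP bind and a kinit, because the two paths can be governed differently.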
