Hi Harry,
sorry for long delay. The feature it working quite well for me.
For instance, user0 binding three times with wrong password is locked:
[root@rh6 ~]# ldapsearch -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat"
-w wrong -b "o=redhat" cn=user0
ldap_bind: Invalid credentials (49)
[root@rh6 ~]# ldapsearch -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat"
-w wrong -b "o=redhat" cn=user0
ldap_bind: Invalid credentials (49)
[root@rh6 ~]# ldapsearch -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat"
-w wrong -b "o=redhat" cn=user0
ldap_bind: Invalid credentials (49)
[root@rh6 ~]# ldapsearch -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat"
-w wrong -b "o=redhat" cn=user0
ldap_bind: Constraint violation (19)
additional info: Exceed password retry limit. Please try later.
I can see in audit logs after the third wrong bind:
time: 20150217151208
dn: cn=user0,ou=people,o=redhat
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 3
-
replace: accountUnlockTime
accountUnlockTime: 20150217141508Z
If I try to bind with right credentials:
ldapsearch -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat" -w user0 -b
"o=redhat" cn=user0
ldap_bind: Constraint violation (19)
additional info: Exceed password retry limit. Please try later.
NOTE: in my case, passwordLockoutDuration: 180
So, more than three minutes later:
ldapsearch -xLLL -p 1389 -h localhost -D "cn=user0,ou=people,o=redhat" -w user0
-b "o=redhat" cn=user0
[root@rh6 ~]#
user0 arrives to bind ok.
We can see in audit logs that the password retry count has been reset'd (we check
accounts locked only if the retry count is greater than the max failures allowed).
time: 20150217151719
dn: cn=user0,ou=people,o=redhat
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 0
-
My settings:
nsslapd-pwpolicy-local: on
passwordChange: off
passwordLockout: on
passwordUnlock: on
passwordLockoutDuration: 180
passwordResetFailureCount: 660
and
passwordmaxfailure: 3
Thanks and regards,
German.
----- Original Message -----
From: "harry devine" <harry.devine(a)faa.gov>
To: 389-users(a)lists.fedoraproject.org
Sent: Friday, 13 February, 2015 7:27:10 PM
Subject: Re: [389-users] Question about accountunlocktime
passwordunlock is set to On, and passwordunlockduration is set to 1800.
Thanks,
Harry
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of German
Parente
Sent: Friday, February 13, 2015 11:51 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Question about accountunlocktime
Hi Harry,
could you check the value of attribute type "passwordUnlock" under cn=config
?
thanks and regards,
German.
----- Original Message -----
> From: "harry devine" <harry.devine(a)faa.gov>
> To: 389-users(a)lists.fedoraproject.org
> Sent: Friday, February 13, 2015 1:31:04 PM
> Subject: Re: [389-users] Question about accountunlocktime
>
> OK, I get that. What I don't get is why it won't automatically UNLOCK
> after lockout duration. The accountunlocktime stays set forever, and
> as long as that's set, the user can't log in and one of the admins has
> to clear the accountunlock time attribute manually.
>
> Thanks,
> Harry
>
> -----Original Message-----
> From: 389-users-bounces(a)lists.fedoraproject.org
> [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of
> William
> Sent: Thursday, February 12, 2015 9:54 PM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Question about accountunlocktime
>
> On Fri, 2015-02-13 at 01:49 +0000, harry.devine(a)faa.gov wrote:
> > Any insight on this????
> >
>
>
> The value is utc. My current time is 13:16 UTC+10:30. When I lock the
> account I get:
>
>
> accountUnlockTime: 20150213031647Z
>
> Split up is
>
> 2015-02-13 0316.47 UTC
>
> Which is 1316 - 1030 = 0246
>
>
> Add to this that my passwordLockoutDuration is 1800 aka 30 minutes:
>
> 0246 + 0030 = 0316.
>
> Thus:
>
> 2015-02-13 0316.47 UTC
>
> This is why you may see the accountUnlockTime in the past.
>
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users