Document the lockout-related options in kadmin (modprinc -unlock and

addpol/modpol -maxfailure, -failurecountinterval, and
-lockoutduration), in the man page and in admin.texinfo.  Based on
text submitted by shawn.emery@oracle.com.

ticket: 6910

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 21 insertions, 0 deletions

diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 7e6db2c61b..f847c8235d 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -526,6 +526,11 @@ Associates a Kerberos principal with a LDAP object. This option is honored only
 if the Kerberos principal is not already associated with a LDAP object. 
 .RE
 .TP
+.B \-unlock
+Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according to
+its password policy) so that it can successfully authenticate.
+.TP
 ERRORS:
 KADM5_AUTH_MODIFY (requires "modify" privilege)
 KADM5_UNK_PRINC (principal does not exist)
@@ -689,6 +694,22 @@ sets the minimum number of character classes allowed in a password
 .TP
 \fB\-history\fP \fInumber\fP
 sets the number of past keys kept for a principal. This option is not supported for LDAP database
+.TP
+\fB\-maxfailure\fP \fImaxnumber\fP
+sets the maximum number of authentication failures before the
+principal is locked.  Authentication failures are only tracked for
+principals which require preauthentication.
+.TP
+\fB\-failurecountinterval\fP \fIfailuretime\fP
+sets the allowable time between authentication failures.  If an
+authentication failure happens after \fIfailuretime\fP has elapsed
+since the previous failure, the number of authentication failures is
+reset to 1.
+.TP
+\fB\-lockoutduration\fP \fIlockouttime\fP
+sets the duration for which the principal is locked from
+authenticating if too many authentication failures occur without the
+specified failure count interval elapsing.
 .sp
 .nf
 .TP