author | Rob Crittenden <rcritten@redhat.com> | 2012-04-23 10:16:45 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-04-23 10:20:34 +0200 |
commit | d7f7bb11dfa62fbafbe3e0e321e32bad8da2ecf4 (patch) | |
tree | 07636b4f703d8d89a5eaab0c8a547f631db10118 /ipalib/plugins | |
parent | 0423213148a1a2f9762adf243f383398c1ec8b9e (diff) | |
Update docs for user-status, always show disabled, time for each server.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.
Always display the enabled/disabled status.
Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.
https://fedorahosted.org/freeipa/ticket/2162
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/user.py | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 64286555b..3bea7af6f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -53,6 +53,10 @@ been issued. Password management is not a part of this module. For more information about this topic please see: ipa help passwd
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the the administrator must unlock the user.
+
 EXAMPLES: Add a new user:
@@ -97,6 +101,9 @@ status_output_params = ( Str('krblastfailedauth', label=_('Last failed authentication'), ),
+ Str('now',
+ label=_('Time now'),
+ ),
 ) # characters to be used for generating random user passwords
@@ -725,7 +732,18 @@ class user_status(LDAPQuery): an administrator. This connects to each IPA master and displays the lockout status on
- each one.""")
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again. """) has_output = output.standard_list_of_entries has_output_params = LDAPSearch.has_output_params + status_output_params 
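Review bot: The new module-docstring line `+It is on that master the the administrator must unlock the user.` in the first hunk has a doubled word; it should read `It is on that master that the administrator must unlock the user.`. This docstring is presumably surfaced as command help, so the typo would be user-visible.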
@@ -733,8 +751,9 @@ class user_status(LDAPQuery): def execute(self, *keys, **options): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options)
- attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth']
+ attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock']
+ disabled = False
 masters = [] # Get list of masters try:
@@ -785,6 +804,14 @@ class user_status(LDAPQuery): pass newresult['dn'] = dn newresult['server'] = host
+ if options.get('raw', False):
+ time_format = '%Y%m%d%H%M%SZ'
+ else:
+ time_format = '%Y-%m-%dT%H:%M:%SZ'
+ newresult['now'] = unicode(strftime(time_format, gmtime()))
+ convert_nsaccountlock(entry[1])
+ if 'nsaccountlock' in entry[1].keys():
+ disabled = entry[1]['nsaccountlock']
 entries.append(newresult) count += 1 except errors.NotFound:
@@ -803,6 +830,8 @@ class user_status(LDAPQuery): return dict(result=entries, count=count, truncated=False,
+ summary=unicode(_('Account disabled: %(disabled)s' %
+ dict(disabled=disabled))),
 ) api.register(user_status) |
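Review bot: `disabled` is reassigned on every master iteration in the second hunk (`disabled = entry[1]['nsaccountlock']`), so the summary reflects only the last master that returned an entry, and when no master returns one it keeps the `False` initialised in the first hunk — the summary would then claim the account is enabled although nothing was actually read. Initialising it to `None` and rendering an explicit unknown state, or stopping at the first value found, would make the output honest; the `in entry[1].keys()` test can simply be `in entry[1]`. `newresult['now']` also deserves a comment: `strftime(time_format, gmtime())` reads the clock of the process running the command at the moment that master was queried, not the remote master's clock, so skew between masters matters when comparing it against `krblastfailedauth`; e.g. `# local UTC time when this master was queried; masters' clocks may differ`. The enclosing execute() starts and ends outside these hunks.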
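Review bot: In the third hunk the `%` interpolation happens inside the `_()` call — `_('Account disabled: %(disabled)s' % dict(disabled=disabled))` hands the already-formatted string (e.g. `Account disabled: True`) to gettext, so the catalogue lookup cannot match the template and the extraction tooling never sees the msgid. Translate first, then format: `summary=unicode(_('Account disabled: %(disabled)s') % dict(disabled=disabled)),`. Whether `disabled` ends up a bool or the raw LDAP attribute value depends on what `convert_nsaccountlock` does to the entry, which is not visible in this diff.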