authorRob Crittenden <rcritten@redhat.com>2012-04-23 10:16:45 +0200
committerMartin Kosek <mkosek@redhat.com>2012-04-23 10:20:34 +0200
commitd7f7bb11dfa62fbafbe3e0e321e32bad8da2ecf4 (patch)
tree07636b4f703d8d89a5eaab0c8a547f631db10118 /ipalib/plugins
parent0423213148a1a2f9762adf243f383398c1ec8b9e (diff)
Update docs for user-status, always show disabled, time for each server.
Provide some guidance on how to read and understand the output. Some manual work is needed to identify which master the user is locked on. Always display the enabled/disabled status. Include the time that the master was contacted in the output for each master as lockout is very time sensitive. https://fedorahosted.org/freeipa/ticket/2162
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/user.py33
1 files changed, 31 insertions, 2 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 64286555b..3bea7af6f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -53,6 +53,10 @@ been issued.
Password management is not a part of this module. For more information
about this topic please see: ipa help passwd
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the the administrator must unlock the user.
+
EXAMPLES:
Add a new user:
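Review bot: The new module-docstring sentence "It is on that master the the administrator must unlock the user." has a doubled "the" and reads as a typo in user-facing help text (`ipa help user`). Suggest `It is on that master that the administrator must unlock the user.`. The enclosing module docstring begins and ends outside this hunk.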
@@ -97,6 +101,9 @@ status_output_params = (
Str('krblastfailedauth',
label=_('Last failed authentication'),
),
+ Str('now',
+ label=_('Time now'),
+ ),
)
# characters to be used for generating random user passwords
@@ -725,7 +732,18 @@ class user_status(LDAPQuery):
an administrator.
This connects to each IPA master and displays the lockout status on
- each one.""")
+ each one.
+
+ To determine whether an account is locked on a given server you need
+ to compare the number of failed logins and the time of the last failure.
+ For an account to be locked it must exceed the maxfail failures within
+ the failinterval duration as specified in the password policy associated
+ with the user.
+
+ The failed login counter is modified only when a user attempts a log in
+ so it is possible that an account may appear locked but the last failed
+ login attempt is older than the lockouttime of the password policy. This
+ means that the user may attempt a login again. """)
has_output = output.standard_list_of_entries
has_output_params = LDAPSearch.has_output_params + status_output_params
@@ -733,8 +751,9 @@ class user_status(LDAPQuery):
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
- attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth']
+ attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock']
+ disabled = False
masters = []
# Get list of masters
try:
@@ -785,6 +804,14 @@ class user_status(LDAPQuery):
pass
newresult['dn'] = dn
newresult['server'] = host
+ if options.get('raw', False):
+ time_format = '%Y%m%d%H%M%SZ'
+ else:
+ time_format = '%Y-%m-%dT%H:%M:%SZ'
+ newresult['now'] = unicode(strftime(time_format, gmtime()))
+ convert_nsaccountlock(entry[1])
+ if 'nsaccountlock' in entry[1].keys():
+ disabled = entry[1]['nsaccountlock']
entries.append(newresult)
count += 1
except errors.NotFound:
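Review bot: `disabled = entry[1]['nsaccountlock']` is overwritten on every iteration of the master loop, so the value reported in the summary is whichever master was queried last, and a master whose lookup fails (the `except errors.NotFound` branch) leaves the previous master's value standing; since the commit message itself says lockout state differs per master, the flag is more useful per row, e.g. `newresult['nsaccountlock'] = entry[1]['nsaccountlock']` inside the existing `if`, with the summary then computed from the collected rows (the initialisation `disabled = False` in the previous hunk would go with it). Separately, `newresult['now']` is taken from `gmtime()` on the host running the command, not from the master being queried, so the docstring's instruction to compare it against `krblastfailedauth` silently assumes the masters' clocks are in sync — worth a one-line comment such as `# local clock of the server answering this command, not the queried master`. The diff adds no import for `strftime`/`gmtime`; if they are not already in scope in this module the new line raises NameError at runtime — presumably they are, but please confirm. Minor style: `time_format` is loop-invariant and could be chosen once before the loop, and `'nsaccountlock' in entry[1]` does not need `.keys()`. The enclosing `execute` body starts and ends outside this hunk.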
@@ -803,6 +830,8 @@ class user_status(LDAPQuery):
return dict(result=entries,
count=count,
truncated=False,
+ summary=unicode(_('Account disabled: %(disabled)s' %
+ dict(disabled=disabled))),
)
api.register(user_status)
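Review bot: The `%` substitution is applied to the string before it is passed to `_()`, so the translation catalog is looked up with the already-formatted text (e.g. "Account disabled: True") and the summary can never be translated; the format should be applied to the result of `_()` instead: `summary=unicode(_('Account disabled: %(disabled)s') % dict(disabled=disabled)),`. The value of `disabled` here is whatever the last queried master returned (set in the preceding hunk), so the summary is a single-master answer even though the entries are per master. The enclosing `execute` body starts outside this hunk.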