diff options
-rw-r--r-- | ipalib/plugins/user.py | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 64286555b..3bea7af6f 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -53,6 +53,10 @@ been issued. Password management is not a part of this module. For more information about this topic please see: ipa help passwd +Account lockout on password failure happens per IPA master. The user-status +command can be used to identify which master the user is locked out on. +It is on that master the the administrator must unlock the user. + EXAMPLES: Add a new user: @@ -97,6 +101,9 @@ status_output_params = ( Str('krblastfailedauth', label=_('Last failed authentication'), ), + Str('now', + label=_('Time now'), + ), ) # characters to be used for generating random user passwords @@ -725,7 +732,18 @@ class user_status(LDAPQuery): an administrator. This connects to each IPA master and displays the lockout status on - each one.""") + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. + For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. """) has_output = output.standard_list_of_entries has_output_params = LDAPSearch.has_output_params + status_output_params @@ -733,8 +751,9 @@ class user_status(LDAPQuery): def execute(self, *keys, **options): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) - attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth'] + attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock'] + disabled = False masters = [] # Get list of masters try: @@ -785,6 +804,14 @@ class user_status(LDAPQuery): pass newresult['dn'] = dn newresult['server'] = host + if options.get('raw', False): + time_format = '%Y%m%d%H%M%SZ' + else: + time_format = '%Y-%m-%dT%H:%M:%SZ' + newresult['now'] = unicode(strftime(time_format, gmtime())) + convert_nsaccountlock(entry[1]) + if 'nsaccountlock' in entry[1].keys(): + disabled = entry[1]['nsaccountlock'] entries.append(newresult) count += 1 except errors.NotFound: @@ -803,6 +830,8 @@ class user_status(LDAPQuery): return dict(result=entries, count=count, truncated=False, + summary=unicode(_('Account disabled: %(disabled)s' % + dict(disabled=disabled))), ) api.register(user_status) |