Hello.
I'm having an issue where we have passwordMaxFailure
set to "5" in the global policy but users are getting locked out after 3 attempts.
Right now, when a user is locked out the only way I can tell is by looking at the attributes below.
One is likely to assume that once the "accountUnlockTime" attribute has been set on an account, the account is indeed locked out.
accountUnlockTime: 20210920190503Z
passwordRetryCount: 3
retryCountResetTime: 20210920181413Z
[mstarling@dsa101 ~]$ dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 pwpolicy get
Global Password Policy: cn=config
------------------------------------
nsslapd-pwpolicy-local: on
passwordstoragescheme: SSHA512
passwordchange: on
passwordmustchange: off
passwordhistory: on
passwordinhistory: 10
passwordadmindn: cn=Generic_PasswordPolicy_Override,ou=LDAPadmin,dc=mydomain,dc=com
passwordtrackupdatetime: on
passwordwarning: 86400
passwordisglobalpolicy: on
passwordexp: on
passwordmaxage: 7776000
passwordminage: 86400
passwordgracelimit: 0
passwordsendexpiringtime: off
passwordlockout: on
passwordunlock: on
passwordlockoutduration: 600
passwordmaxfailure: 5
passwordresetfailurecount: 600
passwordchecksyntax: off
passwordminlength: 48
passwordmindigits: 0
passwordminalphas: 0
passwordminuppers: 0
passwordminlowers: 0
passwordminspecials: 0
passwordmin8bit: 0
passwordmaxrepeats: 0
passwordpalindrome: off
passwordmaxsequence: 0
passwordmaxseqsets: 0
passwordmaxclasschars: 0
passwordmincategories: 5
passwordmintokenlength: 3
passwordbadwords: athena health interface
passworduserattributes: cn uid sn givenName mail gecos homeDirectory
passworddictcheck: on
passworddictpath: /usr/lib64/security/pam_cracklib.so
nsslapd-allow-hashed-passwords: on
nsslapd-pwpolicy-inherit-global: on
dsconf -W -D cn=manager ldaps://dsa101.mydomain.com:636 localpwp get "ou=People,dc=mydomain,dc=com"
Local Subtree Policy Policy for "ou=People,dc=mydomain,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3DPeople\2Cdc\3Dmydomain\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=mydomain,dc=com
------------------------------------
passwordstoragescheme: SSHA512
passwordmustchange: off
passwordhistory: on
passwordtrackupdatetime: on
passwordexp: on
passwordmaxage: 7776000
passwordlockout: on
passwordchecksyntax: on
passwordminlength: 14
passwordmincategories: 4
passworddictcheck: on |
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure