Bug 1784592
Summary: | When one IdM server in a domain locks/unlocks an account, all IdM servers in the domain should lock/unlock that account | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Greg Scott <gscott> |
Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED DEFERRED | QA Contact: | ipa-qe <ipa-qe> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.0 | CC: | afarley, cheimes, dpal, fcami, pasik, pcech, rcritten, tscherf |
Target Milestone: | rc | | |
Target Release: | 8.0 | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-31 08:50:26 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Greg Scott
2019-12-17 19:31:33 UTC
Seems like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=971087

Lockout is calculated based on failed logins over a period of time. This requires the number of failed attempts to be replicated.

I just looked at that other bugzilla - it's more than 6 years old!
> Lockout is calculated based on failed logins over a period of time. This requires the number of failed attempts to be replicated.
So maybe don't replicate every failure attempt. When one server decides to lock an account, replicate what you need so all IdM servers are up to date. Or maybe don't replicate events, other than a few important ones like password updates. Instead of replicating individual events, maybe replicate an overall state periodically.
However you do it, we can't force admins to manually check every single IdM server to find the one that locks a user. Other domain authentication systems handle this issue automatically. IdM should too.
Upstream ticket: https://pagure.io/freeipa/issue/8250

Once the upstream community implements this feature (https://pagure.io/freeipa/issue/8250) it will be pulled into a corresponding Red Hat Enterprise Linux release following the corresponding schedules. From now on this issue will be tracked in the community issue tracker only. Closing this BZ.
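A toy model of the behaviour discussed in this bug, added here as an illustration and not FreeIPA or Red Hat code: it assumes each server counts failed logins locally, then compares that with the proposal above to replicate only the lock decision. The server names, the user `alice` and the policy values are constructed.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3      # assumed policy: failed logins tolerated inside the window
FAILURE_WINDOW = 60   # assumed policy: seconds over which failures are counted


@dataclass
class Replica:
    """One server with its own failure history (hypothetical model)."""
    name: str
    failures: dict = field(default_factory=dict)  # user -> failure timestamps
    locked: set = field(default_factory=set)      # users locked on this server

    def record_failure(self, user, now):
        """Count a failed login locally; return True if the user is now locked here."""
        recent = [t for t in self.failures.get(user, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked.add(user)
        return user in self.locked


def simulate(replicate_lock_state):
    """Send three failed logins for 'alice' to one server; return each server's view."""
    replicas = [Replica("ipa1"), Replica("ipa2"), Replica("ipa3")]
    for now in (0, 10, 20):
        if replicas[0].record_failure("alice", now) and replicate_lock_state:
            # Proposal from the thread: replicate the lock decision itself,
            # not every individual failed attempt.
            for peer in replicas[1:]:
                peer.locked.add("alice")
    return {r.name: "alice" in r.locked for r in replicas}


def servers_disagree(view):
    """True when an admin would have to check every server to find the lock."""
    return len(set(view.values())) > 1


if __name__ == "__main__":
    print("counters local only:  ", simulate(False))
    print("lock state replicated:", simulate(True))
```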