Bug 759501

Summary: [RFE] Login failed attempts counter or locked out status are not displayed in WebUI or "ipa user-show" command
Product: Red Hat Enterprise Linux 6
Reporter: Rafael Godínez Pérez <rgodinez>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: dpal, jgalipea, mkosek, nsoman
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-11.el6
Doc Type: Enhancement
Doc Text:
Cause: When the number of failed login attempts exceeds the configured maximum, the account is locked. However, investigating the lockout status of a particular user is difficult, as the number of failed login attempts is not replicated. Consequence: An IPA administrator would need to get the failed login attempt counts from all installed replicas to find out the user's lockout status. Change: IPA provides a new CLI command "ipa user-status" which reports the number of failed login attempts on all configured IPA replicas, along with the time of the last successful or failed authentication attempt. Result: Administrators can now get the overall lock status of a particular user much more easily.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 13:18:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Rafael Godínez Pérez 2011-12-02 14:47:58 UTC
Description of problem:

When failed login attempts exceed the configured maximum, the account is locked in all clients, whether or not the user is cached in that client (expected behaviour). But in the IdM server, the 'ipa user-show' command, as well as the WebUI, shows the user account as still enabled.

For diagnosis in case of account trouble, or if an administrator needs to manually enable locked-out accounts, the correct status of the locked-out account should be shown in the WebUI and by the ipa command.

There is a distinction between a disabled account and one locked out due to too many failed logins.

We don't currently show the number of failed logins or that lockout status.



Version-Release number of selected component (if applicable):
RHEL 6.2

How reproducible:
Always

Steps to Reproduce:
1. log in with wrong password more times than allowed by configuration
Actual results:
The account is locked out, but this status isn't reflected in the WebUI or by the command "ipa user-show".
Neither reflects the number of failed attempts either.

Expected results:
The number of failed attempts should be displayed in the WebUI or by the command "ipa user-show".

Additional info:

Comment 2 Jenny Severance 2011-12-02 15:30:49 UTC
need to add the --all flag ..

# ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=testrelm
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS field: Administrator
  Login shell: /bin/bash
  Kerberos principal: admin@TESTRELM
  UID: 1426400000
  GID: 1426400000
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: admins
  ipauniqueid: 5be84044-d408-11e0-b9ce-5254008a96bf
  krbextradata: AAIf6NROYWRtaW5AVEVTVFJFTE0A, AAgBAA==
  krblastfailedauth: 20111202152839Z
  krblastpwdchange: 20111129141143Z
  krblastsuccessfulauth: 20111202152513Z
  krbloginfailedcount: 1   <==================================================
  krbpasswordexpiration: 20120227141143Z


haven't tried with locked out user .. but suspect it will show up.  at least with the UI ....

Comment 3 Jenny Severance 2011-12-02 15:31:49 UTC
at least with the CLI ... not UI ...

Comment 4 Rob Crittenden 2011-12-02 16:20:24 UTC
krbloginfailedcount is not replicated, so it isn't reliable for displaying status.

Comment 5 Dmitri Pal 2011-12-05 17:16:57 UTC
I think we need to do a better job here.
For example we can have a CLI/UI that will show the status of the user lockout on the server the UI/CLI is connected to but have a special flag/button to query other servers. Since pinging ALL other servers might be a costly operation it should be done only when administrator consciously requests it.

Comment 6 Dmitri Pal 2011-12-05 17:17:38 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2162

Comment 9 Jenny Severance 2012-04-18 16:41:53 UTC
This fix is incomplete.

Failed attempts are returned by showing the user with the --all flag in the CLI and by the "new" user-status CLI:

# ipa user-status jennys
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T15:46:40Z
  Last failed authentication: 2012-04-18T16:33:48Z
----------------------------
Number of entries returned 1
----------------------------


However, lockout status is not. This user is locked, but you would not know that, and it is not available anywhere: not in the user details in the WebUI, not from the user-show CLI, nor with the "new" user-status CLI.

I would expect the user-status CLI to display whether or not the user is enabled or disabled, and whether or not the user is locked out.

version:
ipa-server-2.2.0-9.el6.x86_64

Comment 10 Rob Crittenden 2012-04-18 19:41:15 UTC
The KDC is the final arbiter of this and it computes this on the fly and doesn't store the result. We could try to duplicate that behavior but it is prone to error. Rather I display the same information it uses and leave it to the user to interpret it.

We can't add this to user-show because a user may be locked in one KDC and not another. This data is not replicated.

Comment 12 Martin Kosek 2012-04-19 13:03:27 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When the number of failed login attempts exceeds the configured maximum, the account is locked. However, investigating the lockout status of a particular user is difficult, as the number of failed login attempts is not replicated.
Consequence: An IPA administrator would need to get the failed login attempt counts from all installed replicas to find out the user's lockout status.
Change: IPA provides a new CLI command "ipa user-status" which reports the number of failed login attempts on all configured IPA replicas, along with the time of the last successful or failed authentication attempt.
Result: Administrators can now get the overall lock status of a particular user much more easily.

Comment 14 Jenny Severance 2012-04-25 12:27:19 UTC
verified :: 
# ipa user-status jennys
-----------------------
Account disabled: False
-----------------------
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T18:44:30Z
  Last failed authentication: 2012-04-25T12:25:50Z
  Time now: 2012-04-25T12:26:17Z
----------------------------
Number of entries returned 1
----------------------------

version ::

ipa-server-2.2.0-11.el6.x86_64

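Comment 10 leaves the interpretation of the per-server counters to the administrator: user-status prints the raw krbloginfailedcount, timestamps and server clock for each master (comments 9 and 14), and each master's KDC decides lockout on the fly from its own, unreplicated counter. The script below is an added example, not code from this bug report or from FreeIPA: it parses user-status output in the format shown in comment 14 (a constructed two-master sample, since counters differ per master) and applies a password policy to say on which masters the user is currently locked. The three policy field names are the real IPA password-policy attributes (as printed by "ipa pwpolicy-show --all"); the values are hypothetical, and the lockout rule is a reading of their documented meaning, so the KDC remains the authority for any given request.

```python
"""Interpret `ipa user-status` output against an IPA password policy.

Added example; not from this bug report or from FreeIPA. The sample
output is constructed in the comment 14 format. Policy values are
hypothetical; the attribute names are IPA's (ipa pwpolicy-show --all).
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: two masters, counters differ because
# krbloginfailedcount is not replicated.
SAMPLE_USER_STATUS = """\
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.test
  Failed logins: 6
  Last successful authentication: 2012-04-18T18:44:30Z
  Last failed authentication: 2012-04-25T12:25:50Z
  Time now: 2012-04-25T12:26:17Z
  Server: ipa2.example.test
  Failed logins: 1
  Last successful authentication: 2012-04-25T09:00:00Z
  Last failed authentication: 2012-04-24T08:00:00Z
  Time now: 2012-04-25T12:26:18Z
----------------------------
Number of entries returned 2
----------------------------
"""

# Hypothetical policy values (real attribute names).
POLICY = {
    "krbmaxpwdfailure": 6,             # failures before lockout; 0 = never lock
    "krbpwdfailurecountinterval": 60,  # seconds after which the counter resets
    "krbpwdlockoutduration": 600,      # seconds locked; 0 = until an admin unlocks
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def parse_user_status(text):
    """Return (account_disabled, [one dict per 'Server:' block])."""
    m = re.search(r"^Account disabled:\s*(True|False)\s*$", text, re.M)
    disabled = (m.group(1) == "True") if m else None
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            cur = {"server": line.split(":", 1)[1].strip()}
            servers.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, val = (p.strip() for p in line.split(":", 1))
        if key == "Failed logins":
            cur["failed"] = int(val)
        elif key == "Last successful authentication":
            cur["last_success"] = parse_ts(val) if val else None
        elif key == "Last failed authentication":
            cur["last_failed"] = parse_ts(val) if val else None
        elif key == "Time now":
            cur["now"] = parse_ts(val)  # use the server's clock, not ours
    return disabled, servers


def lockout_state(entry, policy):
    """Classify one master's counters. Returns (state, effective_count)."""
    max_fail = policy["krbmaxpwdfailure"]
    interval = timedelta(seconds=policy["krbpwdfailurecountinterval"])
    duration = policy["krbpwdlockoutduration"]
    now, last_failed = entry["now"], entry.get("last_failed")
    count = entry.get("failed", 0)
    # A counter older than the failure-count interval is stale: the next
    # attempt restarts it from zero, so it does not contribute to lockout.
    if last_failed is not None and interval and now - last_failed > interval:
        count = 0
    if max_fail == 0 or count < max_fail:
        return "not locked", count
    if duration == 0:
        return "locked until unlocked by an administrator", count
    if last_failed is None:
        return "not locked", count  # no failure time to measure a duration from
    unlock_at = last_failed + timedelta(seconds=duration)
    if now < unlock_at:
        return "locked until " + unlock_at.strftime(TS_FMT), count
    return "lockout expired", count


def summarize(text, policy):
    """Per-master states plus the list of masters on which the user is locked."""
    disabled, servers = parse_user_status(text)
    states = {s["server"]: lockout_state(s, policy) for s in servers}
    locked_on = [srv for srv, (st, _) in states.items() if st.startswith("locked until")]
    return {"disabled": disabled, "states": states, "locked_on": locked_on}


if __name__ == "__main__":
    # e.g.  ipa user-status jennys | python3 user_lockout.py
    text = SAMPLE_USER_STATUS if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(text, POLICY)
    print("Account disabled:", report["disabled"])
    for srv, (state, count) in report["states"].items():
        print(f"{srv}: {count} counted failure(s), {state}")
    print("Locked on:", ", ".join(report["locked_on"]) or "none")
```

Two points the output makes visible: the "Time now" field matters, because lockout duration and the failure-count interval are measured on each master's own clock, and "Account disabled: False" says nothing about lockout, which is why the verdict has to be given per master rather than as one flag on the user entry.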
Comment 17 errata-xmlrpc 2012-06-20 13:18:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html