Bug 759501 - [RFE] Login failed attempts counter or locked out status are not displayed in WebUI or "ipa user-show" command
Summary: [RFE] Login failed attempts counter or locked out status are not displayed in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-02 14:47 UTC by Rafael Godínez Pérez
Modified: 2018-12-02 15:05 UTC (History)

Fixed In Version: ipa-2.2.0-11.el6
Doc Type: Enhancement
Doc Text:
Cause: When the number of failed login attempts exceeds the configured maximum, the account is locked. However, investigating the lockout status of a particular user is difficult, because the number of failed login attempts is not replicated. Consequence: An IPA administrator would need to collect failed login attempt counts from all installed replicas to find out the user's lockout status. Change: IPA provides a new CLI command, "ipa user-status", which reports the number of failed login attempts on all configured IPA replicas along with the time of the last successful and last failed authentication attempt. Result: Administrators can now much more easily get the overall lock status of a particular user.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:18:08 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2012:0819 (priority: normal, status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2012-06-19 20:34:17 UTC

Description Rafael Godínez Pérez 2011-12-02 14:47:58 UTC
Description of problem:

When the number of failed login attempts exceeds the configured maximum, the account is locked on all clients, no matter whether the user is cached on that client or not (expected behaviour). But on the IdM server, the 'ipa user-show' command, as well as the WebUI, shows the user account as still enabled.

For diagnosis in case of account trouble, or if an administrator needs to manually enable locked out accounts, the correct status of the locked out account should be shown in the WebUI and by the ipa command.

There is a distinction between a disabled account and one locked out due to too many failed logins.

We don't currently show the number of failed logins or that lockout status.



Version-Release number of selected component (if applicable):
RHEL 6.2

How reproducible:
Always

Steps to Reproduce:
1. log in with wrong password more times than allowed by configuration
Actual results:
The account is locked out, but this status isn't reflected in the WebUI or by the "ipa user-show" command.
Nor does it reflect the number of failed attempts.

Expected results:
The number of failed attempts should be displayed in the WebUI or by the "ipa user-show" command.

Additional info:

Comment 2 Jenny Severance 2011-12-02 15:30:49 UTC
need to add the --all flag ..

# ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=testrelm
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS field: Administrator
  Login shell: /bin/bash
  Kerberos principal: admin@TESTRELM
  UID: 1426400000
  GID: 1426400000
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: admins
  ipauniqueid: 5be84044-d408-11e0-b9ce-5254008a96bf
  krbextradata: AAIf6NROYWRtaW5AVEVTVFJFTE0A, AAgBAA==
  krblastfailedauth: 20111202152839Z
  krblastpwdchange: 20111129141143Z
  krblastsuccessfulauth: 20111202152513Z
  krbloginfailedcount: 1   <==================================================
  krbpasswordexpiration: 20120227141143Z


haven't tried with locked out user .. but suspect it will show up.  at least with the UI ....

Comment 3 Jenny Severance 2011-12-02 15:31:49 UTC
at least with the CLI ... not UI ...

Comment 4 Rob Crittenden 2011-12-02 16:20:24 UTC
krbloginfailedcount is not replicated, so it isn't a reliable way to display status.

Comment 5 Dmitri Pal 2011-12-05 17:16:57 UTC
I think we need to do a better job here.
For example we can have a CLI/UI that will show the status of the user lockout on the server the UI/CLI is connected to but have a special flag/button to query other servers. Since pinging ALL other servers might be a costly operation it should be done only when administrator consciously requests it.

Comment 6 Dmitri Pal 2011-12-05 17:17:38 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2162

Comment 9 Jenny Severance 2012-04-18 16:41:53 UTC
This fix is incomplete.  

Failed attempts are returned by showing the user with --all flag in the CLI and the "new" CLI user-status

# ipa user-status jennys
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T15:46:40Z
  Last failed authentication: 2012-04-18T16:33:48Z
----------------------------
Number of entries returned 1
----------------------------


However, lockout status is not ... this user is locked, but you would not know that, and it is not available anywhere.  Not in the User details in the WebUI, not from the user-show CLI, nor with the "new" user-status CLI.

I would expect the user-status CLI to display whether or not the user was enabled or disabled, and whether or not the user was locked out.

version:
ipa-server-2.2.0-9.el6.x86_64

Comment 10 Rob Crittenden 2012-04-18 19:41:15 UTC
The KDC is the final arbiter of this and it computes this on the fly and doesn't store the result. We could try to duplicate that behavior but it is prone to error. Rather I display the same information it uses and leave it to the user to interpret it.

We can't add this to user-show because a user may be locked in one KDC and not another. This data is not replicated.
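
The point made in the two comments above (the KDC decides lockout on the fly from krbloginfailedcount and the last-failed-auth time, neither of which is replicated, so each replica must be read separately) can be illustrated with a small admin-side script. The script below is an added example for this page, not code from the bug report or from FreeIPA: it parses the per-server blocks that "ipa user-status" prints, in the format shown in the comments, and applies a simplified lockout rule, assumed here to approximate the KDC check: a server treats the account as locked when its local failed-login count has reached the policy maximum and, for a non-zero lockout duration, that duration has not yet elapsed since the last failed attempt (a duration of 0 is taken to mean locked until an administrator unlocks). The policy values (Max failures and Lockout duration from "ipa pwpolicy-show"), their defaults of 6 and 600 seconds, and the two-replica sample output are all assumptions constructed for the example.

```python
"""Interpret `ipa user-status` output across replicas.

Added example written for this page, not FreeIPA code. The lockout rule
implemented in is_locked() is an assumed simplification of the check the
KDC performs on the fly; the policy values are assumed inputs that an
administrator would read from `ipa pwpolicy-show`.
"""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample output: two replicas, only the first saw the failures.
SAMPLE_OUTPUT = """\
-----------------------
Account disabled: False
-----------------------
  Server: replica1.example.test
  Failed logins: 6
  Last successful authentication: 2012-04-18T18:44:30Z
  Last failed authentication: 2012-04-25T12:25:50Z
  Time now: 2012-04-25T12:26:17Z
  Server: replica2.example.test
  Failed logins: 0
  Last successful authentication: 2012-04-18T18:44:30Z
  Time now: 2012-04-25T12:26:18Z
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_ts(value):
    """Parse the timestamp form the CLI prints, as an aware UTC datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def parse_user_status(text):
    """Return (account_disabled, [per-server dict]) from CLI output.

    Separator lines and the 'Number of entries returned' summary carry no
    key/value pair and are skipped; each 'Server:' line starts a new block.
    """
    disabled = None
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only; values hold colons
        key, value = key.strip(), value.strip()
        if key == "Account disabled":
            disabled = value == "True"
        elif key == "Server":
            current = {"server": value, "failed": 0,
                       "last_failed": None, "last_success": None, "now": None}
            servers.append(current)
        elif current is None:
            continue
        elif key == "Failed logins":
            current["failed"] = int(value)
        elif key == "Last failed authentication":
            current["last_failed"] = parse_ts(value)
        elif key == "Last successful authentication":
            current["last_success"] = parse_ts(value)
        elif key == "Time now":
            current["now"] = parse_ts(value)
    return disabled, servers


def is_locked(entry, max_failures, lockout_duration):
    """Simplified per-server lockout check (assumption, see module docstring).

    The policy's failure reset interval is deliberately not applied here: it
    only governs whether the counter restarts when the *next* failure is
    recorded, so it does not change whether the account is locked right now.
    """
    if max_failures == 0 or entry["failed"] < max_failures:
        return False
    if entry["last_failed"] is None or entry["now"] is None:
        return False
    if lockout_duration == 0:
        return True   # assumed: locked until an administrator unlocks
    return entry["now"] < entry["last_failed"] + timedelta(seconds=lockout_duration)


def lockout_report(text, max_failures=6, lockout_duration=600):
    """Summarise which replicas would currently refuse the account."""
    disabled, servers = parse_user_status(text)
    locked_on = [e["server"] for e in servers
                 if is_locked(e, max_failures, lockout_duration)]
    return {"disabled": disabled,
            "servers": [e["server"] for e in servers],
            "locked_on": locked_on}


if __name__ == "__main__":
    report = lockout_report(SAMPLE_OUTPUT)
    print("Account disabled:", report["disabled"])
    for server in report["servers"]:
        state = "LOCKED" if server in report["locked_on"] else "ok"
        print(f"  {server}: {state}")
```

Run against the constructed sample, the report shows the account locked on replica1 and not on replica2, which is exactly the split that a single "Account disabled" flag in user-show could not express; "disabled" is reported separately because it is a distinct, replicated state.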

Comment 12 Martin Kosek 2012-04-19 13:03:27 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When the number of failed login attempts exceeds the configured maximum, the account is locked. However, investigating the lockout status of a particular user is difficult, because the number of failed login attempts is not replicated.
Consequence: An IPA administrator would need to collect failed login attempt counts from all installed replicas to find out the user's lockout status.
Change: IPA provides a new CLI command, "ipa user-status", which reports the number of failed login attempts on all configured IPA replicas along with the time of the last successful and last failed authentication attempt.
Result: Administrators can now much more easily get the overall lock status of a particular user.

Comment 14 Jenny Severance 2012-04-25 12:27:19 UTC
verified :: 
# ipa user-status jennys
-----------------------
Account disabled: False
-----------------------
  Server: dhcp-185-247.testrelm.com
  Failed logins: 6
  Last successful authentication: 2012-04-18T18:44:30Z
  Last failed authentication: 2012-04-25T12:25:50Z
  Time now: 2012-04-25T12:26:17Z
----------------------------
Number of entries returned 1
----------------------------

version ::

ipa-server-2.2.0-11.el6.x86_64

Comment 17 errata-xmlrpc 2012-06-20 13:18:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

