First Last Prev Next    This bug is not in your last search results.
Bug 54319 - user accounts locked out in UDM don't get automatically unlocked after some time
user accounts locked out in UDM don't get automatically unlocked after some time
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
UMC maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-01-10 22:17 CET by Arvid Requate
Modified: 2023-06-16 17:14 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021121421000141
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2022-01-10 22:17:20 CET 
user accounts locked out in UDM don't get automatically unlocked after some time.

For example if an account lockout gets triggered via Samba/AD and is synchronized to UDM, then that account state will appear as "locked" until either the Administrator unlocks manually via UDM/UCM or when the user performs a valid logon after the lockout time configured (samba-tool domain passwordsettings) has passed. That's mainly a user experience issue in UDM/UMC at this point.

But if we fix Bug #54317, then this becomes critical in these cases:

1. Samba/AD triggered lockout would lock the user from OpenLDAP-binds until the user either performs a valid Samba-Logon or Kinit again after the lockout time has passed or until the Administrator unlocks manually

2. With enabled ppolicy overlay an OpenLDAP triggered lockout would lock the user from OpenLDAP-binds until the user either performs a valid Samba-Logon or Kinit again after the lockout time has passed or until the Administrator unlocks manually. If the customer has no Samba then the administrative manual unlock is the only option.

So it may well be that my proposal to solve Bug #54317 (for Bug #54318) may not be such a good idea and we should work with ppolicy related attributes there instead.


But this still leaves the point of UDM/UMC user experience for the administrator, that shows a user as "locked" until that user does a new successful Samba/Kerberos auth.
Comment 1 Arvid Requate univentionstaff 2022-01-10 22:19:45 CET 
One possible solution would be a cron job that looks for locked accounts and checks if they should be unlocked because the lockout time has passed.
Comment 2 Stefan Gohmann univentionstaff 2022-12-19 07:58:33 CET 
I set the "Waiting Support" flag because of Ticket #2021121421000141.
Comment 3 Dirk Schnick 2023-06-16 17:14:25 CEST 
Happened in a school environment. Teacher forgot password; ran into lockout but account was not unlocked AND... the school admin was not able to reset the password as the account was still locked (but time to unlock was reached)
First Last Prev Next    This bug is not in your last search results.