Univention Bugzilla – Bug 54319
user accounts locked out in UDM don't get automatically unlocked after some time
Last modified: 2023-06-16 17:14:25 CEST
user accounts locked out in UDM don't get automatically unlocked after some time.

For example, if an account lockout gets triggered via Samba/AD and is synchronized to UDM, then that account state will appear as "locked" until either the Administrator unlocks manually via UDM/UMC or the user performs a valid logon after the lockout time configured (samba-tool domain passwordsettings) has passed. That's mainly a user experience issue in UDM/UMC at this point.

But if we fix Bug #54317, then this becomes critical in these cases:

1. A Samba/AD triggered lockout would lock the user out of OpenLDAP binds until the user either performs a valid Samba logon or kinit again after the lockout time has passed, or until the Administrator unlocks manually.
2. With enabled ppolicy overlay, an OpenLDAP triggered lockout would lock the user out of OpenLDAP binds until the user either performs a valid Samba logon or kinit again after the lockout time has passed, or until the Administrator unlocks manually. If the customer has no Samba, then the administrative manual unlock is the only option.

So it may well be that my proposal to solve Bug #54317 (for Bug #54318) may not be such a good idea and we should work with ppolicy related attributes there instead. But this still leaves the point of the UDM/UMC user experience for the administrator, which shows a user as "locked" until that user does a new successful Samba/Kerberos auth.
One possible solution would be a cron job that looks for locked accounts and checks if they should be unlocked because the lockout time has passed.
I set the "Waiting Support" flag because of Ticket #2021121421000141.
Happened in a school environment. A teacher forgot the password and ran into the lockout, but the account was not unlocked AND the school admin was not able to reset the password, as the account was still locked (but the time to unlock had been reached).
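Added example of the decision logic the cron job proposed above would need; this is not UCS code and not from anyone in this bug. It assumes the two standard lock attributes, Samba/AD `lockoutTime` (Windows FILETIME, 100-ns ticks since 1601, "0" = not locked) and OpenLDAP ppolicy `pwdAccountLockedTime` (GeneralizedTime, with the sentinel `000001010000Z` meaning an administrator locked the account explicitly). The lockout durations would be taken from `samba-tool domain passwordsettings` and the ppolicy's `pwdLockoutDuration`; a zero duration is treated as "manual unlock only" (documented for ppolicy, assumed for Samba). The DNs and account records are constructed; LDAP access and the actual unlock commands are deliberately left out.

```python
"""Decide which locked accounts have outlived their lockout duration.

Added example for the cron-job idea in this bug; not UCS code. It only
computes decisions from attribute values and does not talk to LDAP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Windows FILETIME epoch; lockoutTime counts 100-ns ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ppolicy stores this GeneralizedTime when an administrator locked the
# account explicitly; such a lock never expires on its own.
PPOLICY_PERMANENT_LOCK = "000001010000Z"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


@dataclass
class Account:
    dn: str
    lockout_time: Optional[str] = None             # Samba/AD lockoutTime
    pwd_account_locked_time: Optional[str] = None  # ppolicy pwdAccountLockedTime


@dataclass
class Decision:
    dn: str
    action: str   # "unlock", "keep", "manual" or "none"
    reason: str


def filetime_to_datetime(value: str) -> Optional[datetime]:
    """Convert lockoutTime ticks to a UTC datetime; 0 means not locked."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> str:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return str(((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)


def evaluate(acct: Account, now: datetime,
             samba_duration: Optional[timedelta],
             ppolicy_duration: Optional[timedelta]) -> Decision:
    """Classify one account. An account is only 'unlock' when every lock
    source on it has expired; any administrative lock wins over the rest."""
    expired, pending, manual = [], [], []

    if acct.lockout_time is not None:
        locked_at = filetime_to_datetime(acct.lockout_time)
        if locked_at is not None:
            if not samba_duration:            # assumed: 0/None = admin unlock only
                manual.append("samba")
            elif now >= locked_at + samba_duration:
                expired.append("samba")
            else:
                pending.append("samba")

    if acct.pwd_account_locked_time is not None:
        if acct.pwd_account_locked_time == PPOLICY_PERMANENT_LOCK or not ppolicy_duration:
            manual.append("ppolicy")          # pwdLockoutDuration 0 = until reset
        else:
            locked_at = datetime.strptime(acct.pwd_account_locked_time,
                                          GENERALIZED_TIME).replace(tzinfo=timezone.utc)
            if now >= locked_at + ppolicy_duration:
                expired.append("ppolicy")
            else:
                pending.append("ppolicy")

    if manual:
        return Decision(acct.dn, "manual", "administrative lock: " + ",".join(manual))
    if pending:
        return Decision(acct.dn, "keep", "within lockout duration: " + ",".join(pending))
    if expired:
        return Decision(acct.dn, "unlock", "lockout duration passed: " + ",".join(expired))
    return Decision(acct.dn, "none", "not locked")


def find_unlockable(accounts: List[Account], now: datetime,
                    samba_duration: Optional[timedelta],
                    ppolicy_duration: Optional[timedelta]) -> List[Decision]:
    return [d for d in (evaluate(a, now, samba_duration, ppolicy_duration)
                        for a in accounts) if d.action == "unlock"]


def ppolicy_unlock_ldif(dn: str) -> str:
    """Deleting pwdAccountLockedTime is the ppolicy way to clear a lock."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n"


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed records standing in for LDAP search results (not real data)."""
    base = "cn=users,dc=school,dc=example"
    gt = lambda dt: dt.strftime(GENERALIZED_TIME)
    return [
        Account(f"uid=teacher1,{base}", lockout_time=datetime_to_filetime(now - timedelta(hours=1))),
        Account(f"uid=teacher2,{base}", lockout_time=datetime_to_filetime(now - timedelta(minutes=5))),
        Account(f"uid=teacher3,{base}", pwd_account_locked_time=gt(now - timedelta(hours=2))),
        Account(f"uid=teacher4,{base}", pwd_account_locked_time=PPOLICY_PERMANENT_LOCK),
        Account(f"uid=teacher5,{base}", lockout_time="0"),
        Account(f"uid=teacher6,{base}", lockout_time=datetime_to_filetime(now - timedelta(hours=1)),
                pwd_account_locked_time=gt(now - timedelta(minutes=10))),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for d in (evaluate(a, now, timedelta(minutes=30), timedelta(minutes=30)) for a in sample_accounts(now)):
        print(f"{d.action:7} {d.dn}  ({d.reason})")
```

The point of `teacher6` is the case this bug is about: the Samba lock has already expired, but the account still counts as locked because the ppolicy lock has not, so a job that looked at only one attribute would unlock too early. The Samba side of an expired lock would be cleared with Samba's own tooling (e.g. `samba-tool user unlock`), which is not part of this example.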