larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0

Cannot update your password. 'krbloginfailedcount' #35

Closed istenik closed 4 years ago

istenik commented 4 years ago

Hi

I'm still getting the error: Cannot update your password. 'krbloginfailedcount'

Password was changed, but there is some problem with krbloginfailedcount attribute check/update.

Problem seems to be in these lines in pwdmanager.py:

            if int(user['result']['krbloginfailedcount'][0]) > 0:
                api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbloginfailedcount=0"))

Fresh installation of FreeIPA 4.6.5 on latest CentOS 7 7.7.1908 with default settings. Tested on multiple instances.

I have tried to add attribute "krbloginfailedcount" to "System: Change User password" permission (not default) but without effect. Next finding is that if the user never had a failed login, this attribute doesn't exist in the user record.

Regards
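The failure described above is a KeyError: FreeIPA only populates krbLoginFailedCount after a failed bind, so `user['result']['krbloginfailedcount']` is absent for a user who has never failed a login. The following is an added example, not code from the freeipa-password-reset project, showing a key-tolerant version of that check. It assumes a `user_mod` callable with the keyword arguments the app passes to `api.Command.user_mod`, and stands it in with a constructed recorder so the logic runs offline; the sample user dicts are constructed in the shape `user_show` returns.

```python
# Added example (not the project's code): defensive handling of the optional
# krbLoginFailedCount attribute in a FreeIPA user_show result.


def reset_failed_login_count(user, user_mod, uid):
    """Return True if a reset of krbloginfailedcount was issued, else False.

    user     -- dict as returned by user_show (only user['result'] is read)
    user_mod -- callable taking uid=..., setattr=... (stand-in for
                api.Command.user_mod; assumption, see lead-in)
    uid      -- the account name being reset
    """
    # Users with no failed logins have no krbloginfailedcount key at all,
    # so index with .get() instead of [] to avoid the KeyError.
    result = user.get('result', {})
    values = result.get('krbloginfailedcount')
    if not values:
        return False  # attribute absent: nothing to reset
    try:
        count = int(values[0])
    except (TypeError, ValueError):
        return False  # unexpected value shape: leave it alone
    if count > 0:
        # Still needs the ACI that allows writing this attribute; without it
        # the real user_mod raises an ACIError that the caller must handle.
        user_mod(uid=uid, setattr="krbloginfailedcount=0")
        return True
    return False


class FakeUserMod:
    """Constructed stand-in that records user_mod calls instead of talking to IPA."""

    def __init__(self):
        self.calls = []

    def __call__(self, **kwargs):
        self.calls.append(kwargs)
        return {'result': {}}


# Constructed sample results in the shape user_show returns.
USER_NEVER_FAILED = {'result': {'uid': ['alice']}}                               # no key
USER_LOCKED = {'result': {'uid': ['bob'], 'krbloginfailedcount': ['5']}}         # needs reset
USER_ZERO = {'result': {'uid': ['carol'], 'krbloginfailedcount': ['0']}}         # already zero


def demo():
    """Run the three sample users through the check; returns outcomes and calls."""
    mod = FakeUserMod()
    r1 = reset_failed_login_count(USER_NEVER_FAILED, mod, 'alice')
    r2 = reset_failed_login_count(USER_LOCKED, mod, 'bob')
    r3 = reset_failed_login_count(USER_ZERO, mod, 'carol')
    return r1, r2, r3, mod.calls


if __name__ == '__main__':
    print(demo())
```

Only the locked user triggers a `user_mod` call; the user with no attribute is skipped without an exception, which is the behaviour the original two lines lacked.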

larrabee commented 4 years ago

Hello. Thank you for the report. Fix committed to master.

istenik commented 4 years ago

Working. But krbLoginFailedCount is still not resetting. Looks like the code is not returning this attribute in the __get_user func. Tried to explicitly add this attr to the "System: Read Group Password Policy costemplate" permission in IPA, but without luck. Is it possible to somehow debug if the attr is returned in user['result']?

And next finding. After I 3 times successfully change the password of the same user, I'll get "Too many retries. Try later." I thought this was designed to restrict unsuccessful retries only.

Please consider redirecting back to the reset/ page after a successful pwd change - it will be more user-friendly.

Regards

istenik commented 4 years ago

I have found the solution for the krbLoginFailedCount reset: it's needed to add a few permissions in IPA:

ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"

Please try to answer the rest of the questions above.

Thanks

larrabee commented 4 years ago

> And next finding. After I 3 times successfully change the password of the same user, I'll get "Too many retries. Try later." I thought this was designed to restrict unsuccessful retries only.

Done

> It's needed to add a few permissions in IPA:

Done

> Please consider redirecting back to the reset/ page after a successful pwd change - it will be more user-friendly.

Sorry, but it's too many changes, I have no time for this now. You can submit a PR.

Thank you for feedback;)