Closed istenik closed 4 years ago
Hello. Thank you for report. Fix committed to master.
Working. But krbLoginFailedCount is still not resetting. It looks like the code is not returning this attribute in the __get_user func. I tried to explicitly add this attr to the "System: Read Group Password Policy costemplate" permission in IPA, but without luck. Is it possible to somehow debug whether the attr is returned in user['result']?
And the next finding. After I successfully change the password of the same user 3 times, I get "Too many retries. Try later." I thought this was designed to restrict unsuccessful retries only.
Please consider redirecting back to the reset/ page after a successful pwd change - it will be more user-friendly.
Regards
I have found the solution for the krbLoginFailedCount reset: it's needed to add a few permissions in IPA:
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"
Please try to answer the rest of the questions above.
Thanks
And the next finding. After I successfully change the password of the same user 3 times, I get "Too many retries. Try later." I thought this was designed to restrict unsuccessful retries only.
Done
It's needed to add a few permissions in IPA:
Done
Please consider redirecting back to the reset/ page after a successful pwd change - it will be more user-friendly.
Sorry, but it's too many changes, I have no time for this now. You can submit a PR.
Thank you for feedback;)
Hi
I'm still getting the error: Cannot update your password. 'krbloginfailedcount'
The password was changed, but there is some problem with the krbloginfailedcount attribute check/update.
The problem seems to be in these lines in pwdmanager.py:
Fresh installation of FreeIPA 4.6.5 on the latest CentOS 7 (7.7.1908) with default settings. Tested on multiple instances.
I have tried to add the attribute "krbloginfailedcount" to the "System: Change User password" permission (not default) but without effect. The next finding is that if the user never had a failed login, this attribute doesn't exist in the user record.
Regards
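The last two comments describe the same failure mode from two sides: the reset code indexes `user['result']['krbloginfailedcount']` directly, and the key is simply absent when the account has never had a failed login (FreeIPA only writes the attribute after the first failure) or when the calling role lacks read permission on it. The example below is added here to illustrate a defensive way to handle that; it is not code from pwdmanager.py or from FreeIPA. It assumes only the shape of a FreeIPA JSON-RPC `user_show` result (lowercased attribute names, every value a list of strings), and the sample results are constructed for the example.

```python
"""Added example: read krbLoginFailedCount from a FreeIPA user_show result
without raising when the attribute is absent, and decide whether a reset
of the counter is needed at all. Not pwdmanager.py code."""

from typing import Any, Dict, List, Optional

# Constructed sample results in the shape of FreeIPA's JSON-RPC user_show
# output: attribute names are lowercased and values are lists of strings.
USER_WITH_FAILURES: Dict[str, Any] = {
    "result": {
        "uid": ["alice"],
        "krbloginfailedcount": ["3"],
        "krblastfailedauth": ["20190930120000Z"],
    }
}
# An account that never had a failed login: the attribute does not exist.
USER_NEVER_FAILED: Dict[str, Any] = {"result": {"uid": ["bob"]}}
# Attribute present but empty (same handling as absent).
USER_EMPTY_LIST: Dict[str, Any] = {
    "result": {"uid": ["carol"], "krbloginfailedcount": []}
}


def single_attr(result: Dict[str, Any], name: str) -> Optional[str]:
    """Return the first value of an attribute, or None when it is missing.

    FreeIPA lowercases attribute names in results, so look the name up
    case-insensitively and unwrap the one-element list.
    """
    values = result.get(name.lower())
    if not values:
        return None
    return values[0] if isinstance(values, list) else str(values)


def failed_login_count(user: Dict[str, Any]) -> int:
    """krbLoginFailedCount as an int; a missing attribute means 0 failures."""
    value = single_attr(user["result"], "krbLoginFailedCount")
    if value is None:
        return 0
    try:
        return int(value)
    except ValueError:
        # Unexpected content: treat as unknown rather than crashing the reset.
        return 0


def reset_failed_count_args(user: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Build the user_mod keyword argument that zeroes the counter.

    Returns None when there is nothing to reset, so the caller skips the
    extra LDAP write (and the permission it requires) for clean accounts.
    """
    if failed_login_count(user) == 0:
        return None
    return {"setattr": "krbloginfailedcount=0"}


def missing_attributes(user: Dict[str, Any], expected: List[str]) -> List[str]:
    """Debug helper: which expected attributes are absent from the result.

    Absence can mean the attribute was never set or that the bind identity
    is not allowed to read it; the result alone cannot tell the two apart,
    so compare against a bind as admin to locate a permission problem.
    """
    present = {k.lower() for k in user["result"]}
    return [name.lower() for name in expected if name.lower() not in present]


if __name__ == "__main__":
    for sample in (USER_WITH_FAILURES, USER_NEVER_FAILED, USER_EMPTY_LIST):
        uid = single_attr(sample["result"], "uid")
        print(uid, failed_login_count(sample), reset_failed_count_args(sample),
              missing_attributes(sample, ["uid", "krbLoginFailedCount"]))
```

Running it against a real server would mean passing the `user_show` result of the account being reset into `reset_failed_count_args` and only calling `user_mod` when it returns a value; `missing_attributes` run once under the service bind and once under an admin bind answers the earlier question of whether the attribute is being returned in `user['result']`.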