Sympa should not lock out users using password authentication with LDAP #1132
Comments
The description about
So you can suggest to the locked-out user that they select the "Forgot password" link to renew their password on their own.
Yes - that is the case for a local password. This became an issue with LDAP (AD) authentication: the user reset their LDAP password and verified it worked with other campus services using that approach, but they were still locked out of Sympa because they had exceeded the max_wrong_password value. The server param is set to 21 and the value in his user_table was 38. Aside: does that user_table value continually increment, or is there a reset/timeout to take it back to the default, /N? In this case, it didn't reset over time or with respect to the session cookie.
I think the account lockout policy for LDAP authentication would be better managed by the directory server than by Sympa itself. I'll submit a PR later.
Hi @tmclaren, if possible, can you check this patch <https://github.com/sympa-community/sympa/commit/92c6309.patch>? It should no longer increment the wrong_login_count_user field in the database with LDAP authentication. If possible, this change will be included in a release in the near future.
Will do. I'm traveling until late next week, so I'll test it when I get back.
Thank you,
Terry McLaren
On Thu, Mar 25, 2021 at 8:44 PM IKEDA Soji wrote:
Hi @tmclaren <https://github.com/tmclaren>, if possible, can you check this patch <https://github.com/sympa-community/sympa/commit/92c6309.patch>? It should no longer increment the wrong_login_count_user field in the database with LDAP authentication. If possible, this change will be included in a release in the near future.
I took a look at the patch and it looks straightforward: it confines the max_wrong_password increment to local/native login. We're currently running 6.1 and the Auth.pm logic is slightly different there, so I won't be able to apply it to that version. I'm in the process of creating a 6.2 server and will test it when it's up and running.
Sympa should not lock out users using password authentication with LDAP (#1132)
Provide listmasters with the ability to reset the 'max_wrong_password' value for a user through the user interface. The current approach requires backend interaction:
mysql> update user_table set wrong_login_count_user = 0 where email_user like "someone@somewhere.edu";
E.g. max_wrong_password 99
Expected Behavior
Listmasters can reset this user account setting from the web UI
Current Behavior
A CLI interaction with the backend as described above.
Possible Solution
An additional field in [Sympa admin] > Users
checkbox: [ ] Reset Wrong Password Count [input field: email@address.edu]
Context
An end user had their count incremented above the max allowed and was locked out from managing their mail lists for over a week.
see solution
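As an added illustration, not code from Sympa or from anyone in this thread, the following Python models the counter logic the thread discusses against an in-memory sqlite3 stand-in for user_table: the behaviour reported above (Sympa's own counter checked and incremented whichever backend authenticated the user, so an LDAP user who fixed their directory password stays locked out until someone edits the row), the patched rule Terry describes (the counter confined to local/native login, with LDAP lockout left to the directory server), and a parameterised form of the manual reset shown in the issue description. The table layout, the 'ok'/'failed'/'locked' return values, the fake_ldap_bind stand-in, the lowered MAX_WRONG_PASSWORD of 3 and the scrypt hashing are all assumptions of the example, not Sympa internals.

```python
# Added example (not Sympa's code): sqlite3 model of a wrong-password counter,
# contrasting "counter applies to every login method" with "counter applies to
# local passwords only". Sympa itself keeps this logic in Auth.pm (Perl).
import hashlib
import hmac
import os
import sqlite3
from typing import Callable, Optional

MAX_WRONG_PASSWORD = 3  # stands in for sympa.conf max_wrong_password; 3 keeps the demo short


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt with a modest cost so the demo runs quickly; not Sympa's own password hashing.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for user_table (column names follow the issue's SQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_table ("
        " email_user TEXT PRIMARY KEY, salt BLOB, password_user BLOB,"
        " wrong_login_count_user INTEGER NOT NULL DEFAULT 0)"
    )
    salt = os.urandom(16)
    db.execute("INSERT INTO user_table VALUES (?, ?, ?, 0)",
               ("local@somewhere.edu", salt, _hash("local-secret", salt)))
    # An LDAP user has a row too (the thread reports a counter of 38 in user_table) but no local hash.
    db.execute("INSERT INTO user_table (email_user) VALUES (?)", ("someone@somewhere.edu",))
    db.commit()
    return db


def wrong_count(db: sqlite3.Connection, email: str) -> int:
    row = db.execute("SELECT wrong_login_count_user FROM user_table WHERE email_user = ?",
                     (email,)).fetchone()
    return row[0] if row else 0


def _bump(db: sqlite3.Connection, email: str) -> None:
    db.execute("UPDATE user_table SET wrong_login_count_user = wrong_login_count_user + 1"
               " WHERE email_user = ?", (email,))
    db.commit()


def listmaster_reset(db: sqlite3.Connection, email: str) -> None:
    """Parameterised form of the manual fix in the issue. '=' rather than LIKE: '_' and '%'
    are LIKE wildcards, so a LIKE pattern can reset more rows than the one intended."""
    db.execute("UPDATE user_table SET wrong_login_count_user = 0 WHERE email_user = ?", (email,))
    db.commit()


def _local_password_ok(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, password_user FROM user_table WHERE email_user = ?",
                     (email,)).fetchone()
    if not row or row[0] is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])


LdapBind = Callable[[str, str], bool]


def authenticate(db: sqlite3.Connection, email: str, password: str,
                 ldap_bind: Optional[LdapBind] = None,
                 count_ldap_failures: bool = False) -> str:
    """Return 'ok', 'failed' or 'locked'.

    count_ldap_failures=True models the behaviour reported in the thread: the counter is
    checked and incremented no matter which backend verifies the password. With False (the
    patched rule) the counter only concerns local passwords; an LDAP user's lockout policy
    is whatever the directory enforces inside ldap_bind. The thread leaves open whether a
    successful login resets the counter, so this model never resets it except via
    listmaster_reset().
    """
    uses_counter = ldap_bind is None or count_ldap_failures
    if uses_counter and wrong_count(db, email) >= MAX_WRONG_PASSWORD:
        return "locked"
    ok = ldap_bind(email, password) if ldap_bind is not None else _local_password_ok(db, email, password)
    if ok:
        return "ok"
    if uses_counter:
        _bump(db, email)
    return "failed"


def fake_ldap_bind(email: str, password: str) -> bool:
    """Constructed stand-in for an LDAP simple bind; a real directory applies its own lockout."""
    return email == "someone@somewhere.edu" and password == "ldap-secret"


def demo() -> dict:
    ldap_user, local_user = "someone@somewhere.edu", "local@somewhere.edu"
    r = {}
    # 1. Reported behaviour: bad LDAP binds count against Sympa's own limit, so the right
    #    directory password is refused by Sympa until a listmaster resets the row.
    db = make_db()
    for _ in range(MAX_WRONG_PASSWORD):
        authenticate(db, ldap_user, "wrong", fake_ldap_bind, count_ldap_failures=True)
    r["ldap_before_patch"] = authenticate(db, ldap_user, "ldap-secret", fake_ldap_bind, count_ldap_failures=True)
    r["ldap_count_before_patch"] = wrong_count(db, ldap_user)
    listmaster_reset(db, ldap_user)
    r["ldap_after_reset"] = authenticate(db, ldap_user, "ldap-secret", fake_ldap_bind, count_ldap_failures=True)
    # 2. Patched rule: the same bad binds leave the counter alone ...
    db = make_db()
    for _ in range(MAX_WRONG_PASSWORD):
        authenticate(db, ldap_user, "wrong", fake_ldap_bind)
    r["ldap_after_patch"] = authenticate(db, ldap_user, "ldap-secret", fake_ldap_bind)
    r["ldap_count_after_patch"] = wrong_count(db, ldap_user)
    # 3. ... while local passwords are still throttled.
    for _ in range(MAX_WRONG_PASSWORD):
        authenticate(db, local_user, "wrong")
    r["local_locked"] = authenticate(db, local_user, "local-secret")
    r["local_count"] = wrong_count(db, local_user)
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the split in authenticate() is that a directory-backed account has two lockout policies only if Sympa insists on keeping one of its own; once the increment is confined to local passwords, clearing the LDAP lockout is the directory administrator's job and Sympa has nothing to reset. For the local path the counter still works, and the listmaster reset is the only way out of it in this model.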