  #11 (permalink)  
Old 07-31-2007, 05:34 PM
Member
 
Posts: 11
Default

Thanks John,

It's not that I object to upgrading, just the amount of testing and backups of data required (last backup I did I followed the instructions and lost my customised theme, which subsequently locked out all users, required COS changes and all users had to delete all cached data, etc).

Just concerned about similar things now that system is in production.

The level of urgency around upgrades normally directly relates to problems being experienced vs bugs/issues/features addressed/included in new versions/patch releases.

I am certainly still pushing for an outage window in order to upgrade the system. Just need to make sure that if something goes wrong, that I can recover to the previous version with minimal problems.

Thanks for your work.

Michael
Reply With Quote
  #12 (permalink)  
Old 07-31-2007, 05:49 PM
Zimbra-Yahoo Consultant
 
Posts: 5,608
Default

Can you try
zmprov -l ma user@pakenhamses.com.au zimbraAccountStatus active
Reply With Quote
  #13 (permalink)  
Old 08-13-2007, 04:58 PM
Member
 
Posts: 11
Default

Morning,

I was always able to reset the account using either the admin console, or CLI. I have recently performed the upgrade to 4.5.6 and will test the automatic reset functionality again.

Regards,
Michael
Reply With Quote
  #14 (permalink)  
Old 08-14-2007, 09:28 PM
Member
 
Posts: 11
Default

John,

I have tested the account lockout reset functionality again today with no luck.

Account in lockout state (due to excess login attempts) is still not automatically resetting.

[zimbra@mail ~]$ zmprov ga test@ccns.com.au | grep Password
userPassword: VALUE-BLOCKED
zimbraFeatureChangePasswordEnabled: TRUE
zimbraPasswordEnforceHistory: 0
zimbraPasswordLocked: FALSE
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutFailureTime: 20070815015759Z
zimbraPasswordLockoutFailureTime: 20070815015801Z
zimbraPasswordLockoutFailureTime: 20070815015804Z
zimbraPasswordLockoutFailureTime: 20070815015806Z
zimbraPasswordLockoutFailureTime: 20070815015809Z
zimbraPasswordLockoutLockedTime: 20070815015806Z
zimbraPasswordLockoutMaxFailures: 5
zimbraPasswordMaxAge: 0
zimbraPasswordMaxLength: 12
zimbraPasswordMinAge: 0
zimbraPasswordMinLength: 6
zimbraPasswordMinLowerCaseChars: 0
zimbraPasswordMinNumericChars: 1
zimbraPasswordMinPunctuationChars: 0
zimbraPasswordMinUpperCaseChars: 0
zimbraPasswordModifiedTime: 20070815015441Z
[zimbra@mail ~]$ zmprov ga test@ccns.com.au | grep Status
zimbraAccountStatus: lockout
zimbraMailStatus: enabled
[zimbra@mail ~]$ date
Wed Aug 15 13:24:54 EST 2007 (Melbourne - GMT+10hrs)


Any further ideas on why this is still not working?

Regards,
Michael
Reply With Quote
  #15 (permalink)  
Old 08-14-2007, 09:37 PM
Zimbra-Yahoo Consultant
 
Posts: 5,608
Default

hi michael,
did you try with the -l switch?
Reply With Quote
  #16 (permalink)  
Old 08-14-2007, 10:08 PM
Member
 
Posts: 11
Default

John,

What is the -l switch supposed to do?

I have already stated that I am able to unlock the account via either the admin console or the zmprov command, yet the configuration under the accounts is for the lockout state to be automatically reset after 1hr.

The problem is that the "automatic" reset is not automatic if an administrator has to execute a command to reset the account.

Regards,
Michael
Reply With Quote
  #17 (permalink)  
Old 08-15-2007, 09:23 PM
Member
 
Posts: 11
Default

Hi,

I have been doing more digging in the system regarding this problem.

The -l switch appears to force the zmprov command to act directly on the ldap db.

According to the ldap schema definitions, the PasswordLockout details are within the ldap process, but as I can re-enable the account manually I still don't see how this direction is relevant.

According to the crontab files, it appears that there is no routine process defined that checks the relevant fields in the ldap tables and acts to re-enable the accounts.

I would expect a routine that attempts to do the following process

for each acct
    if status=locked
        if lockedTime + LockoutDuration <= currentSystemTime
            set status=active
        endif
    endif
next acct


Attached is the output from a crontab -l for the zimbra user.

Regards,
Michael.
Attached Files
File Type: txt zimbra_crontab.txt (2.3 KB, 89 views)
Reply With Quote
  #18 (permalink)  
Old 08-16-2007, 12:35 PM
Advanced Member
 
Posts: 195
Default

It will reset to active when the user attempts to provide successful login credentials after the LockoutDuration has passed.

Make sure they're using the right password, that POP3 or IMAP is enabled for them (whatever mechanism they are using to login) or other things.. check the "wrong" password in the audit log and make sure it's correct, or try resetting their password to ensure it matches what they think it is.

This shows that the system will show "locked" even after the time has passed, but will automatically reset itself when they attempt after the Lifetime has passed.. it's not reset to active on a scheduled window of any sort - it's only checked when the login is attempted.

Code:
zimbra@rumpy:~$ zmprov ga test@kristofer.org|egrep -i 'zimbra(PasswordLockout|AccountStatus)'
zimbraAccountStatus: lockout
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutFailureTime: 20070816172555Z
zimbraPasswordLockoutFailureTime: 20070816172617Z
zimbraPasswordLockoutFailureTime: 20070816172632Z
zimbraPasswordLockoutLockedTime: 20070816172632Z
zimbraPasswordLockoutMaxFailures: 3

so it is locked out one hour three minutes ago, status is locked out..

Code:
zimbra@rumpy:~$ telnet rumpy 110
Trying 127.0.1.1...
Connected to rumpy..
Escape character is '^]'.
+OK rumpy.cybernetik.net Zimbra POP3 server ready
user test@kristofer.org
+OK hello test@kristofer.org, please enter your password
pass <correctpassword>
+OK server ready
quit
+OK rumpy.cybernetik.net closing connection
Connection closed by foreign host.
zimbra@rumpy:~$

and now it's active

Code:
zimbra@rumpy:~$ zmprov ga test@kristofer.org|egrep -i 'zimbra(PasswordLockout|AccountStatus)'
zimbraAccountStatus: active
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutMaxFailures: 3
Reply With Quote
  #19 (permalink)  
Old 08-16-2007, 05:23 PM
Member
 
Posts: 11
Default

Thanks Krishopper,

What you mentioned does appear to be the fact.
I was able to login with the correct password.

Based on this, I did some looking on the admin console pages.

It would be great if the admin console listed the following fields for accounts in lockout.
1. when the account was locked
2. when the account is due to unlock.

At this point, the only way I can find to get this info is either using zmprov or ldapsearch.

---------------
Thanks to everybody for your help. The reset function does appear to be working although no indication is given that the account should work.

Regards,
Michael
Reply With Quote
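
The two values post #19 asks for (when the account was locked, and when it is due to unlock) can be computed from the `zmprov ga` output shown in this thread. This is an added example, not part of any post and not Zimbra's own tooling; `lockout_report`, `parse_duration` and `parse_attrs` are hypothetical helper names, and the code assumes Zimbra's duration format (digits plus d/h/m/s, bare number meaning seconds) with a duration of 0 meaning no automatic expiry.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: attribute lines as shown in post #14 of this thread.
SAMPLE = """\
zimbraAccountStatus: lockout
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutLockedTime: 20070815015806Z
zimbraPasswordLockoutMaxFailures: 5
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(value):
    """Zimbra duration: digits plus d/h/m/s; a bare number means seconds."""
    m = re.fullmatch(r"(\d+)([dhms]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"])

def parse_attrs(text):
    """Turn 'name: value' lines into {name: [values]} (attributes can repeat)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def lockout_report(zmprov_output, now):
    """Report when the account was locked and when a correct login unlocks it."""
    attrs = parse_attrs(zmprov_output)
    report = {"status": attrs.get("zimbraAccountStatus", ["unknown"])[0],
              "locked_at": None, "unlock_due": None, "login_will_unlock": False}
    locked = attrs.get("zimbraPasswordLockoutLockedTime")
    if report["status"] != "lockout" or not locked:
        return report
    report["locked_at"] = datetime.strptime(
        locked[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    duration = parse_duration(attrs.get("zimbraPasswordLockoutDuration", ["0"])[0])
    if duration > timedelta(0):  # assumption: 0 means locked until an admin resets
        report["unlock_due"] = report["locked_at"] + duration
        report["login_will_unlock"] = now >= report["unlock_due"]
    return report

if __name__ == "__main__":
    # 'date' in post #14 printed 13:24:54 at GMT+10, i.e. 03:24:54 UTC.
    print(lockout_report(SAMPLE, datetime(2007, 8, 15, 3, 24, 54, tzinfo=timezone.utc)))
```

As post #18 describes, `zimbraAccountStatus` keeps reading `lockout` after `unlock_due`; `login_will_unlock` only says that the next correct login should flip it back to `active`.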
  #20 (permalink)  
Old 08-16-2007, 05:27 PM
Advanced Member
 
Posts: 195
Default

Search for it on http://bugzlila.zimbra.com/ to see if an enhancement request exists.. if one doesn't, file one.. if you find one or file one then vote on it, and let me know the number and I'll vote on it too because I would also like to see that in the admin console (probably not as bad as you, but it would help)
Reply With Quote