
Thread: Locked status and error messages

  1. #1 fconil (Active Member, Melbourne, Australia; joined Apr 2008)

    Locked status and error messages

    I just noticed, amongst other things, that the Locked status yields the loginerror message (The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password.) when a user tries to log in.

    Is there a way to define a specific message for this status, so the user knows what's going on? I reckon loginerror is also used when the login info is incorrect, so it might be a bit confusing.

  2. #2 fconil (Active Member, Melbourne, Australia)

    Anyone? :/

  3. #3 mmorse (Moderator, USA; joined May 2006)

    From Bug 23625 - Account Lockout Option. Yes, I know the original purpose of that bug has nothing to do with this, but see this tidbit:
    Quote Originally Posted by vikas
    However, I think it would be great if we change the display message after the allowed failure attempts to something like:

    "Your Account has been locked due to maximum allowed failure attempts and please contact your administrator" - Something like this.

    This happens with POP/IMAP also; it keeps on popping up and never says the account has been locked.

    ------- Additional Comment #1 From Anand 2008-01-15 14:54 PST -------
    Also, not disclosing the reason for a failed auth is a security measure.
    Note: Most of our connectors should prompt an 'enter password dialog' if the password has been changed. Bug 27708 - Accounts locked out by connector login retries.

    We did decide to make errorMaintenanceMode = This account is currently in maintenance mode. (as well as force back to login screen) via Bug 9665 - poor error dialog when account is in maintenance mode

    What you could do in the meantime is modify the respective /opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties to contain:
    loginError = The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. \
    If you have attempted login more than 3 times in 5min, please wait 30min before attempting again as your account may be in temporary lockout. \
    If this message persists please contact the IT helpdesk via phone/ticket portal.

    However, you're certainly free to open a new RFE for re-consideration!
    You'll have more luck if you suggest that the new values still be defaulted to the same as the current loginError message; then our security mindset is taken care of and you can later configure as desired.

    As outlined by Anand, I seriously doubt we'd go so far as to list how many tries in x minutes it takes to force lockout and how long it lasts (as this leaves room for abuse), but personally I feel a "Your account has been locked due to login failure attempts - please wait for it to re-enable or contact your administrator." isn't too far fetched for the webclient, and probably will do more good in reduced anguish or at least simpler helpdesk tickets/admin calls for most.

    Not trying to be negative - just trust me that we approach what can be the simplest of things with security in mind. It may seem paranoid, but we serve a wide variety of organizations with different needs and prior experience shows it's best to play it safe.
    Last edited by mmorse; 05-05-2008 at 10:46 PM.
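    As an added illustration of the approach mmorse describes above (this is example code written for this thread, not Zimbra's implementation), the following sketch keeps the detailed reason for a failed login in a server-side audit trail while the login page, by default, shows the same generic loginError text for a wrong password and for a locked account. Only maintenance mode gets its own message, mirroring the errorMaintenanceMode decision, and an administrator can opt in to a distinct lockout message by adding one entry to the distinct-key map. The lockout window and duration (3 failures in 5 minutes, 30 minute lock) are constructed to match the figures in the suggested wording; the LockoutTracker class, the errorAccountLocked key and the test credentials are all assumptions made for this example.

```python
import logging
from collections import defaultdict, deque
from enum import Enum

log = logging.getLogger("auth")


class AuthOutcome(Enum):
    """Internal result of a login attempt; never shown to the user as-is."""
    OK = "ok"
    BAD_CREDENTIALS = "bad_credentials"
    LOCKED = "locked"
    MAINTENANCE = "maintenance"


# Constructed message catalogue, modelled on the ZmMsg.properties keys
# quoted in the thread. errorAccountLocked is a hypothetical extra key.
MESSAGES = {
    "loginError": "The username or password is incorrect. Verify that CAPS LOCK "
                  "is not on, and then retype the current username and password.",
    "errorMaintenanceMode": "This account is currently in maintenance mode.",
    "errorAccountLocked": "Your account has been locked due to login failure "
                          "attempts. Please contact your administrator.",
}

# Default policy: only maintenance mode gets a distinct message. A locked
# account deliberately falls back to the generic loginError text so the
# login form cannot be used to tell "wrong password" from "locked".
DEFAULT_DISTINCT_KEYS = {AuthOutcome.MAINTENANCE: "errorMaintenanceMode"}


class LockoutTracker:
    """Lock an account after max_failures failed logins inside window_s
    seconds, for lock_s seconds. `now` is passed in by the caller so the
    policy can be exercised without sleeping."""

    def __init__(self, max_failures=3, window_s=300, lock_s=1800):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lock_s
            q.clear()

    def record_success(self, user):
        self._failures.pop(user, None)


def authenticate(user, password, creds, tracker, now, maintenance=frozenset()):
    """Return the internal outcome. `creds` is a constructed user -> password map."""
    if user in maintenance:
        return AuthOutcome.MAINTENANCE
    if tracker.is_locked(user, now):
        return AuthOutcome.LOCKED          # even a correct password is refused
    if creds.get(user) == password:
        tracker.record_success(user)
        return AuthOutcome.OK
    tracker.record_failure(user, now)
    return AuthOutcome.BAD_CREDENTIALS


def user_message(outcome, distinct_keys=DEFAULT_DISTINCT_KEYS):
    """Map an outcome to the text the login page shows (None on success)."""
    if outcome is AuthOutcome.OK:
        return None
    return MESSAGES[distinct_keys.get(outcome, "loginError")]


def login(user, password, creds, tracker, now, audit,
          distinct_keys=DEFAULT_DISTINCT_KEYS, maintenance=frozenset()):
    """Handle one login attempt: precise reason to the audit trail for the
    helpdesk, sanitized message back to the user."""
    outcome = authenticate(user, password, creds, tracker, now, maintenance)
    audit.append((now, user, outcome.value))
    log.info("login user=%s outcome=%s", user, outcome.value)
    return user_message(outcome, distinct_keys)


if __name__ == "__main__":
    audit, tracker = [], LockoutTracker()
    for t in (0, 10, 20, 30):
        print(login("alice", "wrong", {"alice": "s3cret"}, tracker, t, audit))
    print(audit)   # the audit trail, not the user, records "locked" on the 4th try
```

    Swapping in the opt-in map `{**DEFAULT_DISTINCT_KEYS, AuthOutcome.LOCKED: "errorAccountLocked"}` is the equivalent of the configurable message the thread asks for, and leaving the default in place is the "play it safe" behaviour Anand's comment argues for.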

  4. #4 fconil (Active Member, Melbourne, Australia)

    Just the possibility to display:

    "account has been locked, please contact your helpdesk" would be nice

    I'd like to have the possibility to lock an account I suspect of wrongdoing, and make sure the user will call me later on to get his mandatory scolding before unlocking his account, and thus would rely on the display of such a message.

  5. #5 mmorse (Moderator, USA)

    For now, rather than opening a new one I've noted your above desires on Bug 23625 - Account Lockout Option. (cc watch / support ticket tag / vote as wanted)

  6. #6 fconil (Active Member, Melbourne, Australia)

    Voted.

    Thanks again for your help.
