Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 21

Thread: Locked Accounts not resetting

  1. #11
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    Thanks John,

    It's not that I object to upgrading, just the amount of testing and backups of data required (last backup I did I followed the instructions and lost my customised theme, which subsequently locked out all users, required COS changes and all users had to delete all cached data, etc).

    Just concerned about similar things now that system is in production.

    The level of urgency around upgrades normally directly relates to problems being experienced vs bugs/issues/features addresses/included in new versions/patch releases.

    I am certainly still pushing for an outage window in order to upgrade the system. Just need to make sure that if something goes wrong, that I can recover to the previous version with minimal problems.

    Thanks for your work.

    Michael

  2. #12
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    21

    Default

    Can you try
    zmprov -l ma user@pakenhamses.com.au zimbraAccountStatus active

  3. #13
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    Morning,

    I was always able to reset the account using either the admin console, or CLI. I have recently performed the upgrade to 4.5.6 and will test the automatic reset functionality again.

    Regards,
    Michael

  4. #14
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    John,

    I have tested the account lockout reset functionality again today with no luck.

    Account in lockout state (due to excess login attempts) is still not automatically resetting.

    [zimbra@mail ~]$ zmprov ga test@ccns.com.au | grep Password
    userPassword: VALUE-BLOCKED
    zimbraFeatureChangePasswordEnabled: TRUE
    zimbraPasswordEnforceHistory: 0
    zimbraPasswordLocked: FALSE
    zimbraPasswordLockoutDuration: 1h
    zimbraPasswordLockoutEnabled: TRUE
    zimbraPasswordLockoutFailureLifetime: 1h
    zimbraPasswordLockoutFailureTime: 20070815015759Z
    zimbraPasswordLockoutFailureTime: 20070815015801Z
    zimbraPasswordLockoutFailureTime: 20070815015804Z
    zimbraPasswordLockoutFailureTime: 20070815015806Z
    zimbraPasswordLockoutFailureTime: 20070815015809Z
    zimbraPasswordLockoutLockedTime: 20070815015806Z
    zimbraPasswordLockoutMaxFailures: 5
    zimbraPasswordMaxAge: 0
    zimbraPasswordMaxLength: 12
    zimbraPasswordMinAge: 0
    zimbraPasswordMinLength: 6
    zimbraPasswordMinLowerCaseChars: 0
    zimbraPasswordMinNumericChars: 1
    zimbraPasswordMinPunctuationChars: 0
    zimbraPasswordMinUpperCaseChars: 0
    zimbraPasswordModifiedTime: 20070815015441Z
    [zimbra@mail ~]$ zmprov ga test@ccns.com.au | grep Status
    zimbraAccountStatus: lockout
    zimbraMailStatus: enabled
    [zimbra@mail ~]$ date
    Wed Aug 15 13:24:54 EST 2007 (Melbourne - GMT+10hrs)


    Any further ideas on why this is still not working?

    Regards,
    Michael

  5. #15
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    21

    Default

    hi michael,
    did you try with the -l switch?

  6. #16
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    John,

    What is the -l switch supposed to do?

    I have already stated that I am able to unlock the account via either the admin console or the zmprov command, yet the confguration under the accounts is for the lockout state to be automatically reset after 1hr.

    The problem is that the "automatic" reset is not automatic if an administrator has to execute a command to reset the account.

    Regards,
    Michael

  7. #17
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    Hi,

    I have been doing more digging in the system relgarding this problem.

    The -l switch appears to force the zmprov command to act directly on the ldap db.

    According to the ldap schema definitions, the PasswordLockout details are within the ldap process, but as I can re-enable the account manually I still don't see how this direction is relevant.

    according to the crontab files, it appears that there is no routine process defined that checks the relevant fields in the ldap tables and acts to re-enable the accounts.

    I would expect a routine that attempts to do the following process

    for each acct
    if status=locked
    if lockedTime + LockoutDuration >= currentSystemTime
    set status=active
    endif
    endif
    next acct


    Attached is the output from a crontab -l for the zimbra user.

    Regards,
    Michael.
    Attached Files Attached Files

  8. #18
    Join Date
    Dec 2006
    Location
    Minneapolis MN
    Posts
    777
    Rep Power
    9

    Default

    It will reset to active when the user attempts to provide successful login credentials after the LockoutDuration has passed.

    Make sure they're using the right password, that POP3 or IMAP is enabled for them (whatever mechanism they are using to login) or other things.. check the "wrong" password in the audit log and make sure its correct, or try resetting their password to ensure it matches what they think it is.

    This shows that the system will show "locked" even after the time has passed, but will automatically reset itself when they attempt after the Lifetime has passed.. it's not reset to active on a scheduled window of any sort - it's only checked when the login is attempted.

    Code:
    zimbra@rumpy:~$ zmprov ga test@kristofer.org|egrep -i 'zimbra(PasswordLockout|AccountStatus)'
    zimbraAccountStatus: lockout
    zimbraPasswordLockoutDuration: 1h
    zimbraPasswordLockoutEnabled: TRUE
    zimbraPasswordLockoutFailureLifetime: 1h
    zimbraPasswordLockoutFailureTime: 20070816172555Z
    zimbraPasswordLockoutFailureTime: 20070816172617Z
    zimbraPasswordLockoutFailureTime: 20070816172632Z
    zimbraPasswordLockoutLockedTime: 20070816172632Z
    zimbraPasswordLockoutMaxFailures: 3
    so it is locked out one hour three minutes ago, status is locked out..

    Code:
    zimbra@rumpy:~$ telnet rumpy 110
    Trying 127.0.1.1...
    Connected to rumpy..
    Escape character is '^]'.
    +OK rumpy.cybernetik.net Zimbra POP3 server ready
    user test@kristofer.org
    +OK hello test@kristofer.org, please enter your password
    pass <correctpassword>
    +OK server ready
    quit
    +OK rumpy.cybernetik.net closing connection
    Connection closed by foreign host.
    zimbra@rumpy:~$
    and now it's active

    Code:
    zimbra@rumpy:~$ zmprov ga test@kristofer.org|egrep -i 'zimbra(PasswordLockout|AccountStatus)'
    zimbraAccountStatus: active
    zimbraPasswordLockoutDuration: 1h
    zimbraPasswordLockoutEnabled: TRUE
    zimbraPasswordLockoutFailureLifetime: 1h
    zimbraPasswordLockoutMaxFailures: 3

  9. #19
    Join Date
    Jul 2007
    Location
    Melbourne
    Posts
    11
    Rep Power
    8

    Default

    Thank Krishopper,

    What you mentioned does appear to be the fact.
    I was able to login with the correct password.

    Based on this, I did some looking on the admin console pages.

    It would be great if the admin console listed the following fields for accounts in lockout.
    1. when the account was locked
    2. when the account is due to unlock.

    At this point, the only way I can find to get this info is either using zmprov or ldapsearch.

    ---------------
    Thanks to everybody for your help. The reset function does appear to be working although no indication is given that the account should work.

    Regards,
    Michael

  10. #20
    Join Date
    Dec 2006
    Location
    Minneapolis MN
    Posts
    777
    Rep Power
    9

    Default

    Search for it on http://bugzlila.zimbra.com/ to see if an enhancement request exists.. if one doesn't, file one.. if you find one or file one then vote on it, and let me know the number and I'll vote on it too because I would also like to see that in the admin console (probably not as bad as you, but it would help)

Similar Threads

  1. Multiple Mail Accounts, Folders
    By skwdenyer in forum Users
    Replies: 12
    Last Post: 12-01-2013, 08:52 PM
  2. Replies: 5
    Last Post: 08-16-2006, 06:18 AM
  3. Zimbra dies after some time
    By czaveri in forum Installation
    Replies: 17
    Last Post: 04-07-2006, 08:45 AM
  4. Replies: 2
    Last Post: 03-20-2006, 10:50 PM
  5. Internal Mails Stop Working After a While
    By mintra in forum Administrators
    Replies: 30
    Last Post: 02-02-2006, 08:35 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •