Unused lockout period for determining user lockout #1068

@carma12

The following issue is also affecting the modern WebUI and needs to be fixed: https://pagure.io/freeipa/issue/9937

TL;DR
The code from the UserSettings.tsx component affecting these lines:

```tsx
const getUnlockStatus = (): boolean => {
  let isLocked = false;
  if (
    props.user.krbloginfailedcount &&
    props.pwPolicyData.krbpwdmaxfailure !== undefined
  ) {
    // In case there is no permission to check password policy we
    // allow to unlock user even if he has only one failed login.
    const max_failure = props.pwPolicyData
      ? props.pwPolicyData.krbpwdmaxfailure[0]
      : 1;

    if (props.user.krbloginfailedcount[0] >= max_failure) {
      isLocked = true;
    }
  }
  return isLocked;
};
```

must be adapted to the code from ipa_lockout.c to reflect the right behavior. I.e.:

```c
    if (failedcount >= max_fail) {
        if ((lockout_duration == 0) ||
            (time_now < timegm(&tm) + lockout_duration)) {
            /* Within lockout duration */
            goto done;
        }
    }
    if (time_now > timegm(&tm) + failcnt_interval) {
        /* Not within lockout duration, outside of fail interval */
        failedcount = 0;
    }
}
```
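As an added example (not part of the original issue and not FreeIPA's code), the decision in the C excerpt can be expressed in TypeScript as below, so that an elapsed lockout period no longer shows the user as locked. The function names, the input shape and the `YYYYMMDDHHMMSSZ` timestamp format are assumptions made for illustration.

```typescript
// Added illustration, not FreeIPA code. Field comments name the variables of
// the ipa_lockout.c excerpt; the input shape itself is hypothetical.
interface LockoutInput {
  failedCount: number; // failedcount
  maxFail: number; // max_fail
  lockoutDuration: number; // lockout_duration in seconds; 0 = until unlocked
  failcntInterval: number; // failcnt_interval in seconds
  lastFailed: string; // last failed auth, assumed "YYYYMMDDHHMMSSZ" (UTC)
}

// Counterpart of timegm(&tm): epoch seconds for a UTC timestamp string.
function toEpochSeconds(ts: string): number {
  if (!/^\d{14}Z$/.test(ts)) throw new Error(`unexpected timestamp: ${ts}`);
  const n = (a: number, b: number): number => Number(ts.slice(a, b));
  return Date.UTC(n(0, 4), n(4, 6) - 1, n(6, 8), n(8, 10), n(10, 12), n(12, 14)) / 1000;
}

function evaluateLockout(
  p: LockoutInput,
  timeNow: number,
): { locked: boolean; failedCount: number } {
  const last = toEpochSeconds(p.lastFailed);
  if (p.failedCount >= p.maxFail) {
    if (p.lockoutDuration === 0 || timeNow < last + p.lockoutDuration) {
      // Within lockout duration
      return { locked: true, failedCount: p.failedCount };
    }
  }
  let failedCount = p.failedCount;
  if (timeNow > last + p.failcntInterval) {
    // Not within lockout duration, outside of fail interval
    failedCount = 0;
  }
  return { locked: false, failedCount };
}

// Constructed sample: 6 failures against a limit of 6, 600 s lockout period.
const sample: LockoutInput = {
  failedCount: 6,
  maxFail: 6,
  lockoutDuration: 600,
  failcntInterval: 60,
  lastFailed: "20240101120000Z",
};
const t0 = toEpochSeconds(sample.lastFailed);
console.log(evaluateLockout(sample, t0 + 300)); // inside the lockout period
console.log(evaluateLockout(sample, t0 + 601)); // lockout period elapsed
```

A check on the failure count alone reports the second case as locked, which is the mismatch the issue describes.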
