According to the LocalAccountAuth description in the AccountService.v1_6_0 schema: "LocalAccountAuth": "Fallback": "The service authenticates users based on the Account Service-defined accounts collection only if any external account providers are currently unreachable." "LocalFirst": "The service first authenticates users based on the Account Service-defined accounts collection. If authentication fails, the Service authenticates by using external account providers."
Question 1: If I create two accounts with the same username but different passwords for external and local, like below:
Account Service-defined account: Username: ADtest1, Password: Auto0001
External AD account: Username: ADtest1, Password: Auto0000
When I switch to "LocalFirst" and try to log in as ADtest1 with passwords like Auto0002, Auto0003, etc. to lock the account: when the account is locked, can the external AD account still access Redfish?
Question 2: If the answer to Question 1 is NO, what is the real behavior of Fallback and LocalFirst?
If the local account "ADtest1" is locked out, that will not impact the usage of the external account with the same name. What I would expect to happen is when the mode is set to "LocalFirst", it will first fail the authentication with the local account "ADtest1", and then proceed to attempt to authenticate with the external account providers.
Thanks for your response. Let's consider the case where the username doesn't exist in the external account provider, and in Redfish let's say "LocalAccountAuth" is "LocalFirst". As you say, irrespective of whether the local account is locked or not, to proceed to attempt to authenticate with the external account providers, we may never give the response that the local account is locked to the user.
For example: suppose the username doesn't exist in the external account provider, or the password doesn't match either the local or the external account; then even after reaching "AccountLockoutThreshold", the Redfish service may end up not showing the account-locked response for the local account because of allowing external account access.
Is this the expected behaviour? Can you please help us understand this?
Last Edit: Jun 12, 2020 9:31:11 GMT by mharishm: Update
In terms of the messaging in that scenario, that would likely be entirely up to the policy for responses you need to implement. Some implementations might not want to expose any details about why the authentication failed. Others could respond with multiple messages (one per authentication mechanism), so in your example you could have two messages (one stating account locked, another for account not found). You could also prioritize your handling of the response, so in your scenario, the "locked" condition is a higher priority than the account not found externally.
In the end though, the user will get some sort of response, and regardless of the message, I would expect them to double check their credentials, and if that doesn't work, contact an administrator.
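The lockout-versus-external-provider behaviour discussed in this thread, as an added Python model (not DMTF reference code or any vendor's implementation): a toy AccountService supporting the LocalFirst and Fallback modes, an AccountLockoutThreshold, and a constructed in-memory dictionary standing in for the external AD provider. The returned reason list is the per-mechanism messaging suggested above, with the locked condition sorted to the front so a local lockout is never hidden by a later external attempt.

```python
from dataclasses import dataclass, field
@dataclass
class LocalAccount:
    password: str
    failed: int = 0
    locked: bool = False

@dataclass
class AccountService:
    local_account_auth: str                 # "LocalFirst" or "Fallback" only
    account_lockout_threshold: int          # 0 disables lockout, as in the schema
    accounts: dict = field(default_factory=dict)        # local Accounts collection
    external_users: dict = field(default_factory=dict)  # constructed stand-in for AD
    external_reachable: bool = True
    def _try_local(self, user, pw):
        acct = self.accounts.get(user)
        if acct is None:
            return False, "LocalAccountNotFound"
        if acct.locked:
            return False, "AccountLocked"
        if acct.password == pw:
            acct.failed = 0
            return True, "LocalOK"
        acct.failed += 1  # count the miss and lock once the threshold is reached
        acct.locked = bool(self.account_lockout_threshold) and acct.failed >= self.account_lockout_threshold
        return False, "AccountLocked" if acct.locked else "LocalBadPassword"
    def _try_external(self, user, pw):
        if not self.external_reachable:
            return False, "ExternalUnreachable"
        if self.external_users.get(user) == pw:
            return True, "ExternalOK"
        return False, "ExternalAuthFailed"
    def authenticate(self, user, pw):
        # Returns (success, reasons): one reason per mechanism consulted, AccountLocked sorted first.
        reasons = []
        if self.local_account_auth == "LocalFirst":
            ok, why = self._try_local(user, pw)
            reasons.append(why)
            if not ok:  # local failed (bad password, locked, or absent): try the provider
                ok, why = self._try_external(user, pw)
                reasons.append(why)
        else:  # Fallback: local is consulted only when the provider is unreachable
            ok, why = self._try_external(user, pw)
            reasons.append(why)
            if not ok and why == "ExternalUnreachable":
                ok, why = self._try_local(user, pw)
                reasons.append(why)
        reasons.sort(key=lambda r: r != "AccountLocked")
        return ok, reasons
```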