Post by mharishm on Oct 31, 2022 15:51:29 GMT
Hi,
Based on the "AccountLockoutThreshold" value, the user gets locked for a specific period of time (until the value specified in AccountLockoutDuration is reached) on passing a wrong password.
For example:
Let's say
"AccountLockoutCounterResetAfter": 30,
"AccountLockoutCounterResetEnabled": true,
"AccountLockoutDuration": 30,
"AccountLockoutThreshold": 5,
That means Redfish tries to protect the existing user accounts by imposing a 30 second account lockout whenever the password supplied is incorrect for a given user account 5 or more times.
i.e.,
For 4 login failure attempts, Redfish will respond 401 - Unauthorised, having a message in the error response like
"Message": "While attempting to establish a connection to /redfish/v1/AccountService, the service was denied access.",
On the 5th login failure attempt, Redfish will respond 401 - Unauthorised, having a message in the error response like
"Message": "Login for user Administrator was a failure because the number of unsuccessful login attempts has exceeded the set threshold. Administrator has been locked out for 30 seconds.",
Is the same behavior applicable even for a non-existing user?
Let's say user "xyz" is neither a Redfish account nor an external/remote account.
Should Redfish show the account locked error message even on trying to access the Redfish API using a non-existent user after reaching the threshold limit? Or is it OK to keep showing the 401 - Unauthorised error message every time without the account locked error message (only for non-existent accounts)?
The "Locked" property from the "ManagerAccount" schema specifies whether the account is locked or not. But for a non-existent user there will not be any information available in the Redfish server. So we are wondering how this situation can be handled if we are supposed to show the account locked error message even when a user tries to access the Redfish API using a non-existent user.
Please let us know your view on this.
Thanks,
Harish M
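As an added example that is not part of the original post or of any Redfish implementation, here is a small Python model of the lockout policy quoted above. The policy values and the two error messages are the ones in the post; the account table and its password are constructed, and the way unknown usernames are handled (tracked under the supplied name so that the response sequence matches the one for real accounts, with stale entries expired to bound memory) is one design choice, not something the Redfish specification is claimed to require. Timestamps are passed in explicitly so the behaviour can be stepped through deterministically.

```python
"""Toy model of a Redfish-style AccountService lockout policy (added example)."""
import hmac
from dataclasses import dataclass, field

# Policy values exactly as quoted in the post.
POLICY = {
    "AccountLockoutCounterResetAfter": 30,
    "AccountLockoutCounterResetEnabled": True,
    "AccountLockoutDuration": 30,
    "AccountLockoutThreshold": 5,
}

# Constructed account table; the password is a placeholder for this example only.
ACCOUNTS = {"Administrator": "hypothetical-password"}

# Error message quoted in the post for failures below the threshold.
GENERIC_DENIED = (
    "While attempting to establish a connection to /redfish/v1/AccountService, "
    "the service was denied access."
)


def locked_message(username: str, seconds: int) -> str:
    """Error message quoted in the post for the attempt that trips the threshold."""
    return (
        f"Login for user {username} was a failure because the number of "
        f"unsuccessful login attempts has exceeded the set threshold. "
        f"{username} has been locked out for {seconds} seconds."
    )


@dataclass
class LoginState:
    failures: int = 0        # consecutive failures since the last reset
    last_failure: float = 0.0
    locked_until: float = 0.0


@dataclass
class LockoutTracker:
    policy: dict
    accounts: dict
    states: dict = field(default_factory=dict)  # keyed by the *supplied* username

    def attempt(self, username: str, password: str, now: float):
        """Evaluate one login attempt at time `now` (seconds); return (status, message)."""
        pol = self.policy
        st = self.states.setdefault(username, LoginState())

        # While the lockout is in force, every attempt is refused, even a correct one.
        if now < st.locked_until:
            return 401, locked_message(username, pol["AccountLockoutDuration"])

        # Counter reset: once the last failure is older than
        # AccountLockoutCounterResetAfter, the failure count starts from zero again.
        if (pol["AccountLockoutCounterResetEnabled"] and st.failures
                and now - st.last_failure >= pol["AccountLockoutCounterResetAfter"]):
            st.failures = 0

        # The same checks run for known and unknown names, so the sequence of
        # responses alone does not reveal whether the account exists.
        stored = self.accounts.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return 200, "OK"

        st.failures += 1
        st.last_failure = now
        if st.failures >= pol["AccountLockoutThreshold"]:
            st.locked_until = now + pol["AccountLockoutDuration"]
            st.failures = 0  # assumption: the counter restarts once the lockout is served
            return 401, locked_message(username, pol["AccountLockoutDuration"])
        return 401, GENERIC_DENIED

    def is_locked(self, username: str, now: float) -> bool:
        """Value a real account would expose as the ManagerAccount 'Locked' property;
        unknown names have no resource, so their state lives only in this tracker."""
        st = self.states.get(username)
        return st is not None and now < st.locked_until

    def expire(self, now: float) -> None:
        """Drop entries for unknown names once both the lockout and the reset window
        have passed, so a flood of bogus usernames cannot grow memory without bound."""
        pol = self.policy
        horizon = max(pol["AccountLockoutDuration"], pol["AccountLockoutCounterResetAfter"])
        for name in list(self.states):
            st = self.states[name]
            if name not in self.accounts and now >= max(st.locked_until, st.last_failure + horizon):
                del self.states[name]


if __name__ == "__main__":
    tracker = LockoutTracker(POLICY, ACCOUNTS)
    for user in ("Administrator", "xyz"):
        for i in range(5):
            print(user, i + 1, tracker.attempt(user, "wrong", float(i)))
```

The point of keying the tracker on the supplied name rather than on an existing ManagerAccount resource is that the fifth response is then identical for "Administrator" and "xyz"; if only real accounts produced the locked-out message, the difference in messages would tell a caller which usernames exist. The cost is state for names that have no resource, which is why `expire()` bounds it.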