Post by AMI_SzuJin on Nov 14, 2022 5:47:53 GMT
Hi,
Based on "AccountLockoutThreshold" value the user gets locked for a specific period of time(till it reached the value specified in AccountLockoutDuration) on passing wrong password.
For example:
"AccountLockoutCounterResetAfter": 30,
"AccountLockoutCounterResetEnabled": true,
"AccountLockoutDuration": 30,
"AccountLockoutThreshold": 5,
That means Redfish tries to protect the user accounts existent by imposing a 30 second account lockout when the password supplied is incorrect for a given user account 5 or more times.
e.g.,
Case 1. For 4 login failure attempts, redfish will respond 401 - Unauthorized having message in error response like "Message": "While attempting to establish a connection to /redfish/v1/AccountService, the service was denied access.",
Case 2. On the 5th login failure attempt, redfish will respond 401 -Unauthorized having message in error response like "Message": "Login for user Administrator was a failure because the number of unsuccessful login attempts has exceeded the set threshold. Administrator has been locked out for 30 seconds.",
We know when create a session with incorrect password in request body will return status code 401 Unauthorized. Which error response will return if try to create session for 5 times (with incorrect password in request body) when "AccountLockoutThreshold" is set to 5? Will return Case 1 or Case 2 error response? and will the account be locked? Which situation the same as login Redfish URI with incorrect credentials.
POST Session request body:
{
"UserName":"Administrator",
"Password":"12345678" <- wrong password
}
Thanks
Based on "AccountLockoutThreshold" value the user gets locked for a specific period of time(till it reached the value specified in AccountLockoutDuration) on passing wrong password.
For example:
"AccountLockoutCounterResetAfter": 30,
"AccountLockoutCounterResetEnabled": true,
"AccountLockoutDuration": 30,
"AccountLockoutThreshold": 5,
That means Redfish tries to protect the user accounts existent by imposing a 30 second account lockout when the password supplied is incorrect for a given user account 5 or more times.
e.g.,
Case 1. For 4 login failure attempts, redfish will respond 401 - Unauthorized having message in error response like "Message": "While attempting to establish a connection to /redfish/v1/AccountService, the service was denied access.",
Case 2. On the 5th login failure attempt, redfish will respond 401 -Unauthorized having message in error response like "Message": "Login for user Administrator was a failure because the number of unsuccessful login attempts has exceeded the set threshold. Administrator has been locked out for 30 seconds.",
We know when create a session with incorrect password in request body will return status code 401 Unauthorized. Which error response will return if try to create session for 5 times (with incorrect password in request body) when "AccountLockoutThreshold" is set to 5? Will return Case 1 or Case 2 error response? and will the account be locked? Which situation the same as login Redfish URI with incorrect credentials.
POST Session request body:
{
"UserName":"Administrator",
"Password":"12345678" <- wrong password
}
Thanks
