By default, FreeIPA uses a Password Policy (managed via ipa pwpolicy-show ) that defines: How many wrong guesses are allowed.
To unlock a user, you must have administrative privileges (usually as the admin user or a member of a group with the "Stage User" or "User Administrator" roles). 1. Authenticate with Kerberos
This command clears the krbLoginFailedCount and krbLastFailedAuth attributes in the user's LDAP entry, effectively resetting the failure counter to zero. Troubleshooting Common Issues "User is not locked" ipa user-unlock
How long the system remembers failed attempts.
Select . (If the user isn't locked, this option may be greyed out or hidden). Best Practices for Administrators By default, FreeIPA uses a Password Policy (managed
While this protects the network, it often leads to "locked out" tickets for the IT helpdesk. The ipa user-unlock command is the specific tool used to restore access. Why Do Accounts Get Locked?
If lockouts are too frequent across the whole organization, consider adjusting the global password policy: ipa pwpolicy-mod --maxfail=10 --lockouttime=600 Use code with caution. (If the user isn't locked, this option may
Always verify the user's identity via a secondary method (like a callback or MFA) before unlocking an account to prevent social engineering attacks.