If you run the command and see a message stating the user is not locked, but they still cannot log in, the issue is likely not a lockout. Check for:
To unlock a user, you must have administrative privileges (usually as the admin user or a member of a group with the "Stage User" or "User Administrator" roles). 1. Authenticate with Kerberos ipa user-unlock
A locked account is different from a disabled account. If an account is disabled, use ipa user-enable username . Insufficient Privileges If you run the command and see a
If lockouts are too frequent across the whole organization, consider adjusting the global password policy: ipa pwpolicy-mod --maxfail=10 --lockouttime=600 Use code with caution. Authenticate with Kerberos A locked account is different
This command clears the krbLoginFailedCount and krbLastFailedAuth attributes in the user's LDAP entry, effectively resetting the failure counter to zero. Troubleshooting Common Issues "User is not locked"
In a centralized identity management system like FreeIPA (Identity, Policy, and Audit), security is a top priority. One of the primary security mechanisms is the account lockout policy, which prevents brute-force attacks by disabling a user’s access after a certain number of failed login attempts.
While this protects the network, it often leads to "locked out" tickets for the IT helpdesk. The ipa user-unlock command is the specific tool used to restore access. Why Do Accounts Get Locked?