By default, FreeIPA uses a Password Policy (managed via ipa pwpolicy-show ) that defines: How many wrong guesses are allowed.

Use ipa user-show username --all to check the krbPasswordExpiration attribute.

In a centralized identity management system like FreeIPA (Identity, Policy, and Audit), security is a top priority. One of the primary security mechanisms is the account lockout policy, which prevents brute-force attacks by disabling a user’s access after a certain number of failed login attempts.

If you receive an "Insufficient access" error, ensure your current Kerberos ticket has the rights to modify user accounts. You can verify your current identity with the klist command. Unlocking via the Web UI If you prefer a graphical interface over the CLI: Log in to the . Navigate to the Identity tab -> Users . Search for and click on the locked User . Look for the Actions dropdown menu at the top right.

Select . (If the user isn't locked, this option may be greyed out or hidden). Best Practices for Administrators

If you run the command and see a message stating the user is not locked, but they still cannot log in, the issue is likely not a lockout. Check for: