This command clears the krbLoginFailedCount and krbLastFailedAuth attributes in the user's LDAP entry, effectively resetting the failure counter to zero. Troubleshooting Common Issues "User is not locked"
How long the system remembers failed attempts.
By default, FreeIPA uses a Password Policy (managed via ipa pwpolicy-show ) that defines: How many wrong guesses are allowed. ipa user-unlock
The syntax is straightforward. Replace username with the actual UID of the locked user: ipa user-unlock username Use code with caution.
A locked account is different from a disabled account. If an account is disabled, use ipa user-enable username . Insufficient Privileges The syntax is straightforward
When a user exceeds the max-failures limit, their LDAP entry is marked as locked, and they can no longer authenticate via SSH, Kerberos, or the Web UI. How to Use the ipa user-unlock Command
Understanding the ipa user-unlock Command: A Guide for FreeIPA Administrators If an account is disabled, use ipa user-enable username
Always verify the user's identity via a secondary method (like a callback or MFA) before unlocking an account to prevent social engineering attacks.
If you run the command and see a message stating the user is not locked, but they still cannot log in, the issue is likely not a lockout. Check for:
While this protects the network, it often leads to "locked out" tickets for the IT helpdesk. The ipa user-unlock command is the specific tool used to restore access. Why Do Accounts Get Locked?