<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server">  <style></style> </head> <body> <font face="Calibri" size="2"><span style="font-size:11pt;"> <div><font color="#1F497D"> </font></div> <div><font color="#1F497D"> </font></div> <div><font face="Tahoma" size="2"><span style="font-size:10pt;"><b>From:</b> freeipa-users-bounces@redhat.com [<a href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] <b>On Behalf Of </b>Dmitri Pal<br> <b>Sent:</b> Thursday, 26 March 2015 12:52 PM<br> <b>To:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] clarification on expired password behaviour</span></font></div> <div> </div> <div>On 03/25/2015 09:14 PM, Les Stott wrote:</div> <div>Hi All,</div> <div> </div> <div>Running freeipa 3.0.0.42 on rhel 6.6, all standard packages.</div> <div> </div> <div>I also have freeradius installed which is used for network devices (cisco, brocade, f5, ucs etc) to authenticate users. Freeradius is using the ldap store in FreeIPA as an authentication backend.</div> <div> </div> <div>All is working fine. </div> <div> </div> <div>But I would like clarification on the following…</div> <div> </div> <div>A user account in freeipa is showing up as having an expired password. This is confirmed by logging into the freeipa web interface or ssh and seeing a prompt to change password immediately.</div> <div> </div> <div>If I choose to not set the password, it remains expired.</div> <div> </div> <div>Now, if I try to access a network device that is using radius based auth, using the account with the expired password, it successfully logs in even though the password is expired.</div> <div> </div> <div>Is this normal? i.e. a password can still be used even if it’s in an expired state?</div> <div> </div> <div>I understand that going via radius using freeipa as an ldap backend is not the normal process.</div> <div> </div> <div>Is there a way to make password authentication fail if a password is expired when used in this scenario?</div> <div> </div> <div>Thanks in advance,</div> <div> </div> <div>Regards,</div> <div> </div> <div>Les</div> <div> </div> <div><br> </div> <div><br> <br> <a href="https://fedorahosted.org/freeipa/ticket/1539"><font face="Times New Roman" size="3" color="blue"><span style="font-size:12pt;"><u>https://fedorahosted.org/freeipa/ticket/1539</u></span></font></a><br> <br> <font face="Times New Roman" size="3"><span style="font-size:12pt;">You can see the details in the ticket.<br> <br> The workaround will be to use kinit instead of LDAP for authentication in freeradius or use pam and leverage SSSD as an IPA client on the RADIUS server.<br> <br> </span></font></div> <div><font face="Courier New" size="2" color="#1F497D"><span style="font-size:10pt;"> </span></font></div> <div style="padding-right:36pt;">Thanks Dmitri.</div> <div style="padding-right:36pt;padding-left:41.25pt;"> </div> <div style="padding-right:36pt;">In fact the radius server is installed on the freeipa server and talks locally via loopback.</div> <div style="padding-right:36pt;"> </div> <div style="padding-right:36pt;">I will look at kinit and sssd options.</div> <div style="padding-right:36pt;"> </div> <div style="padding-right:36pt;">Regards,</div> <div style="padding-right:36pt;"> </div> <div style="padding-right:36pt;">Les</div> <div style="padding-right:36pt;padding-left:41.25pt;"> </div> <div style="padding-right:36pt;padding-left:41.25pt;"> </div> </span></font> </body> </html>