[Freeipa-users] Auto disable users

Martin Kosek mkosek at redhat.com
Tue Mar 3 12:22:33 UTC 2015


On 03/03/2015 05:38 AM, Jason Prouty wrote:
> 
> 
> Is there a method to auto disable users who have logged in 90 days.
> I have a security requirement to auto disable users who have not logged in after 90 days.
> 

There is no such facility implemented in vanilla FreeIPA. I think there was
another user request, but I could not find any Bugzilla or Trac ticket.

I see 3 options how to do what you propose:

1) Implement a cron script that will LDAP search for such users and disable
them when the account is inactive for too long (based on krblastsuccessfulauth).

2) Configure 389 Directory Server Account Policy Plug-In to do what you want.
This is its doc:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html

However, I am slightly afraid that it may collide with other FreeIPA user
lockout or password policy plugins. CCing Ludwig and Thierry for reference.

3) File an RFE and work with the FreeIPA development team to help implement an
extension of the lockout policy, to implement what you want.

Martin
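
Option 1 as an added sketch, not code from the original post or from the FreeIPA project: it classifies accounts from `ldapsearch -LLL` output by `krbLastSuccessfulAuth` and builds `ipa user-disable` commands without running them. The sample LDIF, the `example.test` suffix and the choice to report users with no timestamp instead of disabling them are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=90)  # threshold from the question

# Constructed sample of `ldapsearch -LLL` output; users and suffix are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20150220101500Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20141101080000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
nsAccountLock: TRUE
"""

def parse_ldif(text):
    """Parse unwrapped, single-valued LDIF records into dicts (lowercase keys)."""
    blocks = text.strip().split("\n\n")
    return [{k.lower(): v for k, v in
             (line.split(": ", 1) for line in b.splitlines() if ": " in line)}
            for b in blocks]

def classify(entries, now):
    """Return (stale, never_authenticated) uid lists; disabled accounts are skipped."""
    cutoff = now - MAX_IDLE
    stale, never = [], []
    for e in entries:
        if e.get("nsaccountlock", "").upper() == "TRUE":
            continue  # already disabled, nothing to do
        last = e.get("krblastsuccessfulauth")
        if last is None:
            never.append(e["uid"])  # no timestamp: report for review (assumed policy)
        elif datetime.strptime(last, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc) < cutoff:
            stale.append(e["uid"])
    return stale, never

def disable_commands(stale):
    """Argument lists a cron job could pass to subprocess.run(); not executed here."""
    return [["ipa", "user-disable", uid] for uid in stale]

if __name__ == "__main__":
    stale, never = classify(parse_ldif(SAMPLE_LDIF), datetime(2015, 3, 3, tzinfo=timezone.utc))
    print(disable_commands(stale), "review manually:", never)
```

Run it as a dry run first and compare the list against known service or rarely used accounts before letting cron execute the commands.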
