[Freeipa-users] Auto disable users

Dmitri Pal dpal at redhat.com
Tue Mar 3 15:34:08 UTC 2015


On 03/03/2015 07:22 AM, Martin Kosek wrote:
> On 03/03/2015 05:38 AM, Jason Prouty wrote:
>>
>> Is there a method to auto disable users who have logged in 90 days.
>> I have a security requirement to auto disable users who have not logged in after 90 days.
>>
> There is no such facility implemented in vanilla FreeIPA. I think there was
> another user request, but I could not find any Bugzilla or Trac ticket.
>
> I see 3 options how to do what you propose:
>
> 1) Implement a cron script that will LDAP search for such users and disable
> them when the account is inactive for too long (based on krblastsuccessfulauth).

Yes, this is probably the most recommended approach.
You do an ldap search on all the accounts that have 
krblastsuccessfulauth more than 90 days ago and then disable them one by 
one.
Should be a very simple script to write.

>
> 2) Configure 389 Directory Server Account Policy Plug-In to do what you want.
> This is its doc:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>
> However, I am slightly afraid that it may collide with other FreeIPA user
> lockout or password policy plugins. CCing Ludwig and Thierry for reference.
>
> 3) File RFE and work with FreeIPA development team to help and implement an
> extension of the lockout policy, to implement what you want.
>
> Martin
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
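A worked version of option 1 above, added here as an example; it is not code from the thread or from FreeIPA. It runs the search Dmitri describes with ldapsearch over GSSAPI, decides per entry, and only calls `ipa user-disable` when started with --apply. It assumes the standard cn=users,cn=accounts,<suffix> container and a Kerberos ticket that may read users and disable them; the NOW constant and SAMPLE_LDIF are constructed test data, not real directory output. Two checks before trusting it in cron: the KDC only maintains krbLastSuccessfulAuth while "KDC:Disable Last Success" is absent from ipaConfigString on cn=ipaConfig,cn=etc,<suffix> (some installs set it by default to cut replication traffic, after which every account looks as if it never logged in), and an account that has never authenticated carries no krbLastSuccessfulAuth at all, so the script falls back to createTimestamp for those rather than silently skipping them.

```python
#!/usr/bin/env python3
"""Disable FreeIPA users whose last successful Kerberos auth is older than N days.
Added example, not FreeIPA code.  Assumes the openldap `ldapsearch` and `ipa`
CLIs, a ticket allowed to read users and run `ipa user-disable`, users under
cn=users,cn=accounts,<suffix>, and a KDC that really updates
krbLastSuccessfulAuth.  Without --apply it only reports."""
import argparse
import base64
import subprocess
from datetime import datetime, timedelta, timezone

NEVER_DISABLE = {"admin"}  # break-glass accounts this policy must never lock out
# Constructed reference time for the sample data: the date of the mail above.
NOW = datetime(2015, 3, 3, 15, 34, 8, tzinfo=timezone.utc)
SAMPLE_LDIF = """\
uid: alice
krbLastSuccessfulAuth: 20141201120000Z

uid: bob
krbLastSuccessfulAuth: 20150301080000Z

uid: carol
createTimestamp: 20141001000000Z

uid: dave
nsAccountLock: TRUE
krbLastSuccessfulAuth: 20140101000000Z

uid:: ZXZl
krbLastSuccessfulAuth: 20140601000000Z
"""  # constructed sample of `ldapsearch -LLL` output (dn lines omitted)

def ldap_time(dt):  # datetime -> LDAP GeneralizedTime in UTC, e.g. 20141203153408Z
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def parse_ldap_time(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def search_argv(suffix, now=NOW, days=90):
    """Candidates: not locked, and last authenticated on/before the cutoff or never
    (attribute absent).  GeneralizedTime has an ordering rule, so '<=' is safe;
    createTimestamp is operational and must be requested by name."""
    cutoff = ldap_time(now - timedelta(days=days))
    flt = ("(&(objectClass=posixAccount)(!(nsAccountLock=TRUE))"
           f"(|(krbLastSuccessfulAuth<={cutoff})(!(krbLastSuccessfulAuth=*))))")
    return ["ldapsearch", "-LLL", "-Q", "-Y", "GSSAPI", "-b",
            f"cn=users,cn=accounts,{suffix}", flt,
            "uid", "krbLastSuccessfulAuth", "createTimestamp", "nsAccountLock"]

def parse_ldif(text):
    """Minimal `ldapsearch -LLL` parser: per entry, lower-cased attribute -> list
    of values; handles folded continuation lines and 'attr:: <base64>'."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:
            entries.append(_entry(lines))
            lines = []
    return entries

def _entry(lines):
    entry = {}
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(val.strip())
    return entry

def select_stale(entries, now=NOW, days=90):
    """(uid, reason) for each account to disable.  A never-authenticated account
    is judged by createTimestamp; one with neither timestamp is left alone."""
    cutoff = now - timedelta(days=days)
    stale = []
    for e in entries:
        uid = e.get("uid", [""])[0]
        locked = e.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE"
        if not uid or uid in NEVER_DISABLE or locked:
            continue
        if e.get("krblastsuccessfulauth"):
            when, why = parse_ldap_time(e["krblastsuccessfulauth"][0]), "last auth"
        elif e.get("createtimestamp"):
            when, why = parse_ldap_time(e["createtimestamp"][0]), "never authenticated, created"
        else:
            continue
        if when <= cutoff:
            stale.append((uid, f"{why} {ldap_time(when)}"))
    return stale

def main(argv=None):
    ap = argparse.ArgumentParser()
    ap.add_argument("--suffix", required=True, help="e.g. dc=example,dc=test")
    ap.add_argument("--days", type=int, default=90)
    ap.add_argument("--apply", action="store_true", help="really run ipa user-disable")
    a = ap.parse_args(argv)
    now = datetime.now(timezone.utc)
    out = subprocess.run(search_argv(a.suffix, now, a.days), check=True,
                         capture_output=True, text=True).stdout
    for uid, why in select_stale(parse_ldif(out), now, a.days):
        print("disabling" if a.apply else "would disable", uid, "-", why)
        if a.apply:
            subprocess.run(["ipa", "user-disable", uid], check=True)

if __name__ == "__main__":
    main()
```

Run it from cron without --apply first and read the report; add --apply once the list looks right. The search filter combines the ordering test on krbLastSuccessfulAuth with a negated presence test so never-used accounts come back too, locked accounts are excluded server-side and again client-side, and admin is skipped on the client so a wrong clock or a KDC that stopped recording logins cannot lock out the break-glass account.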
