[Freeipa-users] clarification on expired password behaviour

Dmitri Pal dpal at redhat.com
Thu Mar 26 01:51:52 UTC 2015


On 03/25/2015 09:14 PM, Les Stott wrote:
>
> Hi All,
>
> Running freeipa 3.0.0.42 on rhel 6.6, all standard packages.
>
> I also have freeradius installed which is used for network devices 
> (cisco, brocade, f5, ucs etc) to authenticate users. Freeradius is 
> using the ldap store in FreeIPA as an authentication backend.
>
> All is working fine.
>
> But I would like clarification on the following...
>
> A user account in freeipa is showing up as having an expired password. 
> This is confirmed by logging into the freeipa web interface or ssh and 
> seeing a prompt to change password immediately.
>
> If I choose to not set the password, it remains expired.
>
> Now, if I try to access a network device that is using radius based 
> auth, using the account with the expired password, it successfully 
> logs in even though the password is expired.
>
> Is this normal? i.e. a password can still be used even if it's in an 
> expired state?
>
> I understand that going via radius using freeipa as an ldap backend is 
> not the normal process.
>
> Is there a way to make password authentication fail if a password is 
> expired when used in this scenario?
>
> Thanks in advance,
>
> Regards,
>
> Les
>

https://fedorahosted.org/freeipa/ticket/1539

You can see the details in the ticket.

The workaround will be to use kinit instead of LDAP for authentication 
in freeradius or use pam and leverage SSSD as an IPA client on the 
RADIUS server.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
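
As an added illustration of the second workaround mentioned above (PAM plus SSSD on the RADIUS host), this is the kind of configuration involved for FreeRADIUS 2.x as packaged on RHEL 6. It is example configuration written for this page, not the project's own snippet or anything tested in the thread; the file paths follow the RHEL package layout and the `radiusd` PAM service name is the package default, both assumed here.

```conf
# /etc/raddb/modules/pam  -- rlm_pam module instance (package default shown)
pam {
        # PAM service name; resolved via /etc/pam.d/radiusd below
        pam_auth = radiusd
}

# /etc/raddb/users  -- send every request down the PAM path (add near the top)
DEFAULT Auth-Type := PAM

# /etc/raddb/sites-enabled/default  -- uncomment the module in the authenticate section
authenticate {
        pam
        # other authenticate sub-sections left unchanged
}

# /etc/pam.d/radiusd  -- the PAM stack rlm_pam consults.
# password-auth is the stack ipa-client-install configures on RHEL 6 to use
# pam_sss.so for both auth and account. rlm_pam needs both pam_authenticate()
# and pam_acct_mgmt() to return PAM_SUCCESS, so an IPA password that SSSD
# reports as expired produces an Access-Reject instead of an Access-Accept.
#%PAM-1.0
auth       include     password-auth
account    required    pam_nologin.so
account    include     password-auth
session    include     password-auth
```

Two caveats for anyone applying this: the RADIUS server must first be enrolled with `ipa-client-install` so that SSSD and `pam_sss` are present, and the PAM route only works for PAP (the user password must reach the RADIUS server in the Access-Request); CHAP and MS-CHAP challenge methods cannot be verified through PAM at all. After the change, confirm the behaviour with `radtest` against an account known to have an expired password and expect an Access-Reject; running `radiusd -X` shows the PAM result for each request while you verify it.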
