[Freeipa-users] Deny bind for external LDAP if password is expired
Rob Crittenden
rcritten at redhat.com
Mon Jul 11 14:13:19 UTC 2016
Prashant Bapat wrote:
> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
> and compiled the ipa-pwd-extop slapi plugin.
>
> Now the user is denied bind. But unable to reset the password.
Right, it's a tricky problem which is why it hasn't been resolved yet.
You have come full circle through the same steps we went through.
rob
>
>
> On 8 July 2016 at 13:21, Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>> wrote:
>
> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> > Anyone ?!
> >
> > On 6 July 2016 at 22:36, Prashant Bapat <prashant at apigee.com
> > <mailto:prashant at apigee.com>> wrote:
> >
> > Hi,
> >
> > We are using FreeIPA's LDAP as the base for user authentication in a
> > different application. So far I have created a sysaccount which does the
> > lookup etc for a user and things are working as expected. I'm even able to
> > use OTP from the external app.
> >
> > One problem I'm struggling to fix is the expired passwords. Is there a way
> > to deny bind to LDAP only from this application? Obviously the user would
> > need to go to IPA's web UI and reset his password there.
> >
> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
> > it looks like this is an old one.
> >
> > Thanks.
> > --Prashant
>
> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
> ticket, if
> you want users with expired passwords to be denied, but it was not
> implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for
> authentication
> - it does respect expired passwords. We have advise on how to
> integrate that to
> external web applications here:
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin
>
>
>
>
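The thread above leaves the application with the server-side behaviour unchanged: the directory still accepts a simple bind for a user whose password has expired. One defensive workaround an application can apply on its own side is to have the sysaccount read the user's krbPasswordExpiration attribute before attempting the bind and refuse to continue when it lies in the past. The following is an added example, not code from the thread or from the FreeIPA project. It assumes the sysaccount has been granted read access to krbPasswordExpiration (by default it may not have it), and it takes the directory lookup as an injected callable so the decision logic runs offline; the entries below are constructed samples, not real directory data.

```python
from datetime import datetime, timezone

# Constructed sample entries standing in for what a sysaccount search
# on "(uid=...)" with attrlist ["krbPasswordExpiration"] would return.
# The attribute name is the real FreeIPA one; the values are made up.
SAMPLE_ENTRIES = {
    "alice": {
        "dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
        "krbPasswordExpiration": ["20160701120000Z"],  # already expired
    },
    "bob": {
        "dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=com",
        "krbPasswordExpiration": ["20300101000000Z"],  # still valid
    },
    "carol": {
        "dn": "uid=carol,cn=users,cn=accounts,dc=example,dc=com",
        # no krbPasswordExpiration set at all
    },
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ as UTC."""
    if not value.endswith("Z") or len(value) != 15:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expired(entry: dict, now: datetime) -> bool:
    """True if the entry carries a krbPasswordExpiration that is in the past.

    A missing attribute is treated as 'not expired': FreeIPA omits it for
    accounts without an expiry, and we do not want to lock those out.
    """
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return False
    return parse_generalized_time(values[0]) <= now


def should_allow_bind(uid: str, search, now: datetime):
    """Decide whether the application should even attempt a bind for uid.

    `search` is a hypothetical callable uid -> entry dict or None; in a real
    deployment it would wrap the sysaccount's LDAP search (for example
    python-ldap's conn.search_s with the uid escaped via
    ldap.filter.escape_filter_chars). Returns (allowed, reason).
    """
    entry = search(uid)
    if entry is None:
        return False, "unknown user"
    if password_expired(entry, now):
        return False, "password expired; user must reset it in the IPA web UI"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2016, 7, 11, 14, 13, 19, tzinfo=timezone.utc)
    for uid in ("alice", "bob", "carol", "nobody"):
        allowed, reason = should_allow_bind(uid, SAMPLE_ENTRIES.get, now)
        print(f"{uid:8s} allowed={allowed} ({reason})")
```

The check is purely advisory on the application side: the directory itself would still accept the bind, so the application must treat a False result as a hard stop and must perform the lookup with the sysaccount before any user credential is sent. Keep the application's clock synchronised with the IPA servers, since the comparison is against the directory's UTC timestamp.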