[Freeipa-users] Deny bind for external LDAP if password is expired

Prashant Bapat prashant at apigee.com
Thu Jul 14 04:46:20 UTC 2016


Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty
much impossible to solve it for mere mortals like me !

On 11 July 2016 at 19:43, Rob Crittenden <rcritten at redhat.com> wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob
>
>
>>
>> On 8 July 2016 at 13:21, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>     On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>>     > Anyone ?!
>>     >
>>     > On 6 July 2016 at 22:36, Prashant Bapat <prashant at apigee.com> wrote:
>>     >
>>     >     Hi,
>>     >
>>     >     We are using FreeIPA's LDAP as the base for user authentication
>>     >     in a different application. So far I have created a sysaccount
>>     >     which does the lookup etc for a user and things are working as
>>     >     expected. I'm even able to use OTP from the external app.
>>     >
>>     >     One problem I'm struggling to fix is the expired passwords. Is
>>     >     there a way to deny bind to LDAP only from this application?
>>     >     Obviously the user would need to go to IPA's web UI and reset
>>     >     his password there.
>>     >
>>     >     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539
>>     >     but looks like this is an old one.
>>     >
>>     >     Thanks.
>>     >     --Prashant
>>
>>     Hello Prashant,
>>
>>     https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
>>     ticket, if you want users with expired passwords to be denied, but
>>     it was not implemented yet. Help welcome!
>>
>>     As a workaround, I assume you could simply leverage Kerberos for
>>     authentication - it does respect expired passwords. We have advice
>>     on how to integrate that to external web applications here:
>>
>>     http://www.freeipa.org/page/Web_App_Authentication
>>
>>     Martin
>>
>>
>>
>>
>>
>
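An application-side version of the check this thread asks for, added here as an illustration; it is not code from the thread or from FreeIPA. It assumes the flow Prashant describes (a sysaccount looks the user up, then the application binds as the user) and reads the user's krbPasswordExpiration attribute, which FreeIPA stores as an LDAP GeneralizedTime; the directory contents (SAMPLE_DIRECTORY), the bind stub (sample_bind) and the clock (CHECK_TIME) are constructed stand-ins so the example runs offline.

```python
"""
Application-side expired-password check for a FreeIPA LDAP login flow.

FreeIPA keeps each user's password expiry in the krbPasswordExpiration
attribute, an LDAP GeneralizedTime such as "20160801000000Z" (UTC). An
application that already looks users up with a sysaccount and then binds
as the user can refuse the login itself when that timestamp has passed,
instead of waiting for a server-side plugin. The LDAP calls are stubbed:
SAMPLE_DIRECTORY and sample_bind are constructed stand-ins for the
sysaccount search and the user bind.
"""
import hmac
from datetime import datetime, timedelta, timezone

EXPIRY_ATTR = "krbPasswordExpiration"

# Constructed "now" for the examples below (the date of this thread).
CHECK_TIME = datetime(2016, 7, 14, 4, 46, 20, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form of LDAP GeneralizedTime into an aware datetime."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % (value,))
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, now, grace=timedelta(0)):
    """True if the entry's krbPasswordExpiration is at or before now + grace.

    A missing attribute means no expiry is set, so the password is treated as
    valid. A positive grace window lets the application force a reset slightly
    before the directory itself would consider the password expired.
    """
    raw = entry.get(EXPIRY_ATTR)
    if not raw:
        return False
    if isinstance(raw, (list, tuple)):  # multi-valued result from an LDAP client
        raw = raw[0]
    return parse_generalized_time(raw) <= now + grace


def authenticate(uid, password, directory, bind_as_user, now):
    """Return "invalid-credentials", "password-expired" or "ok".

    The expiry check runs only after the user bind succeeded, so an
    unauthenticated caller cannot learn whether an account's password has
    expired. On "password-expired" the application should send the user to
    the IPA web UI to reset the password rather than let them in.
    """
    entry = directory.get(uid)  # the sysaccount lookup in a real deployment
    if entry is None or not bind_as_user(entry["dn"], password):
        return "invalid-credentials"
    if password_expired(entry, now):
        return "password-expired"
    return "ok"


# Constructed sample data standing in for the directory and the bind.
SAMPLE_DIRECTORY = {
    "alice": {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
              EXPIRY_ATTR: "20160801000000Z"},          # expires after CHECK_TIME
    "bob":   {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
              EXPIRY_ATTR: ["20160601000000Z"]},        # already expired
    "carol": {"dn": "uid=carol,cn=users,cn=accounts,dc=example,dc=test"},  # no expiry
}
SAMPLE_PASSWORDS = {entry["dn"]: uid + "-pw" for uid, entry in SAMPLE_DIRECTORY.items()}


def sample_bind(dn, password):
    """Stand-in for an LDAP simple bind as the user; compares in constant time."""
    expected = SAMPLE_PASSWORDS.get(dn, "")
    return bool(expected) and hmac.compare_digest(expected, password)


if __name__ == "__main__":
    for uid, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong"),
                    ("carol", "carol-pw"), ("dave", "dave-pw")):
        print(uid, authenticate(uid, pw, SAMPLE_DIRECTORY, sample_bind, CHECK_TIME))
```

To use this with a real directory, replace `directory.get(uid)` with the sysaccount's search (requesting `krbPasswordExpiration` alongside the attributes you already fetch) and `bind_as_user` with your LDAP client's simple bind. The check deliberately comes after a successful bind so that expiry status is never disclosed for a guessed username. It only protects this one application: other clients binding to the same directory are still accepted, which is why the thread is after a server-side denial in the first place.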