[Freeipa-users] Deny bind for external LDAP if password is expired

Rob Crittenden rcritten at redhat.com
Tue Jul 26 21:24:35 UTC 2016


Prashant Bapat wrote:
> In our FreeIPA deployment the clients use pam_nss_ldapd with the
> "compat" schema. No ipa-client.
>
> I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
> replicas (out of 8) where the external app authenticates against IPA's
> LDAP. These 2 replicas are more used like readonly. The Web UI where the
> users login and change their profile is not on these replicas.
>
> With this, LDAP binds are denied to users with expired passwords from the
> external app.
>
> Will this setup have any issues, related to replication etc ?

I don't think it will cause any replication issues. You may want to 
remove them from the SRV entries if you have any. Clients outside of 
your external apps could end up connecting to them through autodiscovery 
otherwise (and maybe that's ok, up to you).

rob

>
> On 11 July 2016 at 19:43, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Prashant Bapat wrote:
>
>         I cherrypicked the commit id
>         3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>         and compiled the ipa-pwd-extop slapi plugin.
>
>         Now the user is denied bind. But unable to reset the password.
>
>
>     Right, it's a tricky problem which is why it hasn't been resolved
>     yet. You have come full circle through the same steps we went through.
>
>     rob
>
>
>
>         On 8 July 2016 at 13:21, Martin Kosek <mkosek at redhat.com> wrote:
>
>              On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>              > Anyone ?!
>              >
>              > On 6 July 2016 at 22:36, Prashant Bapat <prashant at apigee.com> wrote:
>              >
>              >     Hi,
>              >
>              >     We are using FreeIPA's LDAP as the base for user
>         authentication in a
>              >     different application. So far I have created a
>         sysaccount which does the
>              >     lookup etc for a user and things are working as
>         expected. I'm even able to
>              >     use OTP from the external app.
>              >
>              >     One problem I'm struggling to fix is the expired
>         passwords. Is there a way
>              >     to deny bind to LDAP only from this application?
>         Obviously the user would
>              >     need to go to IPA's web UI and reset his password there.
>              >
>              >     I came across this ticket
>         https://fedorahosted.org/freeipa/ticket/1539 but
>              >     looks like this is an old one.
>              >
>              >     Thanks.
>              >     --Prashant
>
>              Hello Prashant,
>
>         https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
>              ticket, if
>              you want users with expired passwords to be denied, but it
>         was not
>              implemented
>              yet. Help welcome!
>
>              As a workaround, I assume you could simply leverage
>         Kerberos for
>              authentication
>              - it does respect expired passwords. We have advice on how to
>              integrate that into
>              external web applications here:
>
>         http://www.freeipa.org/page/Web_App_Authentication
>
>              Martin
>
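Until the server-side plugin from ticket 1539 denies the bind itself, an external application can at least refuse to attempt the simple bind when the user's Kerberos password has already expired. The following is an added example, not code from this thread or from FreeIPA: it assumes the application looks the user up under cn=users,cn=accounts,<suffix> (not the cn=compat tree, which does not carry the Kerberos attributes) with a sysaccount that is permitted to read krbPasswordExpiration, and that the entry is handed over as the attribute dictionary a python-ldap or ldap3 search returns. The sample entries, DNs and timestamps are constructed for the example.

```python
"""Application-side gate on FreeIPA password expiry before an LDAP simple bind.

Constructed example, not FreeIPA or mailing-list code. Assumes the caller has
already fetched the user's entry (uid, krbPasswordExpiration) from the main
accounts tree with a sysaccount allowed to read that attribute.
"""
from datetime import datetime, timezone

# FreeIPA stores the Kerberos password expiry as LDAP GeneralizedTime in UTC.
EXPIRY_ATTR = "krbPasswordExpiration"


def parse_generalized_time(value):
    """Parse GeneralizedTime as FreeIPA writes it (YYYYmmddHHMMSSZ) to an aware datetime."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % (value,))
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, now=None):
    """True if the entry's krbPasswordExpiration lies at or before `now`.

    `entry` is the attribute dict of one search result (values are lists of
    bytes). A missing attribute is treated as "no expiry set" (assumption for
    this example). Note that FreeIPA expires an admin-reset password
    immediately, so a freshly reset user is correctly reported as expired.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    values = entry.get(EXPIRY_ATTR) or []
    if not values:
        return False
    return parse_generalized_time(values[0]) <= now


def bind_decision(entry, now=None):
    """Return (allowed, reason); the application only binds when allowed is True."""
    if password_expired(entry, now):
        return False, "password expired; reset it in the IPA web UI before logging in"
    return True, "ok"


# Constructed sample search results for three users (DN -> attributes).
SAMPLE_NOW = datetime(2016, 7, 26, 21, 24, 35, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": [b"alice"], EXPIRY_ATTR: [b"20161024000000Z"]},   # expires in the future
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": [b"bob"], EXPIRY_ATTR: [b"20160701000000Z"]},     # already expired
    "uid=carol,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": [b"carol"]},                                       # no expiry attribute
}


def gate_all(entries=SAMPLE_ENTRIES, now=SAMPLE_NOW):
    """Map each DN to its bind decision; the real app would do this per login."""
    return {dn: bind_decision(attrs, now) for dn, attrs in entries.items()}


if __name__ == "__main__":
    for dn, (allowed, reason) in gate_all().items():
        print("%-55s %s (%s)" % (dn, "BIND" if allowed else "DENY", reason))
```

This is a client-side control only: the directory will still accept the bind from any other LDAP client, which is exactly the gap the thread is about, and the decision depends on the application's own clock being in sync with the IPA masters. It also does nothing for the second half of the problem discussed above: the user still has to change the password somewhere, which in this deployment means the Web UI on the replicas that do not run the patched ipa_pwd_extop plugin.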