[Freeipa-users] LDAP bind permitted for expired passwords
Brian Candler
b.candler at pobox.com
Fri Nov 18 15:57:42 UTC 2016
Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds
succeed even for DNs whose krbPasswordExpiration time has passed. Is
this fixed, or is it possible to change this?
The reason I ask is because some applications use LDAP bind as a
password validation oracle: for example, if you configure a Sophos UTM
to use LDAP, it works this way.
I realise that an LDAP bind doesn't give a way to prompt the user to
change their password. However, a failure could be used to force the
user to go to the web UI to reset it (and you could always notify people
by E-mail if their password is about to expire).
Thanks,
Brian.
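The situation described in the question, where a successful simple bind says nothing about whether krbPasswordExpiration has passed, can be closed on the application side by reading the attribute after the bind and rejecting expired accounts. The following is an added example, not code from the original post or from the FreeIPA project. It assumes the application's bind identity is permitted to read krbPasswordExpiration (an assumption about directory permissions), and it uses a constructed in-memory stand-in for the directory so it runs offline; the `bind` and `read_expiration` callables are hypothetical hooks that a real deployment would replace with its LDAP client.

```python
from datetime import datetime, timezone
from typing import Callable, Optional


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the form FreeIPA uses, e.g. '20161118155742Z' (UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expired(expiration: Optional[str], now: Optional[datetime] = None) -> bool:
    """True when krbPasswordExpiration is set and lies in the past.

    An absent attribute is treated as 'no expiry', matching the fact that the
    bind itself would have succeeded either way.
    """
    if not expiration:
        return False
    now = now or datetime.now(timezone.utc)
    return parse_generalized_time(expiration) <= now


# Constructed stand-in for the directory: DN -> (password, krbPasswordExpiration).
# These DNs, passwords and dates are made up for the example.
FAKE_DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": ("alice-pw", "20170101000000Z"),
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": ("bob-pw", "20160101000000Z"),
    "uid=carol,cn=users,cn=accounts,dc=example,dc=test": ("carol-pw", None),
}


def fake_simple_bind(dn: str, password: str) -> bool:
    """Hypothetical bind hook: mimics a simple bind that ignores expiry, as the post describes."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def fake_read_expiration(dn: str) -> Optional[str]:
    """Hypothetical attribute read hook: returns krbPasswordExpiration for the DN, or None."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry[1] if entry else None


def authenticate(
    dn: str,
    password: str,
    bind: Callable[[str, str], bool] = fake_simple_bind,
    read_expiration: Callable[[str], Optional[str]] = fake_read_expiration,
    now: Optional[datetime] = None,
) -> str:
    """Bind, then enforce expiry the bind alone does not.

    Returns 'bad-credentials', 'expired' or 'ok'. The bind is attempted first so
    that an unauthenticated caller learns nothing about expiry state.
    """
    if not bind(dn, password):
        return "bad-credentials"
    if password_expired(read_expiration(dn), now):
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed reference time for the demo: the date of the original message.
    ref = datetime(2016, 11, 18, 15, 57, 42, tzinfo=timezone.utc)
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw"), ("alice", "wrong")):
        dn = f"uid={user},cn=users,cn=accounts,dc=example,dc=test"
        print(user, "->", authenticate(dn, pw, now=ref))
```

The ordering matters: checking expiry only after a successful bind means an "expired" answer is never handed to someone who did not know the password, and the application can map "expired" to a message directing the user to the web UI, as the post suggests.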