[Freeipa-users] LDAP bind permitted for expired passwords

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 21 09:54:18 UTC 2016


On Fri, 18 Nov 2016, Brian Candler wrote:
>Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds 
>succeed even for DNs whose krbPasswordExpiration time has passed. Is 
>this fixed, or is it possible to change this?
Not yet. We have a ticket you can look at and read the history of
discussion there.

>The reason I ask is because some applications use LDAP bind as a 
>password validation oracle: for example, if you configure a Sophos UTM 
>to use LDAP, it works this way.
>
>I realise that an LDAP bind doesn't give a way to prompt the user to 
>change their password. However, a failure could be used to force the 
>user to go to the web UI to reset it (and you could always notify 
>people by E-mail if their password is about to expire)
The problem is in changing expired passwords -- if you disable the ability
to do an LDAP bind for expired passwords, you will not be able to change
passwords, as you'll not be able to bind to do the change. These are two
different LDAP operations, but they are combined. In the past we also lacked
support from 389-ds to allow us to handle expired password changes
without disabling the bind process.

See https://fedorahosted.org/freeipa/ticket/1539 for more details.
-- 
/ Alexander Bokovoy
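An added example (not code from the thread or from FreeIPA) of the application-side check the thread implies: because a simple bind succeeds for an expired password, an application using bind as a password oracle has to read krbPasswordExpiration itself after a successful bind. The directory, bind and attribute lookup below are constructed in-memory stand-ins; in a real deployment the lookup would be an LDAP search by a service account permitted to read that attribute.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed in-memory stand-in for the directory: DN -> (password, attributes).
# DNs and values are assumed/sample data, not taken from any real server.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": (
        "alice-pw", {"krbPasswordExpiration": ["20260101000000Z"]}),
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": (
        "bob-pw", {"krbPasswordExpiration": ["20161101000000Z"]}),
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20161118095418Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for the server-side simple bind described in the thread:
    it checks only the password and ignores krbPasswordExpiration."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def read_attribute(dn: str, attr: str) -> list:
    """Stand-in for an LDAP search returning one attribute of an entry."""
    entry = DIRECTORY.get(dn)
    return list(entry[1].get(attr, [])) if entry else []


def validate_login(dn: str, password: str, now: Optional[datetime] = None) -> str:
    """Application-side credential check: bind success alone is not enough.

    Returns 'invalid-credentials', 'password-expired' or 'ok'. An entry with
    no krbPasswordExpiration value is treated as not expired (a policy choice)."""
    if not simple_bind(dn, password):
        return "invalid-credentials"
    now = now or datetime.now(timezone.utc)
    values = read_attribute(dn, "krbPasswordExpiration")
    if values and parse_generalized_time(values[0]) <= now:
        # Bind succeeded, but the Kerberos password has expired: refuse the
        # login so the user is sent to the web UI to change the password.
        return "password-expired"
    return "ok"
```
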
