[Freeipa-users] Do expired passwords remain usable indefinitely?
Brian Candler
b.candler at pobox.com
Tue Oct 25 08:46:14 UTC 2016
On 25/10/2016 08:29, David Kupka wrote:
> If I understood Brian correctly he was asking about expiration of NTLM
> password hashes.
Partly.
As long as the hash remains in the database and is readable via LDAP, I
know it will continue to work for authentication. However I was also
asking whether a long-expired password would prevent a user from logging
into the webUI or obtaining a kerberos ticket.
Scenario is: a user who is mostly wireless-only, who very rarely uses
IPA for anything else. Their password expires, and they never notice
because it keeps working. However, (say) a year later, they decide to
login to IPA for some reason - maybe because they've decided it's time
to change their wireless password. Will their old expired password
still be usable for this? I'm hoping it would simply tell them that the
account has expired and force a password change.
Aside: I realise there are other ways I can handle this. Perhaps I
*should* make passwords expire for wireless too, by checking the
krbPasswordExpiration field in the RADIUS server. But then I need some
way to warn people that their passwords are about to expire and give
them an opportunity to change it - e.g. by mailing out a warning a
couple of weeks before it does.
Regards,
Brian.
More information about the Freeipa-users
mailing list