<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 04/10/2014 08:03 AM, Matthew Symonds wrote:<br> </div> <blockquote cite="mid:CAFBREJb5cG_aOy1_A3v3ckeDqS8P8vOJNkiVWThJR5Owip9_SA@mail.gmail.com" type="cite"> <div dir="ltr"> <div>We have a few services using IPA via LDAP.</div> <div><br> </div> <div>E.G. Apache connecting to <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><snip>/cn=users,cn=accounts,dc=ipa,dc=<snip>?uid</div> <div><br> </div> <div>This works fine but users with expired passwords are still able to authenticate.</div> <div><br> </div> <div>Is there any way to stop this in FreeIPA, or do I have to check krbPasswordExpiration in my user filter?</div> </div> </blockquote> <br> There is no way to stop it.<br> You can read about the reasons in the ticket and mentioned threads.<br> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/1539#comment:13">https://fedorahosted.org/freeipa/ticket/1539#comment:13</a><br> <br> Using it in the access control filter would be a reasonable workaround.<br> <br> <blockquote cite="mid:CAFBREJb5cG_aOy1_A3v3ckeDqS8P8vOJNkiVWThJR5Owip9_SA@mail.gmail.com" type="cite"> <div dir="ltr"> <div><br> </div> <div>Thanks</div> <div>Matt</div> <div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>