<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 25/01/2017 13:48, Georgijs Radovs
      wrote:<br>
    </div>
    <blockquote
      cite="mid:%3C9ce77113-9e77-d422-a81e-566e67a13dd4@scandiweb.com%3E"
      type="cite">Is it possible to configure FreeIPA server so it does
      not mark new passwords, set by Keycloak's LDAP bind user, expired?
      <br>
    </blockquote>
    <p>Yes, you need to configure the privileged LDAP bind user in
      passSyncManagersDNs:<br>
    </p>
    <tt>dn: cn=ipa_pwd_extop,cn=plugins,cn=config</tt><br>
    <tt>passSyncManagersDNs: uid=....</tt><br>
    <br>
    Note that this setting does not replicate - it needs to be applied
    to all replicas by hand.<br>
    <br>
    See:<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync</a><br
      class="Apple-interchange-newline">
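    <p>An added example, not part of the original message or of FreeIPA's
      own tooling: one way to apply the setting described above to every
      replica, since it is not replicated. The replica host names, the
      bind-user DN passed in, binding as cn=Directory Manager over StartTLS,
      and the DRY_RUN switch are assumptions of this sketch.</p>

```shell
#!/bin/sh
# Added example. Host names and the DN you pass in are your own values;
# nothing here is taken from the original message except the config entry.

# Emit the LDIF that adds one DN to passSyncManagersDNs.
build_ldif() {
    printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: passSyncManagersDNs\n'
    printf 'passSyncManagersDNs: %s\n' "$1"
}

# Accept only a single-line value that looks like a DN, so a crafted
# argument cannot smuggle extra attribute lines into cn=config.
valid_dn() {
    lines=$(printf '%s' "$1" | wc -l | tr -d ' ')
    [ "$lines" = 0 ] || return 1
    case "$1" in
        *=*,*=*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = bind-user DN, remaining arguments = replica host names.
# DRY_RUN=1 (the default) prints the command per replica instead of running it.
apply_to_replicas() {
    dn=$1; shift
    valid_dn "$dn" || { echo "refusing malformed DN" >&2; return 2; }
    failed=0
    for host in "$@"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ldapmodify -x -ZZ -H ldap://$host -D 'cn=Directory Manager' -W"
        else
            build_ldif "$dn" |
                ldapmodify -x -ZZ -H "ldap://$host" -D 'cn=Directory Manager' -W ||
                { echo "FAILED on $host" >&2; failed=1; }
        fi
    done
    # Non-zero if any replica was missed: a missed replica still expires
    # passwords set through it.
    return "$failed"
}
```

    <p>Call <tt>apply_to_replicas</tt> with the full DN of the bind user
      followed by every replica's host name, and set DRY_RUN=0 to perform
      the change.</p>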
  </body>
</html>