<div dir="ltr">Thank you very much, Brian!</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Georgijs Radovs<br>
Junior Sysadmin</div></div></div>
<br><div class="gmail_quote">On Wed, Jan 25, 2017 at 7:13 PM, Brian Candler <span dir="ltr"><<a href="mailto:b.candler@pobox.com" target="_blank">b.candler@pobox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div class="m_1622688739090178737moz-cite-prefix">On 25/01/2017 13:48, Georgijs Radovs
wrote:<br>
</div>
<blockquote type="cite">Is it possible to configure FreeIPA server so it does
not mark new passwords, set by Keycloak's LDAP bind user, expired?
<br>
</blockquote>
</span><p>Yes, you need to configure the privileged LDAP bind user in
passSyncManagersDNs:<br>
</p>
<tt>dn: cn=ipa_pwd_extop,cn=plugins,cn=config</tt><br>
<tt>passSyncManagersDNs: uid=....</tt><br>
<br>
Note that this setting does not replicate - it needs to be applied
to all replicas by hand.<br>
<br>
See:<br>
<a class="m_1622688739090178737moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync" target="_blank">https://access.redhat.com/<wbr>documentation/en-US/Red_Hat_<wbr>Enterprise_Linux/7/html/<wbr>Windows_Integration_Guide/<wbr>pass-sync.html#password-sync</a><br class="m_1622688739090178737Apple-interchange-newline">
</div>
</blockquote></div><br></div>
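<p>An added example, not part of the original thread: because the setting does not replicate, this script checks each replica for the DN in <tt>passSyncManagersDNs</tt> and adds it only where it is missing. The replica host names, the service-account DN, the password file and the function names are assumptions; any DN listed here can set passwords that are not marked expired, so keep the list to the one sync account.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names throughout.
PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'   # entry named in the thread
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"        # assumed admin bind DN

# Print the LDIF that adds DN $1 to passSyncManagersDNs.
build_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PLUGIN_DN" "$1"
}

# Read unwrapped ldapsearch LDIF on stdin; succeed if DN $1 is already listed.
# DNs compare case-insensitively, so both sides are lower-cased first.
has_manager() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | grep -Fxq "passsyncmanagersdns: $want"
}

# Check one replica ($1 = host, $2 = sync DN) and add the value if absent.
# PWFILE holds the admin password, so it never appears on the command line.
apply_to_replica() {
    uri="ldaps://$1"
    if ldapsearch -LLL -o ldif-wrap=no -x -H "$uri" -D "$ADMIN_DN" -y "$PWFILE" \
            -s base -b "$PLUGIN_DN" passSyncManagersDNs | has_manager "$2"; then
        echo "$1: already configured"
    else
        build_ldif "$2" | ldapmodify -x -H "$uri" -D "$ADMIN_DN" -y "$PWFILE" \
            && echo "$1: added"
    fi
}

# Runs only when REPLICAS is set, for example (constructed values):
#   REPLICAS="ipa1.example.test ipa2.example.test" \
#   SYNC_DN="uid=keycloak-bind,cn=sysaccounts,cn=etc,dc=example,dc=test" \
#   PWFILE=/root/.dm_pw sh add-passsync-manager.sh
if [ -n "${REPLICAS:-}" ]; then
    for replica in $REPLICAS; do
        apply_to_replica "$replica" "$SYNC_DN"
    done
fi
```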