Hi Chris and all!

Chris, thanks for putting together the guide on integrating FreeIPA with Okta.
The integration works fine except for accounts with expired passwords.
Okta will allow login for an account with an expired password.
Although the guide says "This is all well documented and supported
within OKTA.", Okta's support team said they haven't tested the
integration with FreeIPA and for OKTA to recognize the password has
expired, the user has to have the pwdReset attribute set to TRUE (for
expired) or FALSE
(https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Your-LDAP-Password-Reset-Settings).
I can't find the pwdReset attribute anywhere in the FreeIPA schema,
which suggests to me that I'll have to extend it, unless Okta is willing
to recognize and honor the krbPasswordExpiration attribute used in the
guide.
Have you or someone on the list gotten this to work properly?

Thanks so much in advance,
Guillermo
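
Added example, not part of the original post or the FreeIPA guide: a sketch of the mapping the message asks about, deriving the TRUE/FALSE value that Okta support described for pwdReset from krbPasswordExpiration, so accounts that would still be admitted can be listed. The LDIF entries, the example.test suffix and the function names are constructed for illustration; the parser assumes unfolded, non-base64 LDIF and the UTC `Z` form of GeneralizedTime.

```python
from datetime import datetime, timezone

# Constructed sample LDIF (not from the thread).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPasswordExpiration: 20140101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPasswordExpiration: 20991231235959Z

dn: uid=svc,cn=users,cn=accounts,dc=example,dc=test
uid: svc
"""

def parse_entries(ldif):
    """Split simple (unfolded, non-base64) LDIF into attribute dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key.lower()] = value.strip()  # attribute names are case-insensitive
        entries.append(entry)
    return entries

def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form, e.g. 20140812134626Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pwd_reset_flags(ldif, now):
    """Map uid -> 'TRUE' (expired), 'FALSE' (valid) or None (attribute absent)."""
    flags = {}
    for entry in parse_entries(ldif):
        raw = entry.get("krbpasswordexpiration")
        if raw is None:
            flags[entry["uid"]] = None  # no expiry recorded; needs manual review
        else:
            expired = parse_generalized_time(raw) <= now
            flags[entry["uid"]] = "TRUE" if expired else "FALSE"
    return flags

if __name__ == "__main__":
    now = datetime(2014, 8, 12, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for uid, flag in pwd_reset_flags(SAMPLE_LDIF, now).items():
        print(uid, flag)
```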

------------

From: Chris Whittle <cwhittl gmail com>
To: dpal redhat com
Cc: freeipa-users <freeipa-users redhat com>
Subject: Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium
Date: Tue, 12 Aug 2014 08:46:26 -0500


http://www.freeipa.org/page/HowTo/Integrate_With_Okta


On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal <dpal redhat com> wrote:
>
> On 08/08/2014 04:26 PM, Chris Whittle wrote:
...