Hi Chris and all!

Chris, thanks for putting together the guide on integrating FreeIPA with Okta. The integration works fine except for accounts with expired passwords. Okta will allow login for an account with an expired password. Although the guide says "This is all well documented and supported within OKTA.", Okta's support team said they haven't tested the integration with FreeIPA, and for OKTA to recognize the password has expired, the user has to have the pwdReset attribute set to TRUE (for expired) or FALSE (https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Your-LDAP-Password-Reset-Settings). I can't find the pwdReset attribute anywhere in the FreeIPA schema, which suggests I'll have to extend it, unless Okta is willing to recognize and honor the krbPasswordExpiration attribute used in the guide. Have you or someone on the list gotten this to work properly?
Thanks so much in advance,
Guillermo

------------
From: Chris Whittle <cwhittl gmail com>
To: dpal redhat com
Cc: freeipa-users <freeipa-users redhat com>
Subject: Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium
Date: Tue, 12 Aug 2014 08:46:26 -0500

http://www.freeipa.org/page/HowTo/Integrate_With_Okta

On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal <dpal redhat com> wrote:
> > On 08/08/2014 04:26 PM, Chris Whittle wrote:
...
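
An added example, not part of the original post or the FreeIPA guide: an audit a FreeIPA administrator could run over exported LDIF to list accounts whose krbPasswordExpiration has passed, which are the accounts the post reports Okta still lets in. The sample entries, DNs and reference date are constructed, and the code assumes the attribute is in the UTC GeneralizedTime form YYYYMMDDHHMMSSZ.

```python
from datetime import datetime, timezone

# Constructed sample LDIF (made-up users, DNs and dates), shaped like a
# directory export that includes uid and krbPasswordExpiration.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPasswordExpiration: 20140701000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPasswordExpiration: 20150101000000Z

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,
 dc=test
uid: svc-backup
"""

def parse_ldif(text):
    """Split LDIF text into entries: dict of lowercased attribute -> values."""
    unfolded = text.replace("\n ", "")  # undo RFC 2849 line folding
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form YYYYMMDDHHMMSSZ (assumed format)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_password_expiry(ldif_text, now):
    """Return (expired, no_expiry) lists of uids as of `now`."""
    expired, no_expiry = [], []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        stamps = entry.get("krbpasswordexpiration")
        if not stamps:
            no_expiry.append(uid)  # attribute absent: report separately
        elif parse_generalized_time(stamps[0]) <= now:
            expired.append(uid)
    return expired, no_expiry

if __name__ == "__main__":
    as_of = datetime(2014, 8, 12, tzinfo=timezone.utc)  # constructed date
    print(audit_password_expiry(SAMPLE_LDIF, as_of))
```

The expired list can be compared against the identity provider's recent sign-in records to find logins that the directory's own password policy would have refused.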