There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired, yet it seems that one is able to do just that. There is a value in the ldap store, passwordGraceLimit, which is initialized to zero. I have modified that value but it seems to have no effect.
I would like to limit this ability to just a few days, or alternatively, completely lock out the account once the password has expired. Does anyone have any insight as to how to do this? If not, is it planned for a future release? I suppose I could look at a script running daily that would lock the account if the user's password has expired in the last X hours, but I was hoping for something builtin. Any help is appreciated. Dennis
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users