There seems to be nothing in the documentation about a user being able to 
initiate a password change dialogue after their password has expired, yet it 
seems that one is able to do just that. There is a value in the LDAP store,
passwordGraceLimit, which is initialized to zero. I have modified that value 
but it seems to have no effect.

I would like to limit this ability to just a few days, or alternatively, 
completely lock out the account once the password has expired.

Does anyone have any insight as to how to do this? If not, is it planned for a 
future release?

I suppose I could look at a script running daily that would lock the account if 
the user's password has expired in the last X hours, but I was hoping for 
something built-in.

Any help is appreciated.

