On 03/03/2015 05:38 AM, Jason Prouty wrote:
> Is there a method to auto disable users who have logged in 90 days.
> I have a security requirement to auto disable users who have not logged in 
> after 90 days.

There is no such facility implemented in vanilla FreeIPA. I think there was
another user request, but I could not find any Bugzilla or Trac ticket.

I see 3 options how to do what you propose:

1) Implement a cron script that will LDAP search for such users and disable
them when the account is inactive for too long (based on krblastsuccessfulauth).

2) Configure 389 Directory Server Account Policy Plug-In to do what you want.
This is it's doc:


However, I am slightly afraid that it may collide with other FreeIPA user
lockout or password policy plugins. CCing Ludwig and Thierry for reference.

3) File RFE and work with FreeIPA development team to help and implement an
extension of the lockout policy, to implement what you want.


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to