On 03/03/2015 07:22 AM, Martin Kosek wrote:
On 03/03/2015 05:38 AM, Jason Prouty wrote:

Is there a method to auto-disable users who have not logged in for 90 days?
I have a security requirement to auto-disable users who have not logged in
after 90 days.

There is no such facility implemented in vanilla FreeIPA. I think there was
another user request, but I could not find any Bugzilla or Trac ticket.

I see 3 options for how to do what you propose:

1) Implement a cron script that will LDAP search for such users and disable
them when the account is inactive for too long (based on krblastsuccessfulauth).

Yes, this is probably the most recommended approach.
You do an LDAP search for all the accounts that have krblastsuccessfulauth more
than 90 days ago and then disable them one by one.
Should be a very simple script to write.

2) Configure 389 Directory Server Account Policy Plug-In to do what you want.
This is its doc:


However, I am slightly afraid that it may collide with other FreeIPA user
lockout or password policy plugins. CCing Ludwig and Thierry for reference.

3) File an RFE and work with the FreeIPA development team to help implement an
extension of the lockout policy, to implement what you want.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
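For option 1 above, an added worked example of the cron job (my own code, not from the thread, the FreeIPA project or python-ldap): it builds the LDAP filter on krbLastSuccessfulAuth, selects the idle accounts, and disables them by setting nsAccountLock to TRUE, which is the same change `ipa user-disable` makes. Assumptions: python-ldap for the directory calls, the suffix dc=example,dc=com with users under cn=users,cn=accounts, the hostname ipa.example.com, and the constructed SAMPLE_ENTRIES in the block, which stand in for real search results.

```python
"""Disable FreeIPA users idle for more than N days (added example, not project code)."""
from datetime import datetime, timedelta, timezone

USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # assumed suffix; adjust
GEN_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as 389-ds stores it (UTC)

# Constructed sample in python-ldap's (dn, {attr: [bytes, ...]}) shape, not real data.
SAMPLE_ENTRIES = [
    ("uid=alice," + USERS_BASE, {"krbLastSuccessfulAuth": [b"20150301120000Z"]}),
    ("uid=bob," + USERS_BASE, {"krbLastSuccessfulAuth": [b"20141101090000Z"]}),
    ("uid=carol," + USERS_BASE, {"krbLastSuccessfulAuth": [b"20140101090000Z"],
                                 "nsAccountLock": [b"TRUE"]}),
    ("uid=dave," + USERS_BASE, {"createTimestamp": [b"20140601000000Z"]}),
    ("uid=erin," + USERS_BASE, {"krbLastSuccessfulAuth": [b"20141203072200Z"]}),
]


def to_generalized_time(dt):
    """aware datetime -> '20141203072200Z'."""
    return dt.astimezone(timezone.utc).strftime(GEN_TIME)


def from_generalized_time(value):
    """'20141203072200Z' -> aware UTC datetime."""
    return datetime.strptime(value, GEN_TIME).replace(tzinfo=timezone.utc)


def cutoff_time(now, max_idle_days=90):
    """Accounts whose last successful auth is at or before this instant are idle."""
    return now - timedelta(days=max_idle_days)


def stale_user_filter(cutoff):
    """Server-side filter. 389-ds supports ordering matches on GeneralizedTime, so
    the comparison runs in the directory. Already-locked accounts and accounts that
    never authenticated (no krbLastSuccessfulAuth at all) do not match."""
    return ("(&(objectClass=posixAccount)"
            "(krbLastSuccessfulAuth<=%s)"
            "(!(nsAccountLock=TRUE)))" % to_generalized_time(cutoff))


def select_stale(entries, cutoff, include_never_logged_in=False):
    """Client-side selection over search results; returns the DNs to disable.
    Re-checks what the filter already enforced so a broader search is safe too.
    Accounts with no krbLastSuccessfulAuth are skipped unless
    include_never_logged_in is set, in which case createTimestamp stands in."""
    stale = []
    for dn, attrs in entries:
        locked = [v.decode().upper() for v in attrs.get("nsAccountLock", [])]
        if "TRUE" in locked:
            continue  # already disabled
        last = attrs.get("krbLastSuccessfulAuth")
        if last:
            when = from_generalized_time(last[0].decode())
        elif include_never_logged_in and attrs.get("createTimestamp"):
            when = from_generalized_time(attrs["createTimestamp"][0].decode())
        else:
            continue  # never logged in; policy decision, left alone by default
        if when <= cutoff:
            stale.append(dn)
    return stale


def disable_users(conn, dns, dry_run=True):
    """Set nsAccountLock: TRUE on each DN (what `ipa user-disable` does).
    Returns the DNs acted on; with dry_run the change is only printed."""
    done = []
    for dn in dns:
        if dry_run:
            print("would disable %s" % dn)
        else:
            import ldap  # python-ldap, only needed for a real run
            conn.modify_s(dn, [(ldap.MOD_REPLACE, "nsAccountLock", [b"TRUE"])])
        done.append(dn)
    return done


def run(conn, now=None, max_idle_days=90, dry_run=True):
    """One cron run against a live connection: search, select, disable."""
    import ldap
    now = now or datetime.now(timezone.utc)
    cutoff = cutoff_time(now, max_idle_days)
    entries = conn.search_s(USERS_BASE, ldap.SCOPE_ONELEVEL, stale_user_filter(cutoff),
                            ["krbLastSuccessfulAuth", "nsAccountLock"])
    return disable_users(conn, select_stale(entries, cutoff), dry_run=dry_run)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, "now" fixed to 2015-03-03.
    now = from_generalized_time("20150303072200Z")
    print(stale_user_filter(cutoff_time(now)))
    disable_users(None, select_stale(SAMPLE_ENTRIES, cutoff_time(now)), dry_run=True)
    # Real use from cron on a master, with a keytab or kinit'd credentials:
    #   import ldap, ldap.sasl
    #   conn = ldap.initialize("ldaps://ipa.example.com")
    #   conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    #   run(conn, dry_run=False)
```

Run it as a dry run first and read the list. Two checks before trusting it: `ipa config-show` should not list `KDC:Disable Last Success` in ipaConfigString, otherwise the KDC no longer writes krbLastSuccessfulAuth and every account looks idle; and FreeIPA excludes krbLastSuccessfulAuth from replication, so one master only knows about logins it handled itself. Search every master and keep the newest value per user, and confirm on a test account which of your authentication paths actually update the attribute.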

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
