Running FreeIPA 220.127.116.11 on RHEL 6.6, all standard packages.
I also have FreeRADIUS installed, which is used for network devices (Cisco,
Brocade, F5, UCS etc.) to authenticate users. FreeRADIUS is using the LDAP store
in FreeIPA as an authentication backend.
All is working fine.
But I would like clarification on the following...
A user account in FreeIPA is showing up as having an expired password. This is
confirmed by logging into the FreeIPA web interface or SSH and seeing a prompt
to change password immediately.
If I choose to not set the password, it remains expired.
Now, if I try to access a network device that is using RADIUS-based auth, using
the account with the expired password, it successfully logs in even though the
password is expired.
Is this normal? i.e. a password can still be used even if it's in an expired
I understand that going via RADIUS using FreeIPA as an LDAP backend is not the
Is there a way to make password authentication fail if a password is expired
when used in this scenario?
Thanks in advance,