On Behalf Of Dmitri Pal
Sent: Thursday, 26 March 2015 12:52 PM
Subject: Re: [Freeipa-users] clarification on expired password behaviour

On 03/25/2015 09:14 PM, Les Stott wrote:
Hi All,

Running freeipa on rhel 6.6, all standard packages.

I also have freeradius installed which is used for network devices (cisco, 
brocade, f5, ucs etc) to authenticate users. Freeradius is using the ldap store 
in FreeIPA as an authentication backend.

All is working fine.

But I would like clarification on the following...

A user account in freeipa is showing up as having an expired password. This is 
confirmed by logging into the freeipa web interface or ssh and seeing a prompt 
to change password immediately.

If I choose to not set the password, it remains expired.

Now, if I try to access a network device that is using radius based auth, using 
the account with the expired password, it successfully logs in even though the 
password is expired.

Is this normal? i.e. a password can still be used even if it's in an expired 

I understand that going via radius using freeipa as an ldap backend is not the 
normal process.

Is there a way to make password authentication fail if a password is expired 
when used in this scenario?

Thanks in advance,



You can see the details in the ticket.

The workaround will be to use kinit instead of LDAP for authentication in 
freeradius or use pam and leverage SSSD as an IPA client on the RADIUS server.

Thanks Dmitri.

In fact the radius server is installed on the freeipa server and talks locally 
via loopback.

I will look at kinit and sssd options.
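While RADIUS still authenticates by LDAP bind, the accounts exposed to the behaviour described in this thread are the ones whose password has already expired. The following is an added example, not part of the original messages or of FreeIPA: it classifies user entries by expiry, assuming the expiry is read from the `krbPasswordExpiration` attribute in UTC GeneralizedTime form. The entries and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample entries, shaped like an LDAP search result that
# requested uid and krbPasswordExpiration (assumed attribute name).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "krbPasswordExpiration": ["20150320101500Z"]},
    {"uid": ["bob"], "krbPasswordExpiration": ["20150901000000Z"]},
    {"uid": ["svc-backup"]},                                  # attribute absent
    {"uid": ["carol"], "krbPasswordExpiration": ["not-a-date"]},
]

def parse_generalized_time(value):
    """Parse the UTC form YYYYmmddHHMMSSZ; return None if malformed."""
    try:
        parsed = datetime.strptime(value, "%Y%m%d%H%M%SZ")
    except (TypeError, ValueError):
        return None
    return parsed.replace(tzinfo=timezone.utc)

def classify(entry, now):
    """Return 'expired', 'valid' or 'unknown' for one entry."""
    values = entry.get("krbPasswordExpiration")
    if not values:
        return "unknown"          # no expiry recorded: review by hand
    expiry = parse_generalized_time(values[0])
    if expiry is None:
        return "unknown"          # unparseable value: review by hand
    return "expired" if expiry <= now else "valid"

def audit(entries, now):
    """Group uids by status so expired and unknown accounts can be reviewed."""
    report = {"expired": [], "valid": [], "unknown": []}
    for entry in entries:
        uid = entry.get("uid", ["<no uid>"])[0]
        report[classify(entry, now)].append(uid)
    return report

if __name__ == "__main__":
    # Fixed reference time (the date of the thread) for the sample data.
    now = datetime(2015, 3, 26, 12, 52, tzinfo=timezone.utc)
    for status, uids in audit(SAMPLE_ENTRIES, now).items():
        print(f"{status}: {', '.join(uids) or '-'}")
```

Accounts reported as expired are the ones to watch in the RADIUS logs until authentication has moved to kinit or PAM/SSSD as suggested above.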


