On 03/21/2016 06:56 PM, Rob Crittenden wrote:
> Bob wrote:
>> If each IPA server tracks time of last auth independently, then one IPA
>> server might disable an inactive account. But that account might be
>> active on another server. In a fail-over case where the server that
>> that account normally uses is down, the user would not have a usable
>> Is it possible to use the account policy plugin? Or is there a way to
>> track time of last auth that is replicated? I need to have accounts
>> that have been inactive for 90 days automatically disabled.
> You can't use the account policy plugin but it isn't aware of Kerberos, so it
> would potentially miss a lot of authentications.
> You could modify replication agreements to not ignore this attribute, but you
> potentially create a replication "storm", particularly in the early morning when
> everyone logs in at the same time.
> In any case, IPA password policy doesn't currently handle inactivity. There is
> a ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential
> short-term workaround).
JFTR, this is the ticket with the failed login replication RFE:
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project