On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password..
If you're using a password, yes it kicks back and requires you to
change it. The problem is if you're not using a password to
authenticate, but instead using an SSH key, then it appears there are no
hooks to check with IPA if the password (or the principal itself) is
expired and the user is allowed to continue to login. The
"recommended" way to do this in RHEL6 is to set access_provider to
ldap in sssd, but that doesn't seem to cover all cases and doesn't
play well with other IPA things (like HBAC) from what I can tell.
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library | "On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
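Added example, not code from the thread or from the SSSD/FreeIPA projects: a small audit script that applies the checks the post says are skipped on SSH-key logins (account lock, principal expiry, password expiry) to an LDAP export of IPA user entries. The attribute names are IPA's; the DN suffix, user names and dates in the sample export are constructed, and treating a missing expiration attribute as "never expires" is an assumption.

```python
# Audit helper for the SSH-key case in the thread: the KDC never sees a password,
# so apply IPA's own state from an LDAP export: nsAccountLock, krbPrincipalExpiration,
# krbPasswordExpiration (LDAP GeneralizedTime YYYYMMDDHHMMSSZ; absent = never expires).
from datetime import datetime, timezone
# Constructed sample export (shape of `ldapsearch -LLL` output); not real accounts.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPasswordExpiration: 20990101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPasswordExpiration: 20160101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
nsAccountLock: TRUE
krbPasswordExpiration: 20990101000000Z
"""
def parse_ldif(text):
    """Parse a simple LDIF export into {uid: {attr: value}} (single-valued attrs)."""
    users, entry = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "uid" in entry:
                users[entry["uid"]] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()] = value.strip()
    return users

def gen_time(value):
    """LDAP GeneralizedTime with 'Z' suffix -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def access_decision(entry, now):
    """Return (allowed, reason): lock first, then principal, then password expiry."""
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        return False, "account locked"
    for attr, reason in (("krbPrincipalExpiration", "principal expired"),
                         ("krbPasswordExpiration", "password expired")):
        if attr in entry and gen_time(entry[attr]) <= now:
            return False, reason
    return True, "ok"

def audit(ldif_text, now=None):
    """Evaluate every user in the export; returns {uid: (allowed, reason)}."""
    now = now or datetime.now(timezone.utc)
    return {uid: access_decision(e, now) for uid, e in parse_ldif(ldif_text).items()}
```

Run `audit()` over a real `ldapsearch` export of `cn=users,cn=accounts` to list users who could still log in by key although IPA considers their password or principal expired.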