On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler <jos...@azariah.com> wrote:


> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords).  But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> work flow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets password on FreeIPA system
> 3. User's login is now broken because the password is expired.
>

Leaving the design/philosophy aside, you could modify your users'
krbpasswordexpiration LDAP attribute in your script that changes the
FreeIPA password from your master DB password source. It's quite simple
using your LDAP tools of choice.

--
Greetings,
natxo
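
One way to script the attribute change suggested in the reply above, as an added example that is not part of the original message. The directory suffix, the host name, the 90-day lifetime and the uid character set are assumptions; the generated LDIF is meant to be piped to `ldapmodify` under a bind identity that is allowed to write this attribute.

```shell
#!/bin/sh
# Added example: build the LDIF record that resets krbPasswordExpiration
# after the sync script has set a user's password.
LC_ALL=C; export LC_ALL          # make the a-z ranges below byte-exact
SUFFIX='dc=example,dc=com'       # assumed directory suffix (placeholder)

# Print an LDIF modify record, or return non-zero on bad input.
#   $1 = uid, $2 = expiry as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ)
build_expiry_ldif() {
    # Conservative uid check (assumed policy): a value coming from the master
    # DB must not be able to add DN components or extra LDIF lines.
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_.-]*) echo "rejected uid" >&2; return 1 ;;
    esac
    # Expiry must be exactly 14 digits followed by a single trailing Z.
    case "$2" in
        *[!0-9Z]*|*Z?*) echo "rejected expiry" >&2; return 1 ;;
    esac
    [ "${#2}" -eq 15 ] && [ "${2%Z}" != "$2" ] || {
        echo "rejected expiry" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$SUFFIX"
    printf 'changetype: modify\n'
    printf 'replace: krbPasswordExpiration\n'
    printf 'krbPasswordExpiration: %s\n' "$2"
}

# Expiry N days from now, in UTC (default 90 days, an assumed policy).
expiry_in_days() {
    date -u -d "@$(( $(date +%s) + ${1:-90} * 86400 ))" '+%Y%m%d%H%M%SZ'
}

# Usage in the sync script, after the password itself has been set
# (ipa.example.com is a placeholder host):
#   build_expiry_ldif "$user" "$(expiry_in_days 90)" \
#       | ldapmodify -Y GSSAPI -H ldaps://ipa.example.com
```
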