On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> Anyone ?!
> On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com 
> <mailto:prash...@apigee.com>> wrote:
>     Hi,
>     We are using FreeIPA's LDAP as the base for user authentication in a
>     different application. So far I have created a sysaccount which does the
>     lookup etc for a user and things are working as expected. I'm even able to
>     use OTP from the external app.
>     One problem I'm struggling to fix is the expired passwords. Is there a way
>     to deny bind to LDAP only from this application? Obviously the user would
>     need to go to IPA's web UI and reset his password there.
>     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>     looks like this is an old one.
>     Thanks.
>     --Prashant

Hello Prashant,

https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
you want users with expired passwords to be denied, but it was not implemented
yet. Help welcome!

As a workaround, I assume you could simply leverage Kerberos for authentication
- it does respect expired passwords. We have advise on how to integrate that to
external web applications here:



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to