I cherry-picked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and compiled the ipa-pwd-extop slapi plugin.
Now the user is denied bind. But unable to reset the password.

On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:

> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> > Anyone ?!
> >
> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
> >
> > > Hi,
> > >
> > > We are using FreeIPA's LDAP as the base for user authentication in a
> > > different application. So far I have created a sysaccount which does the
> > > lookup etc for a user and things are working as expected. I'm even able to
> > > use OTP from the external app.
> > >
> > > One problem I'm struggling to fix is the expired passwords. Is there a way
> > > to deny bind to LDAP only from this application? Obviously the user would
> > > need to go to IPA's web UI and reset his password there.
> > >
> > > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
> > > looks like this is an old one.
> > >
> > > Thanks.
> > > --Prashant
>
> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
> you want users with expired passwords to be denied, but it was not implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for authentication
> - it does respect expired passwords. We have advice on how to integrate that to
> external web applications here:
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project