Prashant Bapat wrote:
> I cherry-picked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
> and compiled the ipa-pwd-extop slapi plugin.
>
> Now the user is denied bind. But unable to reset the password.

Right, it's a tricky problem which is why it hasn't been resolved yet. You have come full circle through the same steps we went through.


On 8 July 2016 at 13:21, Martin Kosek wrote:

    On 07/07/2016 05:19 PM, Prashant Bapat wrote:
    > Anyone ?!
    > On 6 July 2016 at 22:36, Prashant Bapat wrote:
    >     Hi,
    >     We are using FreeIPA's LDAP as the base for user authentication in a
    >     different application. So far I have created a sysaccount which does
    >     lookup etc for a user and things are working as expected. I'm even able to
    >     use OTP from the external app.
    >     One problem I'm struggling to fix is the expired passwords. Is there a way
    >     to deny bind to LDAP only from this application? Obviously the user
    >     needs to go to IPA's web UI and reset his password there.
    >     I came across this ticket
    >     looks like this is an old one.
    >     Thanks.
    >     --Prashant

    Hello Prashant, seems to be the right ticket, if you want users with
    expired passwords to be denied, but it was not yet. Help welcome!

    As a workaround, I assume you could simply leverage Kerberos for
    - it does respect expired passwords. We have advice on how to
    integrate that to external web applications here:


Manage your subscription for the Freeipa-users mailing list: