Prashant Bapat wrote:
I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
and compiled the ipa-pwd-extop slapi plugin.

Now the user is denied bind. But unable to reset the password.

Right, it's a tricky problem which is why it hasn't been resolved yet. You have come full circle through the same steps we went through.

rob



On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:

    On 07/07/2016 05:19 PM, Prashant Bapat wrote:
    > Anyone ?!
    >
    > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
    >
    >     Hi,
    >
    >     We are using FreeIPA's LDAP as the base for user authentication in a
    >     different application. So far I have created a sysaccount which does the
    >     lookup etc for a user and things are working as expected. I'm even able to
    >     use OTP from the external app.
    >
    >     One problem I'm struggling to fix is the expired passwords. Is there a way
    >     to deny bind to LDAP only from this application? Obviously the user would
    >     need to go to IPA's web UI and reset his password there.
    >
    >     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
    >     looks like this is an old one.
    >
    >     Thanks.
    >     --Prashant

    Hello Prashant,

    https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
    you want users with expired passwords to be denied, but it was not implemented
    yet. Help welcome!

    As a workaround, I assume you could simply leverage Kerberos for authentication
    - it does respect expired passwords. We have advice on how to integrate that to
    external web applications here:

    http://www.freeipa.org/page/Web_App_Authentication

    Martin





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
