Prashant Bapat wrote:
I cherry-picked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and compiled the ipa-pwd-extop slapi plugin.
Now the user is denied bind, but is unable to reset the password.
Right, it's a tricky problem which is why it hasn't been resolved yet.
You have come full circle through the same steps we went through.
rob
On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:
On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> Anyone ?!
>
> On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
>
> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a
> different application. So far I have created a sysaccount which does the
> lookup etc. for a user and things are working as expected. I'm even able to
> use OTP from the external app.
>
> One problem I'm struggling to fix is the expired passwords. Is there a way
> to deny bind to LDAP only from this application? Obviously the user would
> need to go to IPA's web UI and reset his password there.
>
> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
> it looks like this is an old one.
>
> Thanks.
> --Prashant
Hello Prashant,
https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
you want users with expired passwords to be denied, but it was not implemented
yet. Help welcome!
As a workaround, I assume you could simply leverage Kerberos for authentication
- it does respect expired passwords. We have advice on how to integrate that to
external web applications here:
http://www.freeipa.org/page/Web_App_Authentication
Martin
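An application-side check of the kind Prashant asks about, as an added example that is not from this thread or from FreeIPA: before attempting the user's bind, the external application uses its sysaccount to read the user's krbPasswordExpiration attribute (FreeIPA stores it as an LDAP GeneralizedTime) and refuses when that time has passed. The directory lookup is stubbed with constructed entries, and the DNs and dates are made up; this gates only this one application, so it is not a substitute for the server-side enforcement that ticket 1539 asks for.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample entries, shaped like a python-ldap search result:
# {dn: {attribute: [values]}}. Attribute name is FreeIPA's; DNs and
# dates are invented for this example.
SAMPLE_ENTRIES = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
        "krbPasswordExpiration": [b"20990101000000Z"],   # far in the future
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": {
        "krbPasswordExpiration": [b"20160601000000Z"],   # already past
    },
    "uid=carol,cn=users,cn=accounts,dc=example,dc=test": {},  # no expiry recorded
}


def parse_generalized_time(value: bytes) -> datetime:
    """Parse an LDAP GeneralizedTime such as b'20160708132100Z' as UTC."""
    return datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ").replace(
        tzinfo=timezone.utc
    )


def password_expired(entry: dict, now: Optional[datetime] = None) -> bool:
    """True when the entry's krbPasswordExpiration lies at or before `now`."""
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return False  # attribute absent: nothing recorded to enforce here
    return parse_generalized_time(values[0]) <= now


def bind_allowed(dn: str, entries: dict = SAMPLE_ENTRIES,
                 now: Optional[datetime] = None) -> bool:
    """Decide whether the application should attempt a bind as `dn` at all.

    In a real deployment `entries` would come from a search performed with
    the application's sysaccount (hypothetical helper, not shown here).
    """
    entry = entries.get(dn)
    if entry is None:
        return False  # unknown DN: deny rather than fall through to a bind
    return not password_expired(entry, now)
```

The 389-ds bind itself still succeeds for an expired password, so this check must run before the bind, and a user it rejects still has to reset the password through the IPA web UI as the thread describes.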
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project