Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty
much impossible to solve it for mere mortals like me!
On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:
> Prashant Bapat wrote:
>> I cherry-picked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>> Now the user is denied bind. But unable to reset the password.
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>> On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:
>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>> > Anyone ?!
>> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
>> > Hi,
>> > We are using FreeIPA's LDAP as the base for user authentication in a
>> > different application. So far I have created a sysaccount which does the
>> > lookup etc for a user and things are working as expected. I'm even able to
>> > use OTP from the external app.
>> > One problem I'm struggling to fix is the expired passwords. Is there a way
>> > to deny bind to LDAP only from this application? Obviously the user would
>> > need to go to IPA's web UI and reset his password there.
>> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>> > looks like this is an old one.
>> > Thanks.
>> > --Prashant
>> Hello Prashant,
>> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
>> you want users with expired passwords to be denied, but it was not
>> yet. Help welcome!
>> As a workaround, I assume you could simply leverage Kerberos for
>> - it does respect expired passwords. We have advice on how to integrate that to
>> external web applications here:
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project