Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty much impossible to solve it for mere mortals like me!

On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob
>
>> On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:
>>
>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>> > Anyone ?!
>> >
>> > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
>> >
>> > Hi,
>> >
>> > We are using FreeIPA's LDAP as the base for user authentication in a
>> > different application. So far I have created a sysaccount which does the
>> > lookup etc for a user and things are working as expected. I'm even able to
>> > use OTP from the external app.
>> >
>> > One problem I'm struggling to fix is the expired passwords. Is there a way
>> > to deny bind to LDAP only from this application? Obviously the user would
>> > need to go to IPA's web UI and reset his password there.
>> >
>> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>> > looks like this is an old one.
>> >
>> > Thanks.
>> > --Prashant
>>
>> Hello Prashant,
>>
>> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
>> you want users with expired passwords to be denied, but it was not implemented
>> yet. Help welcome!
>>
>> As a workaround, I assume you could simply leverage Kerberos for authentication
>> - it does respect expired passwords. We have advice on how to integrate that to
>> external web applications here:
>>
>> http://www.freeipa.org/page/Web_App_Authentication
>>
>> Martin
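
An application-side check for the problem discussed in this thread, as an added example that is not part of the original messages or FreeIPA's own code: after a successful bind, the external application reads the user's `krbPasswordExpiration` attribute and refuses the login if that time has passed. It assumes the application's service account can read that attribute; `allow_login`, the policy for missing or unparseable values, and all sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

EXPIRY_ATTR = "krbpasswordexpiration"  # attribute names are matched case-insensitively

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20160711194300Z into aware UTC."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime, got %r" % value)
    body = value[:-1].split(".", 1)[0]  # drop optional fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def password_expired(entry, now=None):
    """entry: dict of attribute name -> list of values, as LDAP libraries return.

    Assumed policy: a missing attribute means no expiry is recorded (not expired);
    an unparseable value fails closed (treated as expired).
    """
    now = now or datetime.now(timezone.utc)
    attrs = {name.lower(): vals for name, vals in entry.items()}
    values = attrs.get(EXPIRY_ATTR)
    if not values:
        return False
    try:
        return parse_generalized_time(values[0]) <= now
    except ValueError:
        return True

def allow_login(bind_ok, entry, now=None):
    """Hypothetical gate for the external application's login path."""
    return bool(bind_ok) and not password_expired(entry, now)

# Constructed sample data (not taken from the thread).
NOW = datetime(2016, 7, 11, 19, 43, tzinfo=timezone.utc)
EXPIRED = {"krbPasswordExpiration": [b"20160701000000Z"]}
VALID = {"krbPasswordExpiration": ["20161001000000Z"]}
NO_EXPIRY = {"uid": ["appsvc"]}
GARBLED = {"krbPasswordExpiration": ["not-a-date"]}

if __name__ == "__main__":
    for label, entry in [("expired", EXPIRED), ("valid", VALID),
                         ("no expiry", NO_EXPIRY), ("garbled", GARBLED)]:
        print(label, "->", "allow" if allow_login(True, entry, NOW) else "deny")
```

Because the check runs only in the external application, the user can still reach the IPA web UI to reset the password.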