Prashant Bapat wrote:
In our FreeIPA deployment the clients use pam_nss_ldapd with the
"compat" schema. No ipa-client.

I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
replicas (out of 8) where the external app authenticates against IPA's
LDAP. These 2 replicas are more used like readonly. The Web UI where the
users login and change their profile is not on these replicas.

With this LDAP binds are denied to users with expired passwords from the
external app.

Will this setup have any issues, related to replication etc.?

I don't think it will cause any replication issues. You may want to remove them from the SRV entries if you have one. Clients outside of your external apps could end up connecting to them through autodiscovery otherwise (and maybe that's ok, up to you).

rob


On 11 July 2016 at 19:43, Rob Crittenden <rcrit...@redhat.com> wrote:

    Prashant Bapat wrote:

        I cherry-picked the commit id
        3b7d5e7543a074d7d24556cadc6c95be9871cfc6
        and compiled the ipa-pwd-extop slapi plugin.

        Now the user is denied bind. But unable to reset the password.


    Right, it's a tricky problem which is why it hasn't been resolved
    yet. You have come full circle through the same steps we went through.

    rob



        On 8 July 2016 at 13:21, Martin Kosek <mko...@redhat.com> wrote:

             On 07/07/2016 05:19 PM, Prashant Bapat wrote:
             > Anyone ?!
             >
             > On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com> wrote:
             >
             >     Hi,
             >
             >     We are using FreeIPA's LDAP as the base for user authentication in a
             >     different application. So far I have created a sysaccount which does the
             >     lookup etc. for a user and things are working as expected. I'm even able to
             >     use OTP from the external app.
             >
             >     One problem I'm struggling to fix is the expired passwords. Is there a way
             >     to deny bind to LDAP only from this application? Obviously the user would
             >     need to go to IPA's web UI and reset his password there.
             >
             >     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
             >     looks like this is an old one.
             >
             >     Thanks.
             >     --Prashant

             Hello Prashant,

             https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
             you want users with expired passwords to be denied, but it was not implemented
             yet. Help welcome!

             As a workaround, I assume you could simply leverage Kerberos for authentication
             - it does respect expired passwords. We have advice on how to integrate that to
             external web applications here:

             http://www.freeipa.org/page/Web_App_Authentication

             Martin







--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
