On 21/10/16 15:17, Brian Candler wrote:
> Question: when a password expires, does it remain in a usable state in
> the database indefinitely? For example, if someone comes along a year
> after their password has expired, can they still login once with that
>
> This is actually what I want, but I just want to confirm there's not
> some sort of secondary threshold which means that an expired password is
> not usable X days after it has expired. Or, if there is such a
> secondary threshold, where I can find it.
>
> The scenario is a RADIUS server for wifi which reads NTLM password
> hashes out of the database to authenticate - this continues to work
> after expiry. However I want users to be able to do a self-reset later
> if and when they want to.

AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
and do the validation locally. So FreeIPA has no way to say the password
When the user tries to obtain a Kerberos ticket, he will be forced to
change the password and the NTLM hash will also be regenerated.