If I understood Brian correctly he was asking about expiration of NTLM password hashes.

As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication. However, I was also asking whether a long-expired password would prevent a user from logging into the web UI or obtaining a Kerberos ticket.

Scenario is: a user who is mostly wireless-only, who very rarely uses IPA for anything else. Their password expires, and they never notice because it keeps working. However, (say) a year later, they decide to log in to IPA for some reason - maybe because they've decided it's time to change their wireless password. Will their old expired password still be usable for this? I'm hoping it would simply tell them that the account has expired and force a password change.

Aside: I realise there are other ways I can handle this. Perhaps I *should* make passwords expire for wireless too, by checking the krbPasswordExpiration field in the RADIUS server. But then I need some way to warn people that their passwords are about to expire and give them an opportunity to change them - e.g. by mailing out a warning a couple of weeks before they do.

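The aside above describes two pieces of logic: a RADIUS-side check that rejects a user whose krbPasswordExpiration has passed, and a periodic job that finds passwords expiring within a couple of weeks so a warning can be mailed. The following is an added example (not code from the poster or from the FreeIPA project) that implements both over entries in the shape an LDAP search against FreeIPA user objects would return. The entries are constructed sample data embedded inline; `uid`, `mail` and `krbPasswordExpiration` are real FreeIPA user attributes, while treating a missing `krbPasswordExpiration` as "no expiry set" is an assumption of this example, as is the 14-day warning window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: what an LDAP search for user entries might return.
# These are not real directory entries. krbPasswordExpiration is an LDAP
# GeneralizedTime value (YYYYMMDDHHMMSSZ, UTC), as FreeIPA stores it.
SAMPLE_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.test",
     "krbPasswordExpiration": "20240115120000Z"},   # expires in ~5.5 days
    {"uid": "bob", "mail": "bob@example.test",
     "krbPasswordExpiration": "20230601000000Z"},   # expired long ago
    {"uid": "carol", "mail": "carol@example.test",
     "krbPasswordExpiration": "20251231235959Z"},   # fine for a long while
    {"uid": "dave", "mail": "dave@example.test"},   # no expiration attribute
]

# Fixed "current time" so the example is deterministic; a real job uses
# datetime.now(timezone.utc).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

WARN_DAYS = 14  # assumption: warn two weeks ahead, as the post suggests


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string like 20240115120000Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now=NOW, warn_days=WARN_DAYS):
    """Return 'expired', 'expiring', 'ok' or 'no-expiry' for one user entry.

    'no-expiry' for a missing attribute is an assumption of this example;
    a deployment should decide whether such accounts are allowed at all.
    """
    raw = entry.get("krbPasswordExpiration")
    if not raw:
        return "no-expiry"
    expires = parse_generalized_time(raw)
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def radius_should_accept(entry, now=NOW):
    """Policy hook for the RADIUS side: reject the user once the Kerberos
    password has expired, even though the stored hash would still verify."""
    return classify(entry, now) != "expired"


def build_warnings(entries, now=NOW, warn_days=WARN_DAYS):
    """Return (uid, mail, whole days left) for every user inside the warning window.

    This is the list a nightly job would hand to the mailer."""
    warnings = []
    for entry in entries:
        if classify(entry, now, warn_days) == "expiring":
            days_left = (parse_generalized_time(entry["krbPasswordExpiration"]) - now).days
            warnings.append((entry["uid"], entry["mail"], days_left))
    return warnings


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e['uid']:6} {classify(e):9} radius_accept={radius_should_accept(e)}")
    for uid, mail, days in build_warnings(SAMPLE_ENTRIES):
        print(f"warn {mail}: password for {uid} expires in {days} day(s)")
```

In a deployment the `SAMPLE_ENTRIES` list would be replaced by the result of an LDAP search over the user container, and `NOW` by the current UTC time; the classification and the warning list are unchanged.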