Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds succeed even for DNs whose krbPasswordExpiration time has passed. Is this fixed, or is it possible to change this?

The reason I ask is because some applications use LDAP bind as a password validation oracle: for example, if you configure a Sophos UTM to use LDAP, it works this way.


I realise that an LDAP bind doesn't give a way to prompt the user to change their password. However, a failure could be used to force the user to go to the web UI to reset it (and you could always notify people by E-mail if their password is about to expire)

Thanks,

Brian.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to