Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds succeed even for DNs whose krbPasswordExpiration time has passed. Is this fixed, or is it possible to change this?

The reason I ask is because some applications use LDAP bind as a password validation oracle: for example, if you configure a Sophos UTM to use LDAP, it works this way.

I realise that an LDAP bind doesn't give a way to prompt the user to change their password. However, a failure could be used to force the user to go to the web UI to reset it (and you could always notify people by e-mail if their password is about to expire).



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
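As an added example (not from the original post and not FreeIPA project code), here is how an application that treats an LDAP simple bind as a password oracle could add the missing expiry check on its own side: after a successful bind, read the user's krbPasswordExpiration attribute and reject the login if that time has passed. The LDAP connection itself is left out; the entry dicts are constructed sample data in the shape a client library hands back (attribute name to a value or list of values), the user DNs are made up, and treating an entry with no krbPasswordExpiration as "not expired" is an assumption the caller may want to invert.

```python
"""Post-bind password-expiry check for applications that use LDAP bind as a
password oracle against FreeIPA. Added example; the directory entries below are
constructed sample data, not real accounts."""
from datetime import datetime, timezone
from typing import Optional

# krbPasswordExpiration is stored as LDAP GeneralizedTime in UTC, e.g. "20380101000000Z".
GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%SZ"

# Fixed "current time" so the demo and its results are reproducible (assumption).
NOW_FOR_DEMO = datetime(2016, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form of GeneralizedTime into an aware UTC datetime.
    Fractional seconds and explicit offsets are rejected rather than guessed."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value, GENERALIZED_TIME_FORMAT).replace(tzinfo=timezone.utc)


def password_expiration(entry: dict) -> Optional[datetime]:
    """Return the expiry time from a user entry, or None if the attribute is absent.
    Accepts a bare str/bytes or a list of values, as different client libraries return."""
    raw = entry.get("krbPasswordExpiration")
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else None
    if raw is None:
        return None
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    return parse_generalized_time(raw)


def is_password_expired(entry: dict, now: datetime) -> bool:
    """True if krbPasswordExpiration is at or before `now` (an aware datetime).
    Assumption: an entry with no krbPasswordExpiration is treated as not expired."""
    expires = password_expiration(entry)
    return expires is not None and expires <= now


def validate_login(bind_succeeded: bool, entry: dict, now: datetime) -> str:
    """Combine the bind outcome with the expiry check.

    The bind result is evaluated first: an expired account with a wrong password
    still yields 'invalid-credentials', so the expiry state of an account is only
    revealed to someone who already knows its password.
    Returns 'ok', 'invalid-credentials' or 'password-expired'."""
    if not bind_succeeded:
        return "invalid-credentials"
    if is_password_expired(entry, now):
        return "password-expired"
    return "ok"


# Constructed sample entries (hypothetical DNs under a hypothetical base).
SAMPLE_USERS = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {"krbPasswordExpiration": ["20380101000000Z"]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": {"krbPasswordExpiration": ["20150601000000Z"]},
    "uid=carol,cn=users,cn=accounts,dc=example,dc=test": {},
}


def demo() -> dict:
    """Simulate a successful bind for every sample user and apply the expiry check."""
    return {dn: validate_login(True, entry, NOW_FOR_DEMO) for dn, entry in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for dn, outcome in demo().items():
        print(f"{outcome:20s} {dn}")
```

In a real deployment the entry would come from a search on the bound connection (or a separate service account), so the identity doing that search must be permitted to read krbPasswordExpiration; if the attribute is not returned, the check silently degrades to "not expired" under the assumption above, which is why a stricter caller may prefer to fail closed.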