Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds
succeed even for DNs whose krbPasswordExpiration time has passed. Is
this fixed, or is it possible to change this?
The reason I ask is because some applications use LDAP bind as a
password validation oracle: for example, if you configure a Sophos UTM
to use LDAP, it works this way.
I realise that an LDAP bind doesn't give a way to prompt the user to
change their password. However, a failure could be used to force the
user to go to the web UI to reset it (and you could always notify people
by E-mail if their password is about to expire).
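As an added example that is not part of the original post: an application that uses a simple bind as a password oracle can enforce expiration on its own side by reading the user's krbPasswordExpiration (an LDAP GeneralizedTime) and rejecting the login once that time has passed. The directory search that fetches the attribute for the bind DN is assumed and not shown; the sample entries are constructed.

```python
from datetime import datetime, timezone

# krbPasswordExpiration is stored as an LDAP GeneralizedTime in UTC, e.g. b"20240131235959Z".
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime (optional fractional seconds) into an aware datetime."""
    text = value.decode() if isinstance(value, bytes) else value
    if not text.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime values are supported: %r" % text)
    body = text[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(body + "Z", GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def password_expired(entry, now=None):
    """Return True when the entry's krbPasswordExpiration lies in the past.

    `entry` is the attribute dict that a search on the bind DN would return
    (constructed below). A missing attribute means no expiration is set.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return False
    return parse_generalized_time(values[0]) <= now


def accept_bind(bind_succeeded, entry, now=None):
    """Combine the directory's bind result with the application-side expiry check."""
    return bool(bind_succeeded) and not password_expired(entry, now)


# Constructed sample entries standing in for the search result on the bind DN.
ACTIVE_USER = {"krbPasswordExpiration": [b"20991231235959Z"]}
EXPIRED_USER = {"krbPasswordExpiration": [b"20150101000000Z"]}
NO_EXPIRY_USER = {}

if __name__ == "__main__":
    for name, entry in (("active", ACTIVE_USER), ("expired", EXPIRED_USER), ("no-expiry", NO_EXPIRY_USER)):
        print(name, "accepted" if accept_bind(True, entry) else "rejected")
```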