On Fri, 18 Nov 2016, Brian Candler wrote:
> Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds
> succeed even for DNs whose krbPasswordExpiration time has passed. Is
> this fixed, or is it possible to change this?
Not yet. We have a ticket you can look at and read the history of.
> The reason I ask is because some applications use LDAP bind as a
> password validation oracle: for example, if you configure a Sophos UTM
> to use LDAP, it works this way.
> I realise that an LDAP bind doesn't give a way to prompt the user to
> change their password. However, a failure could be used to force the
> user to go to the web UI to reset it (and you could always notify
> people by E-mail if their password is about to expire).
The problem is in changing expired passwords -- if we disable the ability to do
an LDAP bind for expired passwords, you will not be able to change
passwords, as you'll not be able to bind to do the change. These are two
different LDAP operations, but they are combined. In the past we also lacked
support from 389-ds to allow us to handle expired password changes
without disabling the bind process.
See https://fedorahosted.org/freeipa/ticket/1539 for more details.
/ Alexander Bokovoy
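Since a successful simple bind alone does not prove the password is unexpired, an application that uses bind as a validation oracle can read krbPasswordExpiration after binding and apply the distinction Alexander describes itself: refuse an expired password for login, but still allow the bind that is needed to change it. The following is an added example, not code from the thread or from FreeIPA; the DNs, the in-memory directory standing in for an LDAP search result, and the "no expiry attribute means never expires" rule are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed stand-in for the attributes an LDAP search would return after a
# successful bind; krbPasswordExpiration is LDAP GeneralizedTime in UTC.
SAMPLE_DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "krbPasswordExpiration": "20170101000000Z",   # still valid on 2016-11-18
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "krbPasswordExpiration": "20161001000000Z",   # already expired
    },
    "uid=svc,cn=users,cn=accounts,dc=example,dc=com": {},  # attribute absent
}


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form IPA writes (YYYYmmddHHMMSSZ, UTC).
    Fractional seconds such as 20161118120000.5Z are tolerated and dropped."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime is supported: %r" % value)
    body = value[:-1].split(".", 1)[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expired(entry: dict, now: datetime) -> bool:
    """True when krbPasswordExpiration is set and lies at or before 'now'."""
    raw = entry.get("krbPasswordExpiration")
    if raw is None:
        return False  # assumed policy: no expiry attribute means never expires
    return parse_generalized_time(raw) <= now


def authorize_after_bind(dn: str, purpose: str, now: datetime,
                         directory: dict = SAMPLE_DIRECTORY) -> bool:
    """Decide what a successful simple bind for 'dn' may be used for.
    'login' is refused when the password has expired; 'password_change'
    is always allowed, because the user must bind to change the password."""
    entry = directory.get(dn)
    if entry is None:
        return False  # unknown DN: deny rather than guess
    if purpose == "password_change":
        return True
    if purpose != "login":
        raise ValueError("unknown purpose %r" % purpose)
    return not password_expired(entry, now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for dn in SAMPLE_DIRECTORY:
        print(dn, "login allowed:", authorize_after_bind(dn, "login", now))
```

In a real deployment the entry comes from a search for krbPasswordExpiration performed with the just-bound connection (the attribute is readable by the user themselves), and `now` comes from the application's own UTC clock.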