On 25/01/2017 13:48, Georgijs Radovs wrote:
Is it possible to configure FreeIPA server so it does not mark new passwords, set by Keycloak's LDAP bind user, expired?

Yes, you need to configure the privileged LDAP bind user in passSyncManagersDNs:

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=....

Note that this setting does not replicate - it needs to be applied to all replicas by hand.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to