Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

www.flbog.edu [BOG-wordmark-wideFOR EMAIL-color] Hi, this looks similar to: https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html and https://fedorahosted.org/freeipa/ticket/4807 Did you try to raise the nsslapd-sasl-max-buffer-size? -- David Kupka -- Manage your subscription

Re: [Freeipa-users] chrony support

Hello Bryan, I'm currently working on this. This feature should be available in freeipa-4.2. -- David Kupka On 02/13/2015 01:25 PM, Bryan Pearson wrote: One of our IPA servers, is in a virtualized environment and is continuously losing time, resulting in invalid credentials and breaking

Re: [Freeipa-users] Minimum rights to enrol a client

domain. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding external CA

/to/external_ca_certificate -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Power down all FreeIPA servers

them off and on normaly (with system or using ipactl stop/start) and after they start again the replication process should continue. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

to solve similar issue: https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Access to IPA Web-UI with different domain names

you need to decide whether your FreeIPA domain is internal or external. If it's internal it is inaccessible from outside and you need to first connect to the internal network (e.g. use VPN) and then connect to FreeIPA server. If it's external then everything works as expected. -- David Kupka

Re: [Freeipa-users] FreeIPA cluster shutdown sequence

/archives/freeipa-users/2015-April/msg00016.html) there is no special procedure. You just turn the servers off before the power outage and then turn them back on. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] time restricted access

. This is currently WIP, you can find more on freeipa-devel list. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Different shell for different systems

Hello, I think that it should be possible with ID View (http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views) but I'm not familiar with it. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo

Re: [Freeipa-users] GID, groups and ipa group-show

. On the other hand it would be useful to show these implicit members in group-show output. Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] freeipa sudden stop

-tomcatd fails and therefore ipactl start fails. Could you run # ipactl start -d and post its output? Also starting individual services is not a good idea as you can forget to start some (you actually did :-) -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

not sure if it is available in CentOS, yet. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IdM Password Expiration

variable where Directory Manager password is required but I know it's just name of the variable. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Primary certificates

on all ipa servers and clients to distribute the new certificate. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

On 16/10/15 15:26, Fujisan wrote: Hello, When I enter the email address, the phone number or the mailing address of ipa user 'smith' in the web ui "Identity/Users/smith", it does not appears in the output of ldapsearch. Sendmail can look into the ldap database and get the email address of a

Re: [Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

repository (https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer version of PKI packages and I tested replication between Fedora 21 and CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected. Could you please try it again? -- David Kupka -- Manage your subscription for the

Re: [Freeipa-users] attempting to restore IPA

Hello Steven! I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following: 1.

Re: [Freeipa-users] V6 and v4

that came to my mind would be having records in DNS and not having corresponding IPv6 on that host but that is general misconfiguration. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

Re: [Freeipa-users] SSH login to client

on client? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] mod_nss FreeIPA

u,u,u EXAMPLE.TEST IPA CA CT,C,C Signing-Cert u,u,u If this is not what you was asking please try to explain what you want to achieve with more details. -- David Kupka -- Manage your

Re: [Freeipa-users] GID, groups and ipa group-show

.) David On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com <mailto:dku...@redhat.com>> wrote: On 21/08/15 15:21, bahan w wrote: Hello ! I contact you because I notice something strange with IPA environment. I cre

Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

understand kerberos better will advice. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

Thanks Hello! I don't know why it does not work with ktutil but I've find other way how to get keytab for a user: $ kinit ttester $ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96 $ kdestroy ttester $ kinit ttes...@example.test -kt ttester.keytab HTH,

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

On 26/02/16 08:56, David Kupka wrote: On 26/02/16 02:22, Teik Hooi Beh wrote: Hi, I have manged to deployed 1 ipa master and 1 ipa client with success on centos 7.2 with freeipa v4.2. I also managed to create user and set sshd-rules to for ttester user and also successfully get krb ticket

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

s used. When IP address is needed it can be resolved from the name included in SRV response. HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

stopped it before. It can result in inconsistent data in backup archive. [0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293 [1] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 -- David Kupka -- Manage your subscription

Re: [Freeipa-users] Logging configuration for ipa server

log on server: Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexist...@example.test for krbtgt/example.t...@example.test, Client not found in Kerberos database -- David Kupka -- Manage your subscription

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

on't see the need for stopping the server manually. ipa-backup calls "ipactl start" [0]. If you remove the else branch it will not start the server. [0 ]https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 HTH, David 2016-02-17 8:00 GMT+01:0

Re: [Freeipa-users] freeipa restore backup on a new server

rvices in FreeIPA depends on host names and resolve IP address from DNS when needed. But if DNS server is part of FreeIPA server you're trying to restore it is holding old records with old IP addresses. Maybe this is the cause but it's just wild guess. -- David Kupka -- Manage your subscr

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

On 27/04/16 13:15, barry...@gmail.com wrote: Do u meant use ldapmodify? I tried update the dse.ldif but it will fall back after a while. 2016年4月27日 下午7:10 於 "David Kupka" <dku...@redhat.com <mailto:dku...@redhat.com>> 寫道： On 27/04/16 12:48, barry...@gmail.com <

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

g nsslapd-requiresrestart I don't see nsslapd-security listed so it should be possible to change it in runtime. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

illa.redhat.com/show_bug.cgi?id=1271551 HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa -v ping lies about the cert database

db Please check the permission on your system. If it's different and you (or system admin) haven't changed it please file a ticket (https://fedorahosted.org/freeipa/newticket). -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/fre

Re: [Freeipa-users] Object class violation

reproducer? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

hint is highly welcome Harri Hello Harri, the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid -- David Kupka -- M

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

auto-renew: yes -- Thanks, Anthony Hello Anthony! After stopping NTP (or other time synchronizing service) and setting time manually server really don't have a way to determine that its time differs from the real one. I think this might be issue with Kerberos ticket. You can show content of

Re: [Freeipa-users] Moving from ca to ca-less without pki

the opposite (installing CS on CA-less freeipa server). Feel free to file an RFE https://fedorahosted.org/freeipa/newticket -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

RFE (https://fedorahosted.org/freeipa/newticket)? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] client in many IPA domains

domains), c) will likely result in weird behavior, d) is definitelly not supported nor encouraged. -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to change kerberos key lifetime?

ORG Principal "krbtgt/example@example.org" modified. : exit To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf and restart krb5kdc service. But generally I don't think it's a good idea to have such long tickets. Would it make sense in your use case to deploy

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

d in [2]? Why is separate deployment of FreeIPA for the project required? [1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx [2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html -- David Kupka signature.asc Description: PGP signature -- Man

Re: [Freeipa-users] sysaccounts max length

ilman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello! From man 8 useradd: Usernames may only be up to 32 characters long. -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: htt

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

te accounts for all the users involved in Project in Enterprise IPA and assign them to Project group. You can also enroll all Project hosts to Enterprise IPA and add them to Project hostgroup. Then you can use HBAC rules [1] to: * disable the default allow_all rule * allow everyone in Proje

Re: [Freeipa-users] How to change kerberos key lifetime?

renew the ticket for the user until the ticket renew life time expires. Given this you can keep ticket life time reasonable short (~1 day) set ticket renewable life time to longer period (~2 weeks) and maintain reasonable security level without negative impact on user's daily work. Look for krb5_renew_interv

Re: [Freeipa-users] How to change kerberos key lifetime?

he logs-out in the end of the workday (after 8~10 hours). So there's no need to refresh it. But feel free to open a ticket for SSSD [1] and describe you use case. I don't know SSSD that well and maybe there's no reason against setting it by default. [1] https://fedorahosted.org/sssd/newticket -

Re: [Freeipa-users] Limit regular user access only to self service portal

le Based Access Control->Permissions (eg. System: Read User Addressbook Attributes) and change "Bind rule type" from all to "permission". But be aware that modifying the permissions may result in SSSD being unable to resolve users unless you add those permissions to hos

Re: [Freeipa-users] 32 bit netmask detection and error during install

ora instead. [1] https://fedorahosted.org/freeipa/ticket/5814 -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

ine interactive_prompt_callback (like dns plugin) or forward (like vault plugin) you will need to split the client and server part of the plugin. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more i

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

On 17/01/17 11:30, Peter Fern wrote: On 17/01/17 20:39, David Kupka wrote: in 4.4 we split the plugins to the server and client plugins. Simple plugins (like server plugin) needs to exist only on server and all what is needed is to move it from ipalib/plugins to ipaserver/plugins

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

On 17/01/17 12:16, Peter Fern wrote: On 17/01/17 21:48, David Kupka wrote: Ok, your plugin is not really a plugin but that should not be a problem. To make it work: 1) replace "from ipalib.plugins.user import user" with "from ipaserver.plugins.user import use

Re: [Freeipa-users] manually apply patches from upstream

wnstream git clone [1] add the desired patches and build your own package. [1] https://git.centos.org/commit/rpms!ipa.git -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] (no subject)

. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to make a FreeIPA node replica become Master?

led on first master that is installed with CA. Here you can find more information and how to: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/free

Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

-configuration-of-dns/ The article is about CentOS 6 and more than 3 years old but still might be helpful because it's mainly about Bind 9 configuration. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

On 24/10/16 19:26, Gilbert Wilson wrote: On Oct 24, 2016, at 5:51 AM, David Kupka <dku...@redhat.com> wrote: On 22/10/16 00:15, Gilbert Wilson wrote: We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our F

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts ? I don't remember setting it anywhere. On Mon, Oct 24, 2016 at 8:13 AM, David

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

no way to say the password is expired. When the user tries to obtain Kerberos ticket he will be forced to change the password and NTLM hash will be also regenerated. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what are the limitations or possible issues it could be a way. [1] http://www.freebsd.cz/doc/handbook/linuxemu.html -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] help

? Create pull request on GitHub (https://github.com/freeipa/freeipa ). Do you want to contribute the translations? Submit it via zanata (https://fedora.zanata.org/project/view/freeipa ). HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

/dirsrv/slapd-$REALM/ -L # ausearch -m avc -i -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

at's wrong. SSSD is taking care of resolving users and groups on enrolled systems. "id mgm" should output something like "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly. [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases -- David Kupka -- Manage yo

Re: [Freeipa-users] Kerberos realm for different domain

the realm different from the domain? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to disable First time password change on IPA user

))" +'%Y%m%d%H%M%S'Z) END_LDIF It works but I would not recommend using it in production environment. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

On 13/12/16 07:52, Stephen Ingram wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not re

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

ca-install [client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U [client] # id admin Is there anything you've done differently? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listin

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

tate dbus.String(u'CA_UNREACHABLE', variant_level=1) in replica install log. 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>: On 29/11/16 11:51, David Dejaeghere wrote: Hi, I have a setup where i want to add a replica. The first master setup has an externally signed cer

Re: [Freeipa-users] OTP Algorithm

On 30/11/16 10:13, David Kupka wrote: On 29/11/16 12:57, Callum Guy wrote: Hi Alexander, I can confirm that I am using version 4.2.0. The bug link provided mentions that it caused GA to fail to scan the codes. In my situation it is FreeIPA (or related service) which appears to fail

Re: [Freeipa-users] One kerberos realm, two dns zones and SSHFP records

istinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello Ranbir, are other records (A, , PTR, ...) created for the client in random.ipa and just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd installed and keys generated on client in random.ipa?

Re: [Freeipa-users] ldap connector from IIQ to ipa

and update user entries there and once the entry is complete you can call stageuser-activate to create user entry with using values from stageuser entry. You can find description of the feature and examples on design page [1]. [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management -- David

Re: [Freeipa-users] Options for existing CA/DNS infrastructure

red during ipa-server-install to track and renew certificates. [1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer [2] https://pagure.io/certmonger -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list

Re: [Freeipa-users] Use SQLite format NSS database?

. Generally I would not recommend touching this on production system. Why do you want to change the database format? (1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir HTTPD_ALIAS_DIR --upgrade-id 1 -- David Kupka signature.asc Description: PGP signature -- Manage your subsc

Re: [Freeipa-users] Original master lost, cannot create additional CA clones

need to be brought back. I can provide further > log excerpts if needed. > > Thank you in advance, > Paul Brennan > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.or

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

've posted ipa-replica-prepare is no longer used when domain level is above 0. Since domain level 1 new replica is first joined to FreeIPA domain as client using ipa-client-install and then promoted to replica using ipa-replica-install. You can find out more about Replica Promotion on design page [1]. [1

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

tion: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa 4.4 creating users with expiration

Lock the user account after period of time or at specified time. You need to call "ipa user-disable LOGIN" manually. You can file ticket and describe your use-case here: https://pagure.io/freeipa/new_issue -- David Kupka signature.asc Description: PGP signature -- Manage your su