Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-26 Thread Rob Crittenden

Prashant Bapat wrote:

> In our FreeIPA deployment the clients use pam_nss_ldapd with the
> "compat" schema. No ipa-client.
>
> I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
> replicas (out of 8) where the external app authenticates against IPA's
> LDAP. These 2 replicas are used more like read-only. The Web UI where the
> users login and change their profile is not on these replicas.
>
> With this, LDAP binds are denied to users with expired passwords from the
> external app.
>
> Will this setup have any issues related to replication etc.?


I don't think it will cause any replication issues. You may want to 
remove them from the SRV entries if you have one. Clients outside of 
your external apps could end up connecting to them through autodiscovery 
otherwise (and maybe that's ok, up to you).


rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-25 Thread Prashant Bapat
In our FreeIPA deployment the clients use pam_nss_ldapd with the "compat"
schema. No ipa-client.

I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
replicas (out of 8) where the external app authenticates against IPA's
LDAP. These 2 replicas are used more like read-only. The Web UI where the
users login and change their profile is not on these replicas.

With this, LDAP binds are denied to users with expired passwords from the
external app.

Will this setup have any issues related to replication etc.?

On 11 July 2016 at 19:43, Rob Crittenden wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind, but is unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-13 Thread Prashant Bapat
Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty
much impossible to solve it for mere mortals like me!

On 11 July 2016 at 19:43, Rob Crittenden wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind, but is unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-11 Thread Rob Crittenden

Prashant Bapat wrote:

> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
> and compiled the ipa-pwd-extop slapi plugin.
>
> Now the user is denied bind, but is unable to reset the password.


Right, it's a tricky problem which is why it hasn't been resolved yet. 
You have come full circle through the same steps we went through.


rob






Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-09 Thread Prashant Bapat
I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and
compiled the ipa-pwd-extop slapi plugin.

Now the user is denied bind, but is unable to reset the password.


On 8 July 2016 at 13:21, Martin Kosek wrote:

> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
> ticket, if
> you want users with expired passwords to be denied, but it was not
> implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for
> authentication
> - it does respect expired passwords. We have advice on how to integrate
> that to
> external web applications here:
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-08 Thread Martin Kosek
On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> Anyone ?!
> 

Hello Prashant,

https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
you want users with expired passwords to be denied, but it was not implemented
yet. Help welcome!

As a workaround, I assume you could simply leverage Kerberos for authentication
- it does respect expired passwords. We have advice on how to integrate that into
external web applications here:

http://www.freeipa.org/page/Web_App_Authentication

Martin



Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-07 Thread Prashant Bapat
Anyone ?!

On 6 July 2016 at 22:36, Prashant Bapat wrote:

> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a
> different application. So far I have created a sysaccount which does the
> lookup etc for a user and things are working as expected. I'm even able to
> use OTP from the external app.
>
> One problem I'm struggling to fix is the expired passwords. Is there a way
> to deny bind to LDAP only from this application? Obviously the user would
> need to go to IPA's web UI and reset his password there.
>
> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539
> but looks like this is an old one.
>
> Thanks.
> --Prashant

[Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-06 Thread Prashant Bapat
Hi,

We are using FreeIPA's LDAP as the base for user authentication in a
different application. So far I have created a sysaccount which does the
lookup etc for a user and things are working as expected. I'm even able to
use OTP from the external app.

One problem I'm struggling to fix is the expired passwords. Is there a way
to deny bind to LDAP only from this application? Obviously the user would
need to go to IPA's web UI and reset his password there.

I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
looks like this is an old one.

Thanks.
--Prashant
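An application-side alternative to patching the ipa-pwd-extop plugin, added here as an example that is not from the thread or from the FreeIPA project: the external application reads krbPasswordExpiration during the sysaccount lookup it already performs and refuses to attempt the user's bind when that value is in the past, which leaves the Web UI reset path untouched. It assumes the sysaccount has been granted read access to krbPasswordExpiration (FreeIPA does not expose it to ordinary binds by default), and the entries, clock and function names are constructed stand-ins rather than a live LDAP search.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the entries the sysaccount lookup returns for
# uid=<user>. python-ldap hands back bytes; decode before passing them here.
# Assumption: the sysaccount may read krbPasswordExpiration (a permission
# grant is usually needed; FreeIPA restricts the attribute by default).
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "alice": {"uid": ["alice"], "krbPasswordExpiration": ["20160701120000Z"]},
    "bob": {"uid": ["bob"], "krbPasswordExpiration": ["20170101000000Z"]},
    "svc": {"uid": ["svc"]},  # no expiry set on this account
}
NOW = datetime(2016, 7, 26, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form FreeIPA writes, e.g. 20160801120000Z."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unexpected krbPasswordExpiration format: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry: Dict[str, List[str]], now: Optional[datetime] = None) -> bool:
    """True when the entry's krbPasswordExpiration lies at or before `now`.

    FreeIPA forces a reset by writing an expiration in the past, so '<= now'
    is the right test. A missing attribute means no expiry is enforced.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return False
    return parse_generalized_time(values[0]) <= now


def check_login(uid: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Gate to run after the sysaccount lookup and before the user's own bind.

    The LDAP bind alone does not enforce expiry (the thread's problem), so the
    application refuses to even attempt it and sends the user to the Web UI.
    The bind that follows still verifies the password; this only adds a gate.
    """
    entry = SAMPLE_ENTRIES.get(uid)  # a live app would run the LDAP search here
    if entry is None:
        return False, "authentication failed"
    if password_expired(entry, now):
        return False, "password expired; reset it in the IPA Web UI, then retry"
    return True, "proceed to bind as the user"
```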