White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Rob Crittenden wrote:
>> White, Daniel E. (GSFC-770.0)[NICS] wrote:
...
>> > What controls these behaviors ?
>> >
>>
>> As I said before, I think only krbprincipalexpiration would help here.
>> There is no policy/setting in IPA to disable an account X days after a
>> password has expired.
>>
>> That said, this is probably scriptable using LDAP to find the entries
>> and call ipa user-disable <id> to mark inactive the users.
>>
>> rob
>
> Actually, I do not want to disable accounts at all.
>
> A user requested a password reset. I found out he was trying to log in to an
> application that uses IdM for credentials - one of the few we were able to
> get working. Based on this new information, I suspect that there were
> multiple attempts to log in to the app, eventually causing a lockout due to
> "failed" authentication.
>
> When authenticating to IdM/FreeIPA thru an app, I suspect it won't tell you
> that your password expired, just that the login failed. Is that a reasonable
> suspicion ?

Over LDAP, yes. https://pagure.io/freeipa/issue/1539

> Again, thanks to all you FreeIPA folks for being here to answer questions
> that Tier One Red Hat support cannot answer.

The advantage I have is that I wrote the password policy code.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org