On 09/14/2012 02:52 PM, Rob Crittenden wrote:
> Ott, Dennis wrote:
>> There seems to be nothing in the documentation about a user being able
>> to initiate a password change dialogue after their password has expired,
>> yet it seems that one is able to do just that. There is a value in the
>> ldap store, passwordGraceLimit, which is initialized to zero. I have
>> modified that value but it seems to have no effect.
>
> This value is not used by IPA.
>
> I don't believe we have the ability to do this right now. As you
> suggest, some automation may be required to find expired passwords and
> lock them out.
>
>> I would like to limit this ability to just a few days, or alternatively,
>> completely lock out the account once the password has expired.
>
> This would be difficult because administratively-reset accounts have
> their passwords expired to force users to set a new one (so that only
> the end-user knows their password). This would effectively lock
> everyone out.
>
>>
>> Does anyone have any insight as to how to do this? If not, is it planned
>> for a future release?
>
> No plans for this AFAIK. Feel free to file an enhancement request
> ticket on our Trac site, https://fedorahosted.org/freeipa/
>
>> I suppose I could look at a script running daily that would lock the
>> account if the user’s password has expired in the last X hours, but I
>> was hoping for something builtin.
>
This is related https://fedorahosted.org/freeipa/ticket/1539

> regards
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
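
The selection logic for the daily script discussed in the thread, as an added example that is not part of the original messages or FreeIPA's own code. It assumes the user entries expose `krbPasswordExpiration`, `krbLastPwdChange` and `nsAccountLock`, and that an administrative reset shows up as an expiration no later than the last password change; that heuristic, the three-day grace period and the sample entries are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20120914185200Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def accounts_to_lock(entries, now, grace=timedelta(days=3)):
    """Return uids whose password expired more than `grace` before `now`.

    Skipped: accounts already locked, entries with no expiration, and
    entries whose expiration is not later than the last password change
    (assumed here to mark an administrative reset awaiting the user's
    first login, the case that would otherwise lock everyone out).
    """
    selected = []
    for entry in entries:
        if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
            continue
        expiration = entry.get("krbPasswordExpiration")
        if not expiration:
            continue
        expires = parse_gt(expiration)
        changed = entry.get("krbLastPwdChange")
        if changed and expires <= parse_gt(changed):
            continue  # assumed admin reset: leave the account usable
        if now - expires > grace:
            selected.append(entry["uid"])
    return selected

# Constructed sample entries, shaped like attributes read from the directory.
SAMPLE = [
    {"uid": "alice", "krbLastPwdChange": "20120601120000Z",
     "krbPasswordExpiration": "20120830120000Z"},   # expired 15 days ago
    {"uid": "bob", "krbLastPwdChange": "20120914100000Z",
     "krbPasswordExpiration": "20120914100000Z"},   # admin reset today
    {"uid": "carol", "krbLastPwdChange": "20120615120000Z",
     "krbPasswordExpiration": "20120913120000Z"},   # expired, inside grace
    {"uid": "dave", "krbLastPwdChange": "20120501120000Z",
     "krbPasswordExpiration": "20120730120000Z",
     "nsAccountLock": "TRUE"},                      # already locked
    {"uid": "erin", "krbLastPwdChange": "20120901120000Z",
     "krbPasswordExpiration": "20121130120000Z"},   # not expired
]
NOW = datetime(2012, 9, 14, 18, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Dry run: print the command an operator would review before running it.
    for uid in accounts_to_lock(SAMPLE, NOW):
        print("ipa user-disable", uid)
```
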