On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> Anyone ?!
>
> On 6 July 2016 at 22:36, Prashant Bapat <prash...@apigee.com
> <mailto:prash...@apigee.com>> wrote:
>
>     Hi,
>
>     We are using FreeIPA's LDAP as the base for user authentication in a
>     different application. So far I have created a sysaccount which does the
>     lookup etc. for a user and things are working as expected. I'm even able to
>     use OTP from the external app.
>
>     One problem I'm struggling to fix is the expired passwords. Is there a way
>     to deny bind to LDAP only from this application? Obviously the user would
>     need to go to IPA's web UI and reset his password there.
>
>     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>     looks like this is an old one.
>
>     Thanks.
>     --Prashant
Hello Prashant,

https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if you want users with expired passwords to be denied, but it has not been implemented yet. Help welcome!

As a workaround, I assume you could simply leverage Kerberos for authentication - it does respect expired passwords. We have advice on how to integrate that with external web applications here:
http://www.freeipa.org/page/Web_App_Authentication

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
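The thread leaves the LDAP-side workaround unstated: because the simple bind itself does not fail for an expired password, the application has to look at the user's password expiration after a successful bind and refuse the login itself. The following is an added example written for this page, not FreeIPA code and not code from either poster. It assumes that the application's sysaccount has been granted read access to the users' krbPasswordExpiration attribute (FreeIPA does not grant that to an arbitrary sysaccount by default) and that the attribute holds an LDAP GeneralizedTime such as 20170101000000Z, which is how FreeIPA stores it. Directory access is injected as two callables, so the decision logic runs offline against a constructed in-memory directory; in a real deployment those would wrap the sysaccount's search and a per-user simple bind.

```python
"""Deny application login to FreeIPA users whose password has expired.

This is an added illustration, not code from FreeIPA or from the thread.
Assumptions (not stated on the page):
  * the application's system account has been granted read access to the
    users' krbPasswordExpiration attribute (FreeIPA does not grant this to
    arbitrary sysaccounts by default);
  * krbPasswordExpiration holds an LDAP GeneralizedTime such as
    20170101000000Z, which is how FreeIPA stores it.
Directory access is passed in as callables so that the decision logic runs
offline against the constructed in-memory directory below.
"""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) into an aware datetime.

    python-ldap returns attribute values as bytes, so both bytes and str are
    accepted.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, now=None):
    """Return True if the entry's krbPasswordExpiration is at or before `now`.

    An absent attribute means no expiration is set, so the password is treated
    as valid.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        return False
    return parse_generalized_time(values[0]) <= now


def authenticate(username, password, search_user, bind_as_user, now=None):
    """Authenticate an application user against IPA's LDAP.

    search_user(uid)           -> entry dict (with "dn") or None, run over the
                                  sysaccount's connection
    bind_as_user(dn, password) -> True if a simple bind with those credentials
                                  succeeds

    The expiration check runs only after the bind succeeds, so a caller who
    does not know the password learns nothing about the account's state.
    Returns (ok, reason); the reason is for the application's own log, and
    the user should only ever be shown one generic failure message.
    """
    entry = search_user(username)
    if entry is None:
        return False, "unknown user"
    if not bind_as_user(entry["dn"], password):
        return False, "invalid credentials"
    if password_expired(entry, now):
        # The LDAP bind succeeds with an expired password, so refuse here and
        # send the user to the IPA web UI to reset it.
        return False, "password expired"
    return True, "ok"


# --- Constructed in-memory stand-in for the IPA directory (sample data) -----
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=test"
FAKE_DIRECTORY = {
    "alice": {"dn": f"uid=alice,{USERS_BASE}", "userPassword": "correct-horse",
              "krbPasswordExpiration": [b"20170101000000Z"]},
    "bob":   {"dn": f"uid=bob,{USERS_BASE}", "userPassword": "battery-staple",
              "krbPasswordExpiration": [b"20160101000000Z"]},
    "svc":   {"dn": f"uid=svc,{USERS_BASE}", "userPassword": "no-expiry"},
}
# Clock pinned to the date of this thread so the sample data stays meaningful.
NOW = datetime(2016, 7, 7, 17, 19, tzinfo=timezone.utc)


def fake_search_user(uid):
    return FAKE_DIRECTORY.get(uid)


def fake_bind_as_user(dn, password):
    for entry in FAKE_DIRECTORY.values():
        if entry["dn"] == dn:
            return entry["userPassword"] == password
    return False


def check(username, password):
    """Run the flow against the constructed directory with the pinned clock."""
    return authenticate(username, password, fake_search_user,
                        fake_bind_as_user, now=NOW)


if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse"), ("bob", "battery-staple"),
                     ("svc", "no-expiry"), ("alice", "wrong")]:
        print(user, check(user, pw))
```

Binding first and checking expiration second mirrors what Kerberos does for an expired-but-correct password (credentials accepted, password change required), which is why the Kerberos route Martin points to needs no extra ACI or application logic at all; the LDAP-side check above is only worth the trouble where the application cannot be moved off simple binds.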