On 25/01/2017 13:48, Georgijs Radovs wrote:
> Is it possible to configure FreeIPA server so it does not mark new passwords, set by Keycloak's LDAP bind user, expired?

Yes, you need to configure the privileged LDAP bind user in passSyncManagersDNs:

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=....

Note that this setting does not replicate - it needs to be applied to all replicas by hand.

See:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
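Because the setting does not replicate, replicas can drift apart. The following is an added example, not part of the original reply or of FreeIPA: a Python audit that reads the `cn=ipa_pwd_extop,cn=plugins,cn=config` entry as LDIF text from each replica and reports where the bind DN is missing and which other DNs are also exempt from the expire-on-reset behaviour. The hostnames, the `uid=keycloak-bind,...` DN and the LDIF samples are constructed, and how the LDIF is collected from each replica (for instance with `ldapsearch`) is left to the operator.

```python
import base64

ATTR = "passsyncmanagersdns"  # attribute names compare case-insensitively

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def norm_dn(dn):
    """Simplified comparison key: lower-case, spaces around ',' and '=' dropped.
    Does not handle escaped commas inside RDN values."""
    parts = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{k.strip().lower()}={v.strip().lower()}" for k, _, v in parts)

def sync_manager_dns(ldif):
    """Return the normalized passSyncManagersDNs values found in one LDIF entry."""
    found = set()
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != ATTR:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        found.add(norm_dn(value))
    return found

def audit(expected_dn, ldif_by_replica):
    """Per replica: is the expected DN missing, and which other DNs are exempted?"""
    want = norm_dn(expected_dn)
    return {host: {"missing": want not in have, "unexpected": sorted(have - {want})}
            for host, have in ((h, sync_manager_dns(l)) for h, l in ldif_by_replica.items())}

# Constructed sample data: hostnames, DNs and LDIF are illustrative, not from the thread.
ENTRY = "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
EXPECTED = "uid=keycloak-bind,cn=sysaccounts,cn=etc,dc=example,dc=test"
SAMPLE = {
    "ipa1.example.test": ENTRY + "passSyncManagersDNs: uid=keycloak-bind,cn=sysaccounts,\n cn=etc,dc=example,dc=test\n",
    "ipa2.example.test": ENTRY,  # setting was never applied on this replica
    "ipa3.example.test": ENTRY + "passsyncmanagersdns: UID=Keycloak-Bind, cn=sysaccounts, cn=etc, dc=example, dc=test\n"
                                 "passSyncManagersDNs: uid=old-sync,cn=users,cn=accounts,dc=example,dc=test\n",
}

if __name__ == "__main__":
    for host, result in audit(EXPECTED, SAMPLE).items():
        print(host, result)
```

A replica reported as `missing` will still mark passwords set by the bind user as expired; an `unexpected` DN is another account whose password resets skip that expiry and should be reviewed.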