White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Rob Crittenden wrote:
> > White, Daniel E. (GSFC-770.0)[NICS] wrote:
> > ...
> > > What controls these behaviors?
> > >
> >
> > As I said before, I think only krbprincipalexpiration would help here.
> > There is no policy/setting in IPA to disable an account X days after a
> > password has expired.
> >
> > That said, this is probably scriptable using LDAP to find the entries
> > and call ipa user-disable <id> to mark the users inactive.
> >
> > rob
> Actually, I do not want to disable accounts at all.
> A user requested a password reset. I found out he was trying to log in to an application
> that uses IdM for credentials - one of the few we were able to get working. Based on this
> new information, I suspect that there were multiple attempts to log in to the app,
> eventually causing a lockout due to "failed" authentication.
> When authenticating to IdM/FreeIPA through an app, I suspect it won't tell you that your
> password expired, just that the login failed. Is that a reasonable suspicion?
Over LDAP, yes.
https://pagure.io/freeipa/issue/1539
> Again, thanks to all you FreeIPA folks for being here to answer
> questions that Tier One Red Hat support cannot answer.
The advantage I have is that I wrote the password policy code.
rob
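As an added example (not code from this thread or from FreeIPA itself), here is a small helper in the spirit of Rob's LDAP-scripting remark, aimed at Daniel's actual problem: before resetting a password, read the entry's expiry and lockout attributes so that a bind failure caused by an expired password is not mistaken for a wrong password. It assumes an admin Kerberos ticket (kinit), the default FreeIPA user container, and a placeholder suffix in IPA_BASE.

```python
"""Tell an expired FreeIPA password apart from a bad password or a lockout.

Assumptions: a Kerberos ticket for an admin, the stock cn=users,cn=accounts
container, and IPA_BASE replaced with the real suffix of the deployment."""
import subprocess
from datetime import datetime, timezone

IPA_BASE = "dc=example,dc=test"  # placeholder: set to your IPA suffix
ATTRS = ["krbPasswordExpiration", "krbPrincipalExpiration",
         "nsAccountLock", "krbLoginFailedCount", "krbLastFailedAuth"]


def parse_ldif(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, no base64."""
    entry = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith(" "):
            attr, value = line.split(": ", 1)
            entry[attr] = value.strip()
    return entry


def gentime(value):
    """LDAP GeneralizedTime (YYYYmmddHHMMSSZ) -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now):
    """Most likely reason a bind fails, checked from most to least specific."""
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        return "account disabled (nsAccountLock)"
    pexp = entry.get("krbPrincipalExpiration")
    if pexp and gentime(pexp) <= now:
        return "principal expired (krbPrincipalExpiration)"
    pwexp = entry.get("krbPasswordExpiration")
    if pwexp and gentime(pwexp) <= now:
        return "password expired: an LDAP bind only reports failure, reset it"
    failed = int(entry.get("krbLoginFailedCount", "0"))
    if failed:
        return f"{failed} failed logins on record; bad password or policy lockout"
    return "no expiry or lockout found; look at the application's bind itself"


def check_user(uid, now=None):
    """Query one user over LDAP (GSSAPI bind) and classify the result."""
    out = subprocess.run(
        ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-Q",
         "-b", f"cn=users,cn=accounts,{IPA_BASE}", f"(uid={uid})", *ATTRS],
        capture_output=True, text=True, check=True).stdout
    return classify(parse_ldif(out), now or datetime.now(timezone.utc))


if __name__ == "__main__":
    import sys
    print(check_user(sys.argv[1]))
```

The failed-login counters are kept per server, so `ipa user-status LOGIN` is the quicker way to see them across all replicas.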