I would like to use public key authentication in my FreeIPA setup for the users coming
from the AD domain. I have everything set up correctly, public key authentication works
great aside from one edge case that may render this setup unacceptable. When I lock an AD
account (I test this by logging in with the wrong password more than the allowed number of
times), the user in question can still access FreeIPA-managed hosts via public key.
According to the information I found regarding this behaviour -
- this is a desired behaviour (it's
not a bug, it's a feature). Still, it's not the configuration I am happy about :).
Has anything changed since this bug was closed?
Is there a way FreeIPA supports preventing users who are for whatever reason locked in AD
from accessing FreeIPA-managed hosts?
If this is not currently supported by default, maybe someone could point me to a way I
could implement this myself? I am thinking of checking if the user is locked in AD,
hopefully by looking at his/her LDAP attributes in the 389 DS server in FreeIPA if such
attributes exist, then removing any public keys that are present in the Default Trust View
for this user. At this point I do not know if it is possible, it is just an idea.
I would really appreciate your help.
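The decision logic behind the idea in the post, as an added example that is not the poster's code and not part of FreeIPA: it takes AD attributes already read from the domain controller (no LDAP client included), decides whether the account counts as blocked, and builds the `ipa idoverrideuser-mod` call that would strip the SSH keys from the user's ID override. Assumptions: `userAccountControl` bit 0x2 and `lockoutTime` (a FILETIME, 0 when not locked) carry their documented AD meanings, the lockout expires after the domain's `lockoutDuration`, and passing `--sshpubkey=` with an empty value clears the attribute; the sample entries are constructed.

```python
"""Decide from AD attributes whether a trusted user should lose SSH key access.
Added example, not code from the original post or from FreeIPA."""
from datetime import datetime, timedelta, timezone

# AD FILETIME values count 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Documented userAccountControl flag: ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def ad_account_blocked(attrs, lockout_duration, now=None):
    """Return "disabled", "locked" or None for an AD entry.

    attrs: attribute dict as returned by an LDAP search (string values).
    lockout_duration: positive timedelta from the domain lockout policy,
    or None when the policy locks the account until an admin unlocks it.
    """
    now = now or datetime.now(timezone.utc)
    uac = int(attrs.get("userAccountControl", "0"))
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    # lockoutTime is 0 or absent when not locked; a set value only counts as a
    # live lock while lockoutTime + lockoutDuration is still in the future.
    lockout = int(attrs.get("lockoutTime", "0"))
    if lockout:
        if lockout_duration is None:
            return "locked"
        if filetime_to_datetime(lockout) + lockout_duration > now:
            return "locked"
    return None


def ipa_strip_sshkeys_cmd(view, user):
    """argv that removes every SSH public key from the user's ID override.
    Assumed (not verified here): an empty --sshpubkey= clears the attribute."""
    return ["ipa", "idoverrideuser-mod", view, user, "--sshpubkey="]


# Constructed sample entries, not real directory data.
# 133485408000000000 is the FILETIME for 2024-01-01T00:00:00Z.
SAMPLE_LOCKED = {"sAMAccountName": "jdoe", "userAccountControl": "512",
                 "lockoutTime": "133485408000000000"}
SAMPLE_DISABLED = {"sAMAccountName": "asmith", "userAccountControl": "514",
                   "lockoutTime": "0"}
SAMPLE_OK = {"sAMAccountName": "bjones", "userAccountControl": "512",
             "lockoutTime": "0"}
```

Run the check on a schedule or from an event trigger and, for any entry that returns a reason, execute the returned argv against the matching `user@ad.example` override in the Default Trust View.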