Ldap – FreeIPA (LDAP): Refuse auth for users with expired password

authenticationfreeipaldap

I have a FreeIPA used mostly for LDAP-based authentication in many local web services. Unfortunately, LDAP authorizes users to login to 3-rd party applications even when user's password is expired (including first random password, that is already expired and was not yet changed).

Is there a way to configure a "policy" to refuse users with expired login everywhere but FreeIPA web interface, letting users only to change their expired password?

Regards,

Best Answer

No, not at the moment. Please see related upstream ticket.

What you could do, when applicable, is to authenticate users via Kerberos which does not log in users when expired. More information about the FreeIPA and available Web Application modules are on the FreeIPA.org page Web App Authentication.

Related Solutions

Ldap – PAM and LDAP with variable base DN

You can do exactly what you're asking for. Use:

auth        required       pam_ldap.so config=/etc/ldap_web.conf

See the man page for more details.

Linux – Unable to authenticate LDAP client with PAM when pwdReset = TRUE

Policies on the LDAP server don't necessarily equate to policies within the OS. You seem to be picturing a framework where you set this overflay property and the OS becomes aware of the need for a password change, but as you can see that's not how it works.

To trigger a prompt within the operating system, an accounting module (typically PAM) has to notice the condition. OpenLDAP's password policy overlay is not a POSIX standard. Unlike what happens when you adjust the shadow properties of a user to set the policy, pam_unix has no awareness of these attributes that you're setting. The same cannot be said of the OpenLDAP server itself. This results in a user lockout because the user cannot authenticate to the Linux server, and lacks sufficient information about LDAP (as you yourself note) to work directly with the LDAP server to change their password.

If you're looking to trigger password change prompts within the OS, this is not the right tool for the job. I would personally recommend that you familiarize yourself with the relevant shadow attributes, store them in LDAP if they need to be centrally managed, and use those to trigger the behaviors you're looking for.

From the pam_unix(8) manpage:

The account component performs the task of establishing the status of the user's account and password based on the following shadow elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the shadow(5) manual page. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.

Best Answer

Related Solutions

Ldap – PAM and LDAP with variable base DN

Linux – Unable to authenticate LDAP client with PAM when pwdReset = TRUE

Related Topic