[heroes] Password Expiry in FreeIPA
HI!

from the last IRC meeting:

------------------- snip ------------------
[20:52:11] <cboltz> ("password expired" only means someone didn't login in FreeIPA for months - but you can still use the VPN and sudo with an expired password)
[20:52:29] <kl_eisbaer> sure? (mean: did you try?)
[20:52:48] <cboltz> yes, more than once
[20:52:54] <kl_eisbaer> as in that case, I have the feeling that FreeIPA has a security problem :-(
------------------- snip ------------------

Known problem for many years. Password expiry is only enforced when authenticating with Kerberos, not LDAP:

https://bugzilla.redhat.com/show_bug.cgi?id=782917

They claim they have to keep it that way for resetting expired passwords. :-/

In contrast to that, password expiry just works for LDAP simple bind in OpenLDAP, and Æ-DIR provides a decent password reset web application which also works for expired passwords:

https://www.ae-dir.com/pwd.html#reset-procedure

This procedure is also used for setting the initial password (because both use-cases share the same security requirements and have the same goal).

Ciao, Michael.
participants (1)
Michael Ströder
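
An audit for the gap described in the message above, as an added example that is not part of the original e-mail or of FreeIPA: it reads an LDIF dump of user entries and lists accounts whose password has expired, which services authenticating by LDAP simple bind (the VPN and sudo mentioned in the IRC log) would still accept. It assumes the expiry time is stored in the `krbPasswordExpiration` attribute; the DNs and timestamps are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample of what an `ldapsearch -LLL` dump of user entries could look like.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPasswordExpiration: 20230101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPasswordExpiration: 20991231235959Z

dn: uid=carol-with-a-very-long-name,cn=users,cn=accounts,dc=example,
 dc=test
uid: carol-with-a-very-long-name
krbPasswordExpiration: 20240615120000Z

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=test
uid: svc-backup
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, unfolding continuation lines."""
    unfolded = text.replace("\n ", "")  # RFC 2849: a leading space continues the line
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            if not rest or rest.startswith(":") or line.startswith("#"):
                continue  # blank line, base64 ("::") value, or comment
            entry.setdefault(attr.lower(), []).append(rest.strip())
        if "dn" in entry:
            yield entry

def expired_accounts(ldif_text, now):
    """Return sorted (uid, expiry) pairs for passwords that expired at or before `now`."""
    hits = []
    for entry in parse_ldif(ldif_text):
        stamp = entry.get("krbpasswordexpiration")
        if not stamp:
            continue  # no expiry recorded for this entry
        expiry = datetime.strptime(stamp[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            hits.append((entry["uid"][0], expiry))
    return sorted(hits)

if __name__ == "__main__":
    for uid, expiry in expired_accounts(SAMPLE_LDIF, datetime.now(timezone.utc)):
        print(f"{uid}: password expired {expiry:%Y-%m-%d}, review LDAP-bind consumers")
```
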