IdM allows LDAP bind with expired password

Solution Verified - Updated -

Issue

  • How to configure the IdM LDAP server (389-ds) to disallow binding/authenticating with an expired password?

  • The user's password has expired:

    # ipa user-show bob --raw --all
      dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
      uid: bob
      givenname: Bob
      sn: User
      cn: Bob User
      <...>
      krbPasswordExpiration: 20240814004456Z     <<<<<=====
    
  • However, the user is still allowed to perform an LDAP bind and authenticates successfully without any warning:

    ldapsearch -v -x -H ldap://server1.example.com -D "uid=bob,cn=users,cn=accounts,dc=example,dc=com" -W -b "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
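The following audit helper is an added example, not part of this Red Hat article: it reads the user's krbPasswordExpiration from `ipa user-show --raw --all`, checks whether it lies in the past, and then attempts a simple bind as that user so an administrator can confirm whether the server still accepts the expired password. It assumes the `ipa` and `ldapsearch` tools are available, an admin Kerberos ticket is active, and the test user's current password sits in a file readable only by the caller.

```shell
#!/bin/sh
# Added audit helper, not part of the Red Hat article: checks whether an IdM user
# whose krbPasswordExpiration has already passed can still complete a simple LDAP bind.
# Assumptions (not from the article): the host has the ipa and ldapsearch tools, an
# admin Kerberos ticket is active, and the test user's current password is stored
# in a file readable only by the caller.

# is_expired EXPIRY [NOW]: true (exit 0) when the GeneralizedTime EXPIRY is at or
# before NOW. Both are fixed-width "YYYYMMDDHHMMSSZ" strings as printed by
# "ipa user-show --raw", so dropping the Z leaves 14-digit numbers that compare
# chronologically. NOW defaults to the current UTC time.
is_expired() {
    expiry="${1%Z}"
    now="${2:-$(date -u +%Y%m%d%H%M%SZ)}"
    now="${now%Z}"
    [ "$expiry" -le "$now" ]
}

# krb_expiry: reads "ipa user-show --raw --all" output on stdin and prints the
# krbPasswordExpiration value (nothing if the attribute is absent).
krb_expiry() {
    sed -n 's/^[[:space:]]*krbPasswordExpiration:[[:space:]]*\([0-9]\{14\}Z\).*/\1/p'
}

# audit_bind USER SERVER BASEDN PASSFILE: exit 1 if an expired password still binds.
audit_bind() {
    user="$1" server="$2" base="$3" passfile="$4"
    dn="uid=$user,cn=users,cn=accounts,$base"
    expiry=$(ipa user-show "$user" --raw --all | krb_expiry)
    if [ -z "$expiry" ]; then
        echo "$user: no krbPasswordExpiration attribute found"
        return 2
    fi
    if ! is_expired "$expiry"; then
        echo "$user: password expires $expiry, not yet expired; nothing to test"
        return 0
    fi
    # Simple bind as the user against its own entry; ldapsearch exits 0 only if
    # the server accepted the bind. -y reads the password from a file so it does
    # not appear in the process list.
    ldapsearch -x -H "ldap://$server" -D "$dn" -y "$passfile" -b "$dn" -s base dn >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "FINDING: $user bound successfully although the password expired at $expiry"
        return 1
    fi
    echo "OK: bind rejected for $user (ldapsearch exit $rc; password expired at $expiry)"
    return 0
}

# Example run (uncomment): audit_bind bob server1.example.com dc=example,dc=com ./bob.pw
```

A non-zero ldapsearch exit status is the LDAP result code, so the value printed in the OK line tells you how the server refused the bind.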
    

Environment

  • Red Hat Enterprise Linux 8.7 or later
  • Red Hat Enterprise Linux 9.1 or later
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server-4.9.10-6 or newer
    • ipa-server-4.10.0-6 or newer
    • 389 Directory Server (389-ds)
