#3305 KrbPrincipalExpiration should be checked in pre-bind op
Closed: Fixed None by simo. Opened 5 years ago by simo.

We currently do not honour the krbprincipalexpiration attribute for LDAP binds.
A simple place to check and deny auth would be to check for it in the pre_bind operation.
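A sketch of the comparison such a pre-bind check would make, as an added example (not part of the ticket and not FreeIPA's code). The function name, the result codes, the restriction to the UTC `YYYYMMDDHHMMSSZ` form and the choice to deny on an unparsable value are all assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical result codes for this sketch (not 389-ds or FreeIPA names). */
enum bind_decision { BIND_ALLOW = 0, BIND_DENY_EXPIRED = 1, BIND_DENY_INVALID = 2 };

/* Accept only the fixed-width UTC form "YYYYMMDDHHMMSSZ" (15 characters). */
static int is_utc_generalized_time(const char *s)
{
    if (strlen(s) != 15 || s[14] != 'Z')
        return 0;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Decide whether a bind may proceed, given the entry's krbPrincipalExpiration
 * value (NULL when the attribute is absent) and the current time.
 */
enum bind_decision check_principal_expiration(const char *expiration, time_t now)
{
    char now_str[16];
    struct tm *utc;

    if (expiration == NULL)
        return BIND_ALLOW;          /* no expiration set on the entry */
    if (!is_utc_generalized_time(expiration))
        return BIND_DENY_INVALID;   /* assumption: fail closed on bad data */

    utc = gmtime(&now);
    if (utc == NULL ||
        strftime(now_str, sizeof(now_str), "%Y%m%d%H%M%SZ", utc) != 15)
        return BIND_DENY_INVALID;   /* current time could not be formatted */

    /* Fixed-width UTC timestamps sort chronologically as plain strings. */
    return strcmp(now_str, expiration) > 0 ? BIND_DENY_EXPIRED : BIND_ALLOW;
}
```

A bind at exactly the expiration instant is still allowed here; only a strictly later time is treated as expired.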


3.4 development was shifted for one month, moving tickets to reflect reality better.

Linking with the right Bugzilla (previous closed as duplicate).

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

This ticket is not complete yet, moving to next month's milestone.

Fixed upstream
master:

  • 5d78cdf ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
  • 004071a ipatests: Add test for denying expired principals

Metadata Update from @simo:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

2 years ago
