Create a policy that would define for how long the user account can be inactive (no authentications) until it would be disabled automatically in IPA.
This is driven by PCI compliance requirements.
Notes from triage:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1273040
Workaround: https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
There is already a 389 DS "Account Policy" plugin that is capable of this. FreeIPA should allow this plugin to be configured and used.
Additionally, it would be ideal to enhance the existing plugin to meet these compliance requirements as described in this 389 DS ticket:
https://fedorahosted.org/389/ticket/48908
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Summary from team discussion
nsAccountLock
krbPrincipalExpiration
Metadata Update from @cheimes: - Issue close_status updated to: None
There is also an event thread within 389-DS, which a plugin can use to register events to execute at some regular time. This might be useful for solving part of this problem.