Robin Shen [28/Jun/16 02:24 AM]
I guess your concern is not to allow a QB user to log in when the password is expired on the LDAP side? If so, LDAP will prevent this, as QB will forward the login request to LDAP.
Primarily, yes. Some LDAP providers (OpenLDAP, 389 Directory Services) do not always enforce password expiration for binding purposes; this is particularly the case when facilitating self-service password reset/update functionality. Most secure implementations will not bind as an admin user, and instead allow the user to modify specific attributes on their own DN.
RedHat's enterprise LDAP/directory services solutions discussion around the issue. Upstream advises using LDAP filters to limit logins with expired passwords: https://fedorahosted.org/freeipa/ticket/1539