On 03/21/2016 06:56 PM, Rob Crittenden wrote:
> Bob wrote:
>> If each IPA server tracks time of last auth independently, then one IPA
>> server might disable an inactive account. But that account might be
>> active on another server. In a failover case where the server that
>> that account normally uses is down, the user would not have a usable
>> account.
>>
>> Is it possible to use the account policy plugin? Or is there a way to
>> track time of last auth that is replicated? I need to have accounts
>> that have been inactive for 90 days automatically disabled.
>
> You can't use the account policy plugin but it isn't aware of Kerberos so it
> would miss potentially a lot of authentications.
>
> You could modify replication agreements to not ignore this attribute but you
> potentially create a replication "storm", particularly early morning when
> everyone logs in at the same time.
>
> In any case IPA password policy doesn't currently handle inactivity. There is a
> ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential
> short-term workaround).
JFTR, this is the ticket with the failed login replication RFE:
https://fedorahosted.org/freeipa/ticket/3700

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
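Added example, not code from this thread or from the FreeIPA project: the failure mode Bob describes (each replica keeps its own last-auth timestamp, so a replica that never saw a user log in would treat an active account as idle) can be avoided by collecting the per-server krbLastSuccessfulAuth values from every replica and taking the newest one per user before applying the 90-day rule. The replica hostnames, the user names and the timestamps below are constructed sample data standing in for what an LDAP search of each replica for uid and krbLastSuccessfulAuth (GeneralizedTime, e.g. 20160320081500Z) would return; the 90-day threshold is Bob's requirement, and the decision to report never-authenticated accounts separately instead of disabling them is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90
# krbLastSuccessfulAuth is stored as LDAP GeneralizedTime in UTC.
KRB_TIME_FMT = "%Y%m%d%H%M%SZ"

# Constructed sample input (hypothetical hosts, users and times). Each inner dict
# is what one replica knows; None means the attribute is absent on that server,
# i.e. the user never authenticated against it.
SAMPLE_REPLICAS = {
    "ipa1.example.test": {
        "alice": "20160320081500Z",
        "bob": "20151201090000Z",   # stale: bob's recent logins went to ipa2
        "carol": None,
        "dave": None,
    },
    "ipa2.example.test": {
        "alice": "20160121101000Z",
        "bob": "20160318123000Z",
        "carol": "20150901120000Z",
        "dave": None,
    },
}

# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2016, 3, 21, 18, 56, tzinfo=timezone.utc)


def parse_krb_time(value):
    """Parse an LDAP GeneralizedTime string (or None) into an aware datetime."""
    if value is None:
        return None
    return datetime.strptime(value, KRB_TIME_FMT).replace(tzinfo=timezone.utc)


def merge_last_auth(replicas):
    """Per user, keep the newest krbLastSuccessfulAuth seen on any replica.

    Users with no timestamp on any server end up mapped to None.
    """
    merged = {}
    for users in replicas.values():
        for uid, raw in users.items():
            ts = parse_krb_time(raw)
            merged.setdefault(uid, None)
            if ts is not None and (merged[uid] is None or ts > merged[uid]):
                merged[uid] = ts
    return merged


def inactive_users(replicas, now, days=INACTIVITY_DAYS):
    """Users whose newest login across all replicas is older than the cutoff."""
    cutoff = now - timedelta(days=days)
    merged = merge_last_auth(replicas)
    return sorted(uid for uid, last in merged.items()
                  if last is not None and last < cutoff)


def never_authenticated(replicas):
    """Users with no recorded login on any replica; report, don't disable."""
    return sorted(uid for uid, last in merge_last_auth(replicas).items()
                  if last is None)


def per_server_inactive(replicas, now, days=INACTIVITY_DAYS):
    """What each replica would conclude on its own data alone.

    This is the wrong answer the thread warns about: a server that never saw a
    user's logins reports that user as idle.
    """
    cutoff = now - timedelta(days=days)
    verdicts = {}
    for server, users in replicas.items():
        verdicts[server] = sorted(
            uid for uid, raw in users.items()
            if parse_krb_time(raw) is not None and parse_krb_time(raw) < cutoff)
    return verdicts


if __name__ == "__main__":
    print("per-server verdicts:", per_server_inactive(SAMPLE_REPLICAS, SAMPLE_NOW))
    print("merged inactive:", inactive_users(SAMPLE_REPLICAS, SAMPLE_NOW))
    print("never seen anywhere:", never_authenticated(SAMPLE_REPLICAS))
```

With the sample data, ipa1 on its own would flag bob as inactive because his last three months of logins landed on ipa2; the merged view keeps only carol. A real run would need the same merge performed after querying every replica, since a single server's view is incomplete by design while the attribute is excluded from replication.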
