FreeIPA - Password Expiration

Dave Perry Dave.Perry at
Tue Apr 5 07:48:53 EDT 2016

This was discussed in the last few days:

Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at<mailto:elearning at> *

From: users [mailto:users-bounces at] On Behalf Of Prashant Bapat
Sent: 05 April 2016 12:08
To: Shib Users
Subject: FreeIPA - Password Expiration


I'm trying to configure Shibboleth IdP (ver 3.2.1) to authenticate against FreeIPA's LDAP component. So far authentication and attribute release is working.

When I tried to configure the password expiration, it does not work. I tried the "account state" section of but could not get it it working.

FreeIPA has an user attribute "krbPasswordExpiration" which is the time when the password expires.

How to use this attribute for redirecting the user to the password expiration page ?

Looking at Ldaptive's GIT<>, there is a FreeIPAAuthenticationResponseHandler<> in the latest version. Is it advisable to use this ?


This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list