Bug 1273040

Summary: [RFE] Automatically disable user accounts that have not been used for a specific period of time
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED DEFERRED QA Contact: Namita Soman <nsoman>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: Aaron.Boudreaux, afarley, alsharma, apeddire, artem, asakure, baptiste.agasse, charles_sheridan, cparadka, dpal, fcami, frenaud, gparente, ipa-maint, Isabel.hernanz, jaredl, jlyle, kludhwan, ldelouw, mkosek, mreinke, pasik, pcech, pierre-yves.goubet, rcritten, rvdwees, tonflo, tscherf, vmishra
Target Milestone: rcKeywords: FutureFeature, Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1654395 (view as bug list) Environment:
Last Closed: 2020-03-30 10:00:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1654395    

Description Petr Vobornik 2015-10-19 12:43:15 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4975

Create a policy that would define for how log the user account can be inactive (no authentications) until it would be disabled automatically in IPA.

This is driven by PCI compliance requirements.
Comment 2 Petr Vobornik 2015-10-19 21:27:50 UTC 
Workaround: ​https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
Comment 9 Martin Kosek 2016-07-01 13:20:45 UTC 
(In reply to Petr Vobornik from comment #2)
> Workaround:
> ​https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html

Please note that I just realized that this workaround only works under certain conditions:
- it is an environment with single IdM master
- OR, krbLastSuccessfulAuth is replicated (see https://fedorahosted.org/freeipa/ticket/5970)
- OR, if the script checks krbLastSuccessfulAuth on *all* IdM servers and uses the most recent one.
Comment 19 kludhwan 2019-10-08 10:58:57 UTC 
Hello,

Do we have any update for the customers?

Are we planing this feature to be included in rhel7?

Thanks,
Kushal
Comment 22 Petr Čech 2019-12-09 19:45:21 UTC 
We are closing this RFE because of the life cycle of RHEL-7.
Comment 23 JaredL 2019-12-09 19:49:37 UTC 
Petr - Will there be a new issue opened for tracking this RFE for RHEL-8? 

This is still something many folks watching this issue would love to see in Idm and isn't a feature in RHEL-8 either.
Comment 24 Petr Čech 2019-12-10 13:56:45 UTC 
I closed it accidentally. Thanks for note, we moved it to RHEL-8.
Comment 27 François Cami 2020-03-30 09:54:09 UTC 
Moving back to RHEL7.
https://bugzilla.redhat.com/show_bug.cgi?id=1654395 is the right bugzilla for RHEL8.
Please attach new cases only to https://bugzilla.redhat.com/show_bug.cgi?id=1654395 .
Comment 29 François Cami 2020-03-30 10:00:40 UTC 
Closing as DEFERRED.
Please use https://bugzilla.redhat.com/show_bug.cgi?id=1654395 for this RFE.