Bug 1273040 - [RFE] Automatically disable user accounts that have not been used for a specific period of time
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Priority: high, Severity: high
Assigned To: IPA Maintainers
Namita Soman
Keywords: FutureFeature
Reported: 2015-10-19 08:43 EDT by Petr Vobornik
Modified: 2018-02-23 08:44 EST
Doc Type: Enhancement
Description Petr Vobornik 2015-10-19 08:43:15 EDT
This bug is created as a clone of upstream ticket:

Create a policy that would define for how long the user account can be inactive (no authentications) until it would be disabled automatically in IPA.

This is driven by PCI compliance requirements.
Comment 2 Petr Vobornik 2015-10-19 17:27:50 EDT
Workaround: https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
Comment 9 Martin Kosek 2016-07-01 09:20:45 EDT
(In reply to Petr Vobornik from comment #2)
> Workaround:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html

Please note that I just realized that this workaround only works under certain conditions:
- it is an environment with a single IdM master
- OR, krbLastSuccessfulAuth is replicated (see https://fedorahosted.org/freeipa/ticket/5970)
- OR, if the script checks krbLastSuccessfulAuth on *all* IdM servers and uses the most recent one.
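
The third condition above (read krbLastSuccessfulAuth from every IdM server and use the most recent value), as an added example that is not part of the original comment or of the linked workaround script. Hostnames, uids, timestamps and the 90-day limit are constructed assumptions; fetching the attribute from each server is assumed to have happened already.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: krbLastSuccessfulAuth as read from each IdM server
# (hypothetical hostnames and uids). A missing uid means that server holds no value.
PER_SERVER = {
    "ipa1.example.test": {"alice": "20160620101500Z", "bob": "20160105080000Z"},
    "ipa2.example.test": {"alice": "20160110090000Z", "bob": "20160628170000Z",
                          "carol": "20160101120000Z"},
}


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form used here (YYYYmmddHHMMSSZ, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merged_last_auth(per_server):
    """Return {uid: most recent krbLastSuccessfulAuth seen on any server}."""
    merged = {}
    for entries in per_server.values():
        for uid, raw in entries.items():
            seen = parse_generalized_time(raw)
            if uid not in merged or seen > merged[uid]:
                merged[uid] = seen
    return merged


def inactive_users(last_auth, now, max_idle_days):
    """Return uids whose last successful authentication is older than the limit."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(uid for uid, seen in last_auth.items() if seen < cutoff)


if __name__ == "__main__":
    now = datetime(2016, 7, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable run
    for server, entries in PER_SERVER.items():
        single = {u: parse_generalized_time(v) for u, v in entries.items()}
        # Without replication, one server's view flags users who logged in elsewhere.
        print(server, "alone would flag:", inactive_users(single, now, 90))
    merged = merged_last_auth(PER_SERVER)
    print("all servers merged flag:", inactive_users(merged, now, 90))
```

Users with no krbLastSuccessfulAuth on any server never appear in the merged map, so a real script has to decide separately how to treat accounts that have never authenticated.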
