Hi,

What I meant was the AD UI / system is going to write the user's AD password 
into AD's DB on the AD server's disk... not that PassSync does it... sort of a 
man-in-the-middle attack...


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 10 May 2012 9:45 a.m.
To: Steven Jones
Cc: Sylvain Angers; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] proxy with Active Directory

On 05/09/2012 03:11 PM, Steven Jones wrote:
Hi,

My understanding is PassSync intercepts the password before it's encrypted in AD

Yes.

and written to the AD's ldap db/disk

PassSync writes it to a log file on the windows machine, not to the ldap db.

it can't be decrypted thereafter.

PassSync stores the password reversibly encrypted on the disk, so it is safely 
stored, and can be converted back to cleartext to send to IPA.

It then sends the plain text password via an encrypted link to IPA, so it's 
pretty safe. No, there is no easy way I know of, though it's possible to use AD 
for Kerberos, i.e. password, and an LDAP for control; don't think that is practical 
in IPA... but AD and, say, OpenLDAP, yes. We have a setup here, but ordinary 
bods like me couldn't maintain / modify / patch it.

The other possibility is Oracle's OVD, which is an open virtual directory that 
sits in front of (multiple if necessary) LDAPs and gives an LDAPv3 output, but 
that is expensive... i.e. when Oracle say "open" they mean open your wallet and 
we'll take all we want... it's also awful... 2 of us tried for 3 weeks to make 
it work and gave up, too unstable.

The last way I know of, which we have, is a web based application called Psync 
which allows users to reset their own password via an https web page that then 
injects into AD; it can do LDAPs as well in parallel... but that's really the 
same thing as PassSync....

Or just use AD, then you use something like Centrify or Likewise, and that cost 
hurts as well. So it depends who is paying... get them to "chat" to your security 
group. Ours are A OK with PassSync as the gains of IPA and centralised control 
far outstrip the PassSync minor concern. Besides which, a decently sized and 
complex AD is a Swiss cheese for security anyway. Ask your security how the 
last external pen test on AD went... if they have never done one... it's a bit 
rich for them to comment on PassSync....

;]

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sylvain Angers [sylvainang...@gmail.com]
Sent: Thursday, 10 May 2012 6:19 a.m.
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] proxy with Active Directory

Hello

Our security group has concerns with copying username/password from AD and 
might not allow this synchronisation to even happen.
Is there a way to configure IPA to go get username/password via some kind of proxy?

Thank you!

--
Sylvain Angers




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users