Not sure on the details here, so please bear with me. When passsync is set up,
some users can be exempted from the sync.
So I have 2 questions or requests for features maybe.
This feature is good, however there is nothing within the IPA system that I can
see that prevents a user manually setting the same password in IPA as they have
in AD. So even if we have a written policy that says you cannot do this it
looks like we cannot check or enforce it. Hence I see this as an audit failure.
So what I'm asking is, I guess, is there any way that when a password sync occurs
the "hash" of the IPA password and the "hash" the AD password would be
converted to get compared, and a security violation is raised if they match?
If not, would this be a useful feature? To me, I think it would be something we'd
like for audit purposes.
Secondly, at the moment it looks like I have to add each user via a command
line function. Can we get this set up via a user group? That way it's a point and
click and it's easily visually auditable.
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
0064 4 463 6272
Freeipa-users mailing list