Not sure on the details here, so please bear with me. When PassSync is set up, some
users can be exempted from the sync.

So I have 2 questions, or requests for features maybe.

This feature is good; however, there is nothing within the IPA system that I can
see that prevents a user from manually setting the same password in IPA as they have
in AD. So even if we have a written policy that says you cannot do this, it
looks like we cannot check or enforce it. Hence I see this as an audit failure.

So what I'm asking, I guess, is: is there any way that, when a password sync occurs,
the "hash" of the IPA password and the "hash" the AD password would be
converted to get compared, and a security violation is raised if they match?

If not, would this be a useful feature? To me, I think it would be something we'd
like for audit purposes.

Secondly, at the moment it looks like I have to add each user via a command-line
function. Can we get this set up via a user group? That way it's point and
click, and it's easily visually auditable.


Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
0064 4 463 6272

Freeipa-users mailing list
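An added illustration of the check asked for in the post above (example code written for this page, not FreeIPA or PassSync code). The practical caveat is that two independently salted hashes of the same password do not match, so the IPA hash cannot simply be compared with a hash of the AD password; the check has to verify the cleartext that arrives during the sync against the hash already stored in IPA. The example assumes the sync delivers the new AD password in cleartext to the IPA side (it needs the cleartext to set the IPA password anyway), that the stored IPA value uses the LDAP {SSHA} scheme (chosen only for illustration), and that the helper names (`ssha_hash`, `ssha_verify`, `hashes_match`, `check_synced_password`) are hypothetical. The demo data is constructed, not from any real directory.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# All helper names below are hypothetical; {SSHA} is used only as an illustrative scheme.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP-style {SSHA} userPassword value:
    base64( sha1(password || salt) || salt ).
    A fresh random salt is used unless one is supplied (fixed salts only for deterministic demos)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value by re-hashing
    with the salt that was stored alongside the digest."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hashes_match(stored_a: str, stored_b: str) -> bool:
    """The naive 'compare the two hashes' approach from the question.
    It only succeeds if both sides used the same scheme AND the same salt,
    which independently salted hashes never do."""
    return stored_a == stored_b


def check_synced_password(uid: str, stored_ipa_hash: str, synced_cleartext: str) -> dict:
    """Hypothetical pre-sync policy check: does the password arriving from AD
    reproduce the password already set in IPA?  Returns an audit record."""
    reused = ssha_verify(synced_cleartext, stored_ipa_hash)
    return {
        "uid": uid,
        "violation": reused,
        "reason": "synced AD password equals existing IPA password" if reused else None,
    }


if __name__ == "__main__":
    # Constructed demo data, not taken from any real directory.
    pw = "Correct-Horse-Battery"
    ipa_hash = ssha_hash(pw, salt=b"ipa-salt")
    ad_side_hash = ssha_hash(pw, salt=b"ad-salt!")
    print("same password, hashes equal?", hashes_match(ipa_hash, ad_side_hash))
    print(check_synced_password("sjones", ipa_hash, pw))
    print(check_synced_password("sjones", ipa_hash, "Something-Else"))
```

Run stand-alone it shows the two hashes of the identical password differing (so the hash-to-hash comparison reports no match), while `check_synced_password` correctly flags the reuse because it verifies the cleartext against the stored salt. A real deployment would hook the same verification into whatever receives the synced password, and would need a verifier for whichever hash scheme the directory actually stores.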