On 11/12/2013 03:47 PM, Steven Jones wrote:
> Hi,
> Not sure on the details here so please bear with me When passsync is setup 
> some users can be exempted from the sync.
> So I have 2 questions or requests for features maybe.
> This feature is good, however there is nothing within the IPA system that I 
> can see that prevents a user manually setting the same password in IPA as 
> they have in AD.  So even if we have a written policy that says you cannot do 
> this it looks like we cannot check or enforce it. Hence I see this as an 
> audit failure.  

With Winsync/Passsync this is actually a default behavior. The passwords
are the same because most of people to the best of our knowledge want it
this way. If I get you right you proposal is actually to force a reverse
which seems to be a very corner use case based on the information we have.

> So what Im asking is I guess is there any way that when a password sync 
> occurs the "hash" of the IPA password and the "hash" the AD password would be 
> converted to, gets compared and a security violation is raised if they match? 

Winsync does not sync password hashes. Passsync syncs passwords and then
causes the creation of the hashes. Password hashes are attributes that
are really not that easily readable to conduct the comparison you suggest.

IMO you can make sure that passwords different (if you do not want to
have same passwords on both sides) by setting mutually exclusive
password policies.
For example force all IPA passwords be 12 characters and AD passwords 11
characters or vice verse. This is just an example.

> If not would this be a useful feature? to me I think it would be something 
> we'd like for audit purposes.
> Secondly, at the moment it looks like I have to add each user via a command 
> line function. Can we get this setup via a user group? That way its a point 
> and click and its easily visually auditable.

Can you please explain what do you mean by setting it up via user group?
It is unclear what you have in mind.


> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University ITS,
> Level 8 Rankin Brown Building,
> Wellington, NZ
> 6012
> 0064 4 463 6272
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to