Hi,

"Winsync does not sync password hashes. Passsync syncs passwords and then causes the creation of the hashes."

Yep, that's what I expected, I just didn't word it well. I just wondered if we could receive the plain text password then hash it, then for an excluded user compare hashes and if they match raise an audit alert.

What we have as a concern is that if AD gets hacked, certain users such as myself who have more privileges in Linux land could get their Linux side accounts also hacked simply via a malicious password change in AD. This would mean that we might lose all of our Linux side as well as the Windows side. A way to prevent this is to exclude those certain users from passsync. The issue then is there is nothing stopping an excluded user manually making the passwords the same, despite a written policy. The problem with having different AD and IPA policies, while acceptable to me, probably isn't acceptable for the organisation.

To exclude a user from passsync the identity guide says run:

    ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    changetype: modify
    add: passSyncManagersDNs
    passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com

Which means every time I want to exclude a user I have to do this via the command line, and also I don't see how it's easily and quickly auditable either, e.g. how do I check who is and isn't excluded? Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and look at to audit.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 13 November 2013 10:29 a.m.
To: email@example.com
Subject: Re: [Freeipa-users] 2 question on passsync

On 11/12/2013 03:47 PM, Steven Jones wrote:
> Hi,
>
> Not sure on the details here so please bear with me. When passsync is setup
> some users can be exempted from the sync.
>
> So I have 2 questions or requests for features maybe.
>
> This feature is good, however there is nothing within the IPA system that I
> can see that prevents a user manually setting the same password in IPA as
> they have in AD. So even if we have a written policy that says you cannot do
> this it looks like we cannot check or enforce it. Hence I see this as an
> audit failure.

With Winsync/Passsync this is actually a default behavior. The passwords are the same because most people, to the best of our knowledge, want it this way. If I get you right, your proposal is actually to force the reverse, which seems to be a very corner use case based on the information we have.

> So what I'm asking is, I guess, is there any way that when a password sync
> occurs the "hash" of the IPA password and the "hash" the AD password would be
> converted to gets compared, and a security violation is raised if they match?

Winsync does not sync password hashes. Passsync syncs passwords and then causes the creation of the hashes. Password hashes are attributes that are really not that easily readable to conduct the comparison you suggest.

IMO you can make sure that passwords are different (if you do not want to have the same passwords on both sides) by setting mutually exclusive password policies. For example, force all IPA passwords to be 12 characters and AD passwords 11 characters, or vice versa. This is just an example.

> If not would this be a useful feature? To me I think it would be something
> we'd like for audit purposes.
>
> Secondly, at the moment it looks like I have to add each user via a command
> line function. Can we get this setup via a user group? That way it's a point
> and click and it's easily visually auditable.

Can you please explain what you mean by setting it up via user group? It is unclear what you have in mind.

Thanks
Dmitri

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
> Level 8 Rankin Brown Building,
> Wellington, NZ
> 6012
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
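The thread leaves Steven's audit question open: how do you check who is and isn't in passSyncManagersDNs, and whether that list matches the people who are supposed to be exempt? Below is an added example, not code from the thread or from FreeIPA, that does that comparison offline. It assumes an LDIF dump of the cn=ipa_pwd_extop,cn=plugins,cn=config entry (constructed here, the kind of output an ldapsearch of that entry would give), a hypothetical IPA group "excluded passsync users" whose membership is supplied as a plain list of uids, and the user base DN used in the thread's ldapmodify snippet. It reports group members who are not yet exempted (sync still active), exempted DNs that are not in the group (undocumented exemptions), and non-user DNs such as the PassSync service account, and it can emit the LDIF from the identity guide for any missing user.

```python
"""Audit PassSync exemptions (passSyncManagersDNs) against a group membership list.

Added example for this thread; not code from FreeIPA or from the list posters.
All sample data below is constructed.
"""
import re

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # base DN from the thread

# Constructed sample: an LDIF dump of the plugin entry, as an ldapsearch of
# PLUGIN_DN for passSyncManagersDNs might return it (one folded line included).
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=alice,cn=users,cn=accounts,
 dc=example,dc=com
passSyncManagersDNs: uid=olduser,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed sample: members of a hypothetical "excluded passsync users" group.
EXCLUDED_GROUP_MEMBERS = ["alice", "bob"]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute(lowercase): [values]}.

    Handles LDIF line folding (a continuation line starts with one space).
    """
    unfolded = re.sub(r"\n ", "", text)
    attrs = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def exempt_uids(ldif_text, user_base):
    """Split passSyncManagersDNs into user uids under user_base and other DNs."""
    attrs = parse_ldif_entry(ldif_text)
    uids, other_dns = set(), set()
    pattern = re.compile(r"uid=([^,]+)," + re.escape(user_base), re.IGNORECASE)
    for dn in attrs.get("passsyncmanagersdns", []):
        match = pattern.fullmatch(dn)
        if match:
            uids.add(match.group(1))
        else:
            other_dns.add(dn)
    return uids, other_dns


def audit(ldif_text, group_members, user_base):
    """Compare the exemption list with the group that is supposed to define it."""
    exempt, other_dns = exempt_uids(ldif_text, user_base)
    wanted = set(group_members)
    return {
        # in the group but still synced from AD: the risk the thread describes
        "missing": sorted(wanted - exempt),
        # exempted without being in the group: drift the auditor should question
        "stale": sorted(exempt - wanted),
        # service accounts and anything else outside the users container
        "non_user_dns": sorted(other_dns),
    }


def ldif_to_add(uid, user_base):
    """LDIF for ldapmodify, in the form the thread quotes from the identity guide."""
    return (
        f"dn: {PLUGIN_DN}\n"
        "changetype: modify\n"
        "add: passSyncManagersDNs\n"
        f"passSyncManagersDNs: uid={uid},{user_base}\n"
    )


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF, EXCLUDED_GROUP_MEMBERS, USER_BASE)
    for key, values in report.items():
        print(f"{key}: {values}")
    for uid in report["missing"]:
        print("\n# LDIF to exempt", uid)
        print(ldif_to_add(uid, USER_BASE))
```

Run against a real dump, the "stale" list is the one to read first: an entry there is an exemption nobody put in the group, which is exactly the thing a manual ldapmodify workflow makes invisible.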