On 11/12/2013 05:44 PM, Steven Jones wrote:
> Hi,
>
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
>
> Yep, that's what I expected, I just didn't word it well.
>
> I just wondered if we could receive the plain text password then hash it,
> then for an excluded user compare hashes and if they match raise an audit
> alert.
>
> What we have is a concern that if AD gets hacked, certain users such
> as myself who have more privileges in Linux land could get their Linux side
> accounts also hacked simply via a malicious password change in AD. This
> would mean that we might lose all of our Linux side as well as the Windows
> side.
>
> A way to prevent this is to exclude those certain users from passsync. The
> issue then is there is nothing stopping an excluded user manually making the
> passwords the same, despite a written policy.
>
> The problem with having different AD and IPA policies, while acceptable to me,
> probably isn't acceptable for the organisation.
>
> To exclude a user from passsync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the
> command line, and also I don't see how it's easily and quickly auditable either.
>
> e.g. how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called say "excluded passsync users" and I just
> drop the user(s) in, it's very easy to do and look at to audit.
OK that makes sense. This is a reasonable RFE to file.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
> Level 8 Rankin Brown Building,
> Wellington, NZ
> 6012
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 13 November 2013 10:29 a.m.
> To: firstname.lastname@example.org
> Subject: Re: [Freeipa-users] 2 question on passsync
>
> On 11/12/2013 03:47 PM, Steven Jones wrote:
>> Hi,
>>
>> Not sure on the details here so please bear with me. When passsync is set up
>> some users can be exempted from the sync.
>>
>> So I have 2 questions or requests for features maybe.
>>
>> This feature is good, however there is nothing within the IPA system that I
>> can see that prevents a user manually setting the same password in IPA as
>> they have in AD. So even if we have a written policy that says you cannot
>> do this it looks like we cannot check or enforce it. Hence I see this as an
>> audit failure.
> With Winsync/Passsync this is actually a default behavior. The passwords
> are the same because most people, to the best of our knowledge, want it
> this way. If I get you right, your proposal is actually to force the reverse,
> which seems to be a very corner use case based on the information we have.
>
>> So what I'm asking is, I guess, is there any way that when a password sync
>> occurs the "hash" of the IPA password and the "hash" the AD password would
>> be converted to gets compared, and a security violation is raised if they
>> match?
>
> Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes. Password hashes are attributes that
> are really not that easily readable to conduct the comparison you suggest.
>
> IMO you can make sure that passwords are different (if you do not want to
> have the same passwords on both sides) by setting mutually exclusive
> password policies.
> For example force all IPA passwords to be 12 characters and AD passwords 11
> characters, or vice versa. This is just an example.
>
>> If not, would this be a useful feature? To me I think it would be something
>> we'd like for audit purposes.
>>
>> Secondly, at the moment it looks like I have to add each user via a command
>> line function. Can we get this set up via a user group? That way it's point
>> and click and it's easily visually auditable.
> Can you please explain what you mean by setting it up via user group?
> It is unclear what you have in mind.
>
> Thanks
> Dmitri
>
>> regards
>>
>> Steven Jones

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-users
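Added example, not part of the thread and not FreeIPA's own code: the audit Steven asks for ("how do I check who is and isn't excluded?") can be scripted today against the attribute the guide quotes, cn=ipa_pwd_extop,cn=plugins,cn=config / passSyncManagersDNs, without waiting for a group-based RFE. The script parses LDIF as ldapsearch emits it, compares the DNs listed in the plugin entry with the members of an ordinary IPA group, and prints the ldapmodify LDIF for anyone in the group who is not yet listed. The group name passsync-exempt, the uid values, the service-account DN and the LDIF dumps are all constructed for the example; the plugin DN and attribute name are the ones quoted in the thread.

```python
"""Audit passSyncManagersDNs against an IPA group (added example, not FreeIPA code).

Real input is produced with, e.g.:
  ldapsearch -x -LLL -D "cn=Directory Manager" -W -h ldap.example.com \
      -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passSyncManagersDNs
  ldapsearch -x -LLL -D "cn=Directory Manager" -W -h ldap.example.com \
      -b cn=passsync-exempt,cn=groups,cn=accounts,dc=example,dc=com member
The sample dumps below stand in for that output and are constructed.
"""
import base64

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"   # from the thread
ATTR = "passsyncmanagersdns"                            # attribute name, lowercased


def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for an LDIF dump.

    Handles folded continuation lines (leading space) and base64 values ('::').
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:      # folded line: join to previous
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):               # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries


def normalize_dn(dn):
    """Cheap DN normalisation for comparison (assumes plain uid=/cn= RDNs)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def pass_sync_managers(plugin_ldif):
    """DNs currently listed in passSyncManagersDNs."""
    attrs = parse_ldif(plugin_ldif).get(PLUGIN_DN.lower(), {})
    return {normalize_dn(v) for v in attrs.get(ATTR, [])}


def group_members(group_ldif, group_dn):
    """member DNs of the given group entry."""
    attrs = parse_ldif(group_ldif).get(normalize_dn(group_dn), {})
    return {normalize_dn(v) for v in attrs.get("member", [])}


def audit(plugin_ldif, group_ldif, group_dn, service_accounts=()):
    """Return (missing, unexpected) as sorted lists of DNs.

    missing    = in the group but not in passSyncManagersDNs
    unexpected = in passSyncManagersDNs but neither in the group nor a known
                 service account (e.g. the PassSync bind DN)
    """
    listed = pass_sync_managers(plugin_ldif)
    wanted = group_members(group_ldif, group_dn)
    known = {normalize_dn(d) for d in service_accounts}
    return sorted(wanted - listed), sorted(listed - wanted - known)


def exclude_ldif(user_dn):
    """LDIF to pipe into ldapmodify, mirroring the command quoted in the thread."""
    return (f"dn: {PLUGIN_DN}\nchangetype: modify\n"
            f"add: passSyncManagersDNs\npassSyncManagersDNs: {user_dn}\n")


# Constructed sample data (not real directory contents).
SAMPLE_PLUGIN_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=OldAdmin,cn=users,cn=accounts,dc=example,dc=com
"""
SAMPLE_GROUP_DN = "cn=passsync-exempt,cn=groups,cn=accounts,dc=example,dc=com"
SAMPLE_GROUP_LDIF = """\
dn: cn=passsync-exempt,cn=groups,cn=accounts,dc=example,dc=com
member: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
member: uid=newadmin,cn=users,cn=accounts,dc=example,dc=com
"""
SERVICE_DNS = ["uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_PLUGIN_LDIF, SAMPLE_GROUP_LDIF,
                                SAMPLE_GROUP_DN, SERVICE_DNS)
    for dn in missing:
        print("IN GROUP BUT NOT EXCLUDED:", dn)
        print(exclude_ldif(dn))          # feed this to ldapmodify to fix it
    for dn in unexpected:
        print("EXCLUDED BUT NOT IN GROUP:", dn)
```

Run periodically (cron, or from the same job that reviews AD privileged-group membership) and alert on any non-empty result; the "unexpected" side is the more interesting one, since a DN that appears in the plugin entry without a matching group membership is a change that bypassed whatever process feeds the group.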