Steven Jones wrote:

"Winsync does not sync password hashes. Passsync syncs passwords and then
causes the creation of the hashes."

Yep, that's what I expected, I just didn't word it well.

I just wondered if we could receive the plaintext password, then hash it, then 
for an excluded user compare hashes and, if they match, raise an audit alert.

What we have is a concern that if AD gets hacked, certain users such as 
myself who have more privileges in Linux land could get their Linux-side 
accounts also hacked simply via a malicious password change in AD.  This would 
mean that we might lose all of our Linux side as well as the Windows side.

A way to prevent this is to exclude those certain users from passsync.  The 
issue then is that there is nothing stopping an excluded user from manually making the 
passwords the same, despite a written policy.

The problem with having different AD and IPA policies is that, while acceptable to me, 
it probably isn't acceptable for the organisation.

To exclude a user from passsync the identity guide says to run:

"ldapmodify -x -D "cn=Directory Manager" -w secret -h -p 389
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"

Which means every time I want to exclude a user I have to do this via the 
command line, and I also don't see how it's easily and quickly auditable either.

E.g. how do I check who is and isn't excluded?

Now if it's an IPA user group called, say, "excluded passsync users" and I just 
drop the user(s) in, it's very easy to do and to look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list the users who can change a password without requiring a reset of that password.

Without this, when a new password is synced from AD it would require a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?
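The "how do I check who is in the list" question above still applies once you know what passSyncManagersDNs actually is (the DNs whose password changes do not force a reset, per the reply). The following is an added example, not FreeIPA or 389-ds code: it parses the LDIF that ldapsearch prints for the plugin entry and for a group, unfolds wrapped lines, and reports which DNs are in the attribute but not in the group and vice versa. The group name "cn=passsync managers" and the sample LDIF are constructed for the example; the ldapsearch invocations in the docstring are the assumed way to obtain the real input.

```python
"""Audit passSyncManagersDNs against an IPA group (added example, not FreeIPA code).

Input is the LDIF that ldapsearch prints for the plugin entry and for the group,
obtained with something like (assumed invocations, group name is an assumption):

    ldapsearch -x -D "cn=Directory Manager" -W -LLL \
        -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs
    ldapsearch -x -D "cn=Directory Manager" -W -LLL \
        -b "cn=passsync managers,cn=groups,cn=accounts,dc=example,dc=com" member
"""
import base64
from typing import Dict, List, Optional, Tuple


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a leading space marks a wrapped line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attr: [values]}} for every entry in the LDIF text.

    Handles '::' (base64) values, which ldapsearch emits for non-ASCII or
    leading-space values. Attribute names are lower-cased because LDAP
    attribute names are case-insensitive.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[dict] = None
    for line in unfold_ldif(text) + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def norm_dn(dn: str) -> str:
    """Cheap DN normalisation for comparison: lower-case, strip spaces at commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit(plugin_ldif: str, group_ldif: str) -> Tuple[List[str], List[str], List[str]]:
    """Compare passSyncManagersDNs with the group's members.

    Returns (managers, only_in_attribute, only_in_group) as sorted normalised DNs.
    """
    managers = set()
    for attrs in parse_ldif(plugin_ldif).values():
        managers.update(norm_dn(v) for v in attrs.get("passsyncmanagersdns", []))
    members = set()
    for attrs in parse_ldif(group_ldif).values():
        members.update(norm_dn(v) for v in attrs.get("member", []))
    return sorted(managers), sorted(managers - members), sorted(members - managers)


# Constructed sample output standing in for what ldapsearch -LLL would print.
# The second value is deliberately wrapped the way ldapsearch wraps long lines.
PLUGIN_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=exa
 mple,dc=com
"""

GROUP_LDIF = """\
dn: cn=passsync managers,cn=groups,cn=accounts,dc=example,dc=com
member: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
member: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
"""

if __name__ == "__main__":
    managers, extra, missing = audit(PLUGIN_LDIF, GROUP_LDIF)
    print("passSyncManagersDNs:", *managers, sep="\n  ")
    print("in attribute but not in group:", *extra, sep="\n  ")
    print("in group but not in attribute:", *missing, sep="\n  ")
```

Run against real output, any DN listed under "in attribute but not in group" is a password-sync manager nobody put in the group (the sample shows uid=admin in that position), which is exactly the drift the group-based approach is meant to make visible.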


Freeipa-users mailing list