Steven Jones wrote:
Hi,
"Winsync does not sync password hashes. Passsync syncs passwords and then
causes the creation of the hashes."
yep, thats whatt I expected, I just didnt word it well.
I just wondered if we could receive the plain text password then hash it, then
for an excluded user compare hashes and if they match raise an audit alert.
What we have is a concern is that if AD gets hacked that certain users such as
myself who have more privileges in Linux land could get their Linux side
accounts also hacked simply via a malicious password change in AD. This would
mean that we might lose all of our linux side as well as the windows side.
A way to prevent this is to exclude those certian users from passsync. The
issues then is there is nothing stopping an excluded user manually making the
passwords the same, despite a written policy.
The problem with having different AD and IPA policies while acceptable to me
probably is is'nt acceptable for the organisation.
To exclude a user from passync the identity guide says run,
"ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
Which means every time I want to exclude a user I have to do this via the
command line and also I dont see how its easily and quickly auditable either.
eg how do I check who is and isnt excluded?
Now if its a IPA user group called say "excluded passsync users" and I just
drop the user(s) in, its very easy to do and look at to audit.
This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
password.
Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.
I like your idea of a group, can you file an RFE on this?
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
