From: Rob Crittenden
Sent: Wednesday, 13 November 2013 12:20 p.m.
To: Steven Jones;
Subject: Re: [Freeipa-users] 2 questions on passsync

Steven Jones wrote:
> Hi,
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
> yep, that's what I expected, I just didn't word it well.
> I just wondered if we could receive the plain text password then hash it, 
> then for an excluded user compare hashes and if they match raise an audit 
> alert.
> What we have is a concern that if AD gets hacked, certain users such 
> as myself who have more privileges in Linux land could get their Linux side 
> accounts also hacked simply via a malicious password change in AD.  This 
> would mean that we might lose all of our Linux side as well as the Windows 
> side.
> A way to prevent this is to exclude those certain users from passsync.  The 
> issue then is there is nothing stopping an excluded user manually making the 
> passwords the same, despite a written policy.
> Having different AD and IPA policies, while acceptable to me, 
> probably isn't acceptable for the organisation.
> To exclude a user from passsync the identity guide says run,
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> Which means every time I want to exclude a user I have to do this via the 
> command line, and I also don't see how it's easily and quickly auditable either.
> e.g. how do I check who is and isn't excluded?
> Now if it's an IPA user group called say "excluded passsync users" and I just 
> drop the user(s) in, it's very easy to do and look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that

Without this, when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?
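For the audit question raised in the quoted message (how to see who is currently listed in passSyncManagersDNs), here is an added example that is not code from this thread or from FreeIPA: it parses the LDIF that an ldapsearch of cn=ipa_pwd_extop,cn=plugins,cn=config would return, unfolds continuation lines and base64 (`::`) values, and lists the configured DNs, cross-checking them against a list of privileged accounts. The sample LDIF, every DN in it, and the privileged-account list are constructed for this example.

```python
import base64

# Constructed sample of what
#   ldapsearch -x -D "cn=Directory Manager" -W \
#     -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs
# might return. All DNs are made up; one value is folded over two lines and
# one is base64-encoded, as LDIF output can be.
BOB_DN = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
SAMPLE_LDIF = (
    "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
    "passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
    "passSyncManagersDNs: uid=alice,cn=users,cn=accounts,dc=example,\n"
    " dc=com\n"
    "passSyncManagersDNs:: " + base64.b64encode(BOB_DN.encode()).decode() + "\n"
)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-lowercased: [values]}.

    Lines starting with a space continue the previous line; a double colon
    marks a base64-encoded value; comment lines are ignored."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def pass_sync_managers(text):
    """Return the DNs configured in passSyncManagersDNs, in LDIF order."""
    return parse_ldif_entry(text).get("passsyncmanagersdns", [])


def privileged_managers(text, privileged_dns):
    """DNs from the attribute that also appear in the privileged list.

    The attribute lets the listed DNs change passwords without forcing a
    reset, so privileged accounts appearing here are worth a review."""
    wanted = {dn.lower() for dn in privileged_dns}
    return [dn for dn in pass_sync_managers(text) if dn.lower() in wanted]
```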