Yes will do.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 13 November 2013 12:20 p.m.
To: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 2 question on passsync

Steven Jones wrote:
> Hi,
>
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
>
> Yep, that's what I expected, I just didn't word it well.
>
> I just wondered if we could receive the plain text password then hash it,
> then for an excluded user compare hashes and if they match raise an audit
> alert.
>
> What we have is a concern that if AD gets hacked, certain users such
> as myself who have more privileges in Linux land could get their Linux side
> accounts also hacked simply via a malicious password change in AD.  This
> would mean that we might lose all of our Linux side as well as the Windows
> side.
>
> A way to prevent this is to exclude those certain users from passsync.  The
> issue then is there is nothing stopping an excluded user manually making the
> passwords the same, despite a written policy.
>
> The problem is that having different AD and IPA policies, while acceptable to me,
> probably isn't acceptable for the organisation.
>
> To exclude a user from passsync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the
> command line, and also I don't see how it's easily and quickly auditable either.
>
> eg how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called say "excluded passsync users" and I just
> drop the user(s) in, it's very easy to do and look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
password.

Without this, when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?

rob
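Steven asks above how to check who is currently listed, and Rob explains that passSyncManagersDNs names the accounts allowed to set a password without forcing a reset. The following is an added example, not code from this thread, from the identity guide or from FreeIPA itself: it reads the LDIF that an ldapsearch of cn=ipa_pwd_extop,cn=plugins,cn=config returns, collects every passSyncManagersDNs value (handling LDIF line folding and base64 "::" values), and reports which of those DNs also appear in a list of accounts the organisation treats as privileged. The sample LDIF, the user names alice, bob and carol, and the PRIVILEGED list are constructed for the example; the ldapsearch flags are standard OpenLDAP client flags.

```python
import base64
import shlex

# DN of the password plugin entry named in the thread.
PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"

# Constructed sample of what `ldapsearch -LLL` could return for that entry.
# The values are made up; one is line-folded and one is base64 ("::")
# encoded, both of which real LDIF output may contain.
_BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
SAMPLE_LDIF = (
    "dn: " + PLUGIN_DN + "\n"
    "cn: ipa_pwd_extop\n"
    "passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
    "passSyncManagersDNs: uid=alice,cn=users,cn=accounts,dc=example,\n"
    " dc=com\n"
    "passSyncManagersDNs:: " + base64.b64encode(_BOB.encode()).decode() + "\n"
    "\n"
)

# Constructed list of accounts treated as privileged on the Linux side
# (hypothetical names, not from the thread).
PRIVILEGED = [
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
    "uid=carol,cn=users,cn=accounts,dc=example,dc=com",
]


def ldapsearch_command(host="ldap.example.com", port=389):
    """Command that fetches only the plugin entry (base-scope search) and the
    attribute of interest, binding as Directory Manager with a prompted password."""
    return [
        "ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}",
        "-D", "cn=Directory Manager", "-W",
        "-b", PLUGIN_DN, "-s", "base", "(objectClass=*)", "passSyncManagersDNs",
    ]


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    '::' base64 values, lower-cases attribute names. Returns [(dn, {attr: [values]})]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation of the previous line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = (value, {})
            continue
        if current is None:
            continue                        # attribute before any dn line: ignore
        current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_passsync_managers(ldif_text, privileged):
    """Return (managers, flagged): every DN listed in passSyncManagersDNs, i.e.
    accounts allowed to set a password without forcing a reset, and the subset
    that also appears in the privileged list (DN comparison is case-insensitive)."""
    managers = []
    for dn, attrs in parse_ldif(ldif_text):
        if dn.lower() == PLUGIN_DN.lower():
            managers.extend(attrs.get("passsyncmanagersdns", []))
    privileged_lc = {p.lower() for p in privileged}
    flagged = sorted(m for m in managers if m.lower() in privileged_lc)
    return managers, flagged


if __name__ == "__main__":
    print("Against a live server, run:", shlex.join(ldapsearch_command()))
    managers, flagged = audit_passsync_managers(SAMPLE_LDIF, PRIVILEGED)
    for dn in managers:
        print("manager:", dn, "(PRIVILEGED)" if dn in flagged else "")
```

Pipe the real ldapsearch output into audit_passsync_managers in place of SAMPLE_LDIF to get the current list; the flagged subset is the one worth reviewing, since those are privileged accounts whose password can be set through the sync path without a forced reset.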



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
