Yes will do.
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
0064 4 463 6272
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 13 November 2013 12:20 p.m.
To: Steven Jones; firstname.lastname@example.org
Subject: Re: [Freeipa-users] 2 question on passsync
Steven Jones wrote:
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
> yep, that's what I expected, I just didn't word it well.
> I just wondered if we could receive the plain text password then hash it,
> then for an excluded user compare hashes and if they match raise an audit
> What we have is a concern that if AD gets hacked, certain users such
> as myself who have more privileges in Linux land could get their Linux side
> accounts also hacked simply via a malicious password change in AD. This
> would mean that we might lose all of our Linux side as well as the Windows
> A way to prevent this is to exclude those certain users from passsync. The
> issue then is there is nothing stopping an excluded user manually making the
> passwords the same, despite a written policy.
> The problem with having different AD and IPA policies, while acceptable to me,
> probably isn't acceptable for the organisation.
> To exclude a user from passsync the identity guide says run,
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> Which means every time I want to exclude a user I have to do this via the
> command line and also I don't see how it's easily and quickly auditable either.
> e.g. how do I check who is and isn't excluded?
> Now if it's an IPA user group called say "excluded passsync users" and I just
> drop the user(s) in, its very easy to do and look at to audit.
This isn't what passSyncManagersDNs does. What this value does is list
the users who can change a password without requiring a reset of that
Without this then when a new password is synced from AD it would require
a reset, which sort of defeats the point of syncing passwords.
I like your idea of a group, can you file an RFE on this?
Freeipa-users mailing list
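An added audit check, not from the thread or the FreeIPA project: since passSyncManagersDNs lists the DNs allowed to set a password without forcing a reset (normally only the PassSync agent's bind account), a defender wants to confirm nobody else has been added. The script parses the LDIF that `ldapsearch -x -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs` returns and diffs it against an expected allow-list; the sample LDIF, the `uid=passsync` service DN and the EXPECTED list are constructed assumptions.

```python
"""Audit passSyncManagersDNs on the ipa_pwd_extop plugin (added example).

Pipe real ldapsearch LDIF on stdin; with no stdin the constructed
SAMPLE_LDIF below is used. Exit status 1 means drift from EXPECTED.
"""
import sys

ATTR = "passsyncmanagersdns"  # LDAP attribute names are case-insensitive


def parse_ldif_attr(ldif_text, attr=ATTR):
    """Return the values of `attr` from LDIF text, re-joining wrapped
    continuation lines (a leading space) first. Assumes plain values,
    not base64 ('::') encoded ones."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if ":" not in line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == attr:
            values.append(value.strip())
    return values


def normalize_dn(dn):
    """Lower-case and strip each RDN so cosmetic differences don't hide drift."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit(ldif_text, expected):
    """Return (unexpected, missing): DNs present but not allowed, and
    allowed DNs that are absent."""
    found = {normalize_dn(v) for v in parse_ldif_attr(ldif_text)}
    want = {normalize_dn(v) for v in expected}
    return sorted(found - want), sorted(want - found)


# Constructed sample: the PassSync service account plus an ordinary user
# that should not be in the list (line-wrapped as ldapsearch would do).
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=user,cn=users,cn=accounts,
 dc=example,dc=com
"""
EXPECTED = ["uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"]  # assumed

if __name__ == "__main__":
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    unexpected, missing = audit(text, EXPECTED)
    for dn in unexpected:
        print("UNEXPECTED passSyncManagersDNs entry:", dn)
    for dn in missing:
        print("MISSING expected entry:", dn)
    sys.exit(1 if unexpected or missing else 0)
```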