On Sun, 02 Nov 2014, Gregor Bregenzer wrote:
> I have FreeIPA 4.0.1 with a trust to AD to Windows 2012. The Linux
> clients have sssd 1.11.6 and use the ipa provider for authentication
> (part of client sssd.conf):
>
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = linux1.linux.intern
> chpass_provider = ipa
>
> I found out, the password policy for complexity etc. is retrieved from
> the group policy in AD, but is there also a way to retrieve the
> password policy from FreeIPA? All the other parts such as sudo rules
> and HBAC work when I assign the FreeIPA posix group which includes the
> external group from AD, but not the password policy.

Authentication is handled by AD in this case, thus password policy is
handled by AD DCs as well. There is no way to attach IPA-specific
password policy to AD users because the actual password policy check is
done on AD side without us being involved in any decision.

> Is there also some documentation about password policy with AD trust
> (I was browsing documents from http://www.freeipa.org/page/Trusts but
> did not find anything)?

Since we don't have ways to handle it, there is no documentation. The
same situation would be with any Kerberos cross-realm trust -- the final
decision on password changes is done by the KDC that is responsible for
the Kerberos principal in question.
/ Alexander Bokovoy