Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html

regards,
---
Ernedin ZAJKO
eza...@root.ba
> 340282366920938463463374607431768211456

On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister <listera...@gmail.com> wrote:
> Unfortunately, policy and regulation often lag behind current theory by
> several decades. For what it's worth, I'd second being able to set more
> complicated policies as a useful feature.
>
> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <lachlan.simp...@petermac.org> wrote:
>>
>> > -Original Message-
>> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bennett, Chip
>> > Sent: Thursday, 13 October 2016 7:21 AM
>> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>> >
>> > Flo,
>> >
>> > Thanks for getting back to me. I had seen this in the documentation. I was just
>> > hoping that I was missing something. I guess I'm just surprised that a product
>> > designed to manage authentication wouldn't have a way to be more specific in the
>> > complexity requirements.
>>
>> I don't know. Those types of complexity requirements are multifaceted,
>> complex and somewhat arbitrary. Given that each then requires a regex, I'm
>> quite happy that the devs focus on getting other aspects of FreeIPA to work
>> over password complexity.
>>
>> As xkcd noted a couple of years ago, password length is better for
>> security than anything else.
>>
>> Complex arrangements of different character classes are neither human- nor
>> UX-friendly, nor where contemporary security theory is focused - try 2FA,
>> public/private keys, etc. While I understand that large organisations have
>> policy that often drags well behind contemporary theory, I don't think it's
>> fair to expect software to also allow for that.
>>
>> Cheers
>> L.
>> > Thanks again!
>> > Chip
>> >
>> > -Original Message-
>> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
>> > Sent: Wednesday, October 12, 2016 3:18 PM
>> > To: Bennett, Chip <cbenn...@ftdi.com>; freeipa-users@redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>> >
>> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>> > > I just joined this list, so if this question has been asked before
>> > > (and I'll bet it has), I apologize in advance.
>> > >
>> > > A google search was unrevealing, so I'm asking here: we're running
>> > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
>> > > complexity requirements are limited to setting the number of character
>> > > classes to require, i.e. setting it to "2" would require your new
>> > > password to be any two of the character classes.
>> > >
>> > > What if you wanted new passwords to meet specific class requirements,
>> > > i.e. a mix of UC, LC, and numbers? It looks like you would use a
>> > > value of "3" to accomplish this, but that would also allow UC, LC, and
>> > > special, or LC, numbers, and special, and you don't want to allow
>> > > those: how would you specify that?
>> > >
>> > Hi,
>> >
>> > as far as I know, it is only possible to specify the number of different character
>> > classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes
>> > the following:
>> > ---
>> > Character classes sets the number of different categories of character that must be
>> > used in the password. This does not set which classes must be used; it sets the
>> > number of different (unspecified) classes which must be used in a password. For
>> > example, a character class can be a number, special character, or capital; the
>> > complete list of categories is in Table 22.1, "Password Policy Settings".
>> > This is part of setting the complexity requirements.
>> > ---
>> >
>> > hope this clarifies,
>> >
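The difference the thread turns on is between a policy that counts distinct character classes (what the quoted FreeIPA documentation describes) and one that names the classes a password must contain (what Chip asked for). The following is an added example, not FreeIPA code, that implements both rules side by side so the gap is visible on concrete passwords; the class labels and the sample passwords are constructed for the demonstration.

```python
import string

# Character classes roughly as the quoted FreeIPA doc enumerates them
# (capital, lower, number, special). The labels are ours; this is an
# added example and not FreeIPA's own policy code.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_in(password):
    """Return the set of class labels that occur at least once in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_class_count(password, minclasses):
    """The rule FreeIPA's 'character classes' setting expresses:
    at least minclasses distinct classes, whichever ones they are."""
    return len(classes_in(password)) >= minclasses


def meets_required_classes(password, required):
    """The rule Chip wanted: every class named in required must appear."""
    return set(required).issubset(classes_in(password))


def evaluate(password, minclasses=3, required=("upper", "lower", "digit")):
    """Evaluate one password under both rules and report what is missing."""
    found = classes_in(password)
    return {
        "classes": sorted(found),
        "count_ok": len(found) >= minclasses,
        "required_ok": set(required).issubset(found),
        "missing": sorted(set(required) - found),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the first satisfies "3 classes" but not
    # "upper+lower+digit", which is exactly the case the thread describes.
    for pw in ("Abc!defg", "Abc123dd", "abc123!!"):
        print(pw, evaluate(pw))
```

`Abc!defg` passes the count rule with three classes (upper, lower, special) yet fails the required-classes rule because it has no digit; that is the password FreeIPA 3.0's setting of "3" would accept and Chip's intended policy would not. The 389-ds password syntax page Ernedin links describes per-class minimum attributes on the directory server side; whether those apply to a given FreeIPA password change depends on which path the change takes, which this thread does not settle.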
Re: [Freeipa-users] openLDAP to FreeIPA user migration
Hi Alexander,

thank you for this - I think this should even work for missing some mandatory (gid) attributes...

regards,
---
Ernedin ZAJKO
eza...@root.ba
> 340282366920938463463374607431768211456

On Thu, Sep 1, 2016 at 9:26 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 01 Sep 2016, William Muriithi wrote:
>>
>> Afternoon,
>>
>> I have an openLDAP system that lacks a required attribute. This results
>> in the migration script rejecting all the user imports.
>>
>> I have googled extensively, read every line of the ipa migration --help
>> doc and it doesn't seem I will be able to use this migration script.
>> I wonder if there is anybody here who has been able to overcome this
>> problem in the past.
>>
>> [root@hydrogen ~]# ipa -v migrate-ds --with-compat
>>     --bind-dn="cn=admin,dc=eng.example,dc=com"
>>     --user-ignore-attribute="sn"
>>     --user-container="ou=People,dc=eng.example,dc=com"
>>     --group-container="ou=Group,dc=eng.example,dc=com"
>>     --group-objectclass="posixGroup" --user-objectclass="account"
>>     ldap://192.168.20.18:389
>> ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json
>> Password:
>> ipa: INFO: Forwarding 'migrate_ds' to json server 'https://hydrogen.eng.example.com/ipa/session/json'
>> -----------
>> migrate-ds:
>> -----------
>> Migrated:
>> Failed user:
>>   aagrim: missing attribute "sn" required by object class "organizationalPerson"
>>   acctemp: missing attribute "sn" required by object class "organizationalPerson"
>>   ...
>
> This looks like a common problem. I had recently made a small 'hack' to
> solve this problem.
>
> The following small fixup plugin could be used to affect how entries are
> generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins
> on the IPA master and restart the httpd service, the plugin would modify the
> migrate-ds command so that the 'sn' attribute would be set to
> 'Migrated User Last Name' for all entries that miss the 'sn' attribute
> before they actually get added into IPA LDAP.
> This is an experimental hack, of course, but it should work. Once
> migration is finished, don't forget to remove the file and restart httpd
> service again.
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
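Alexander's plugin itself is not included in the archived message, so what follows is an added example rather than his ipalib code: it shows the fixup logic as a stand-alone pre-migration pass over LDIF-style entries, which you could run against an export of the source directory before invoking migrate-ds. The point it makes beyond the thread is that the check must be done against the object classes IPA will assign to the migrated user (organizationalPerson, posixAccount, and so on), not against the source entry's own classes, because that is why an `account`/`posixAccount` entry that is valid in openLDAP fails in IPA. The schema tables, the `IPA_USER_CLASSES` subset, the `gidNumber` placeholder and the sample LDIF are all constructed assumptions.

```python
# Pre-migration fixup for source LDAP entries that lack attributes the
# target (IPA) object classes require. Added example, not the ipalib plugin
# from the thread; works on plain dicts parsed from LDIF so it runs offline.

# MUST attributes per object class. organizationalPerson/sn is the pair
# 389-ds complained about in the thread; person and posixAccount are the
# standard RFC 4519 / RFC 2307 definitions.
REQUIRED = {
    "person": ["cn", "sn"],
    "organizationalPerson": ["sn"],
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
}

# Placeholder values for missing attributes. 'sn' reuses the text from the
# thread's hack; the gidNumber value is an assumed placeholder group that
# an administrator would remap to a real group after migration.
DEFAULTS = {
    "sn": "Migrated User Last Name",
    "gidNumber": "99999",
}

# Classes IPA assigns to every migrated user regardless of what the source
# entry carried (assumed subset; IPA's full list is longer). Checking only
# the source classes would miss the failure seen above.
IPA_USER_CLASSES = ("person", "organizationalPerson", "inetOrgPerson", "posixAccount")


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line ends an entry.
    Base64 (::) values and folded lines are not handled; enough for exports
    of simple POSIX accounts like the sample below."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _sep, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def fixup_entry(entry, target_classes=IPA_USER_CLASSES):
    """Fill placeholders for required attributes the entry lacks.

    Returns (patched_entry, filled, unresolved): 'filled' lists attributes a
    placeholder was supplied for, 'unresolved' lists required attributes that
    are missing and have no default, so migrate-ds would still reject them.
    """
    patched = {k: list(v) for k, v in entry.items()}
    classes = sorted(set(entry.get("objectclass", [])) | set(target_classes))
    filled, unresolved = [], []
    for oc in classes:
        for attr in REQUIRED.get(oc, []):
            if attr.lower() in patched:
                continue
            if attr in DEFAULTS:
                patched[attr.lower()] = [DEFAULTS[attr]]
                filled.append(attr)
            elif attr not in unresolved:
                unresolved.append(attr)
    return patched, filled, unresolved


def fixup_all(entries):
    """Apply fixup_entry to each entry; returns [(uid, filled, unresolved), ...]."""
    report = []
    for entry in entries:
        patched, filled, unresolved = fixup_entry(entry)
        report.append((patched["uid"][0], filled, unresolved))
    return report


# Constructed sample export: two accounts valid under openLDAP's 'account'
# and 'posixAccount' classes, neither with 'sn', the second also lacking
# gidNumber (the case Ernedin mentions).
SAMPLE_LDIF = """\
dn: uid=aagrim,ou=People,dc=eng.example,dc=com
objectClass: account
objectClass: posixAccount
uid: aagrim
cn: A. Agrim
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/aagrim

dn: uid=acctemp,ou=People,dc=eng.example,dc=com
objectClass: account
objectClass: posixAccount
uid: acctemp
cn: Temp Account
uidNumber: 1002
homeDirectory: /home/acctemp
"""

if __name__ == "__main__":
    for uid, filled, unresolved in fixup_all(parse_ldif(SAMPLE_LDIF)):
        print(uid, "filled:", filled, "unresolved:", unresolved)
```

Running it reports `sn` filled for both users and `gidNumber` filled for the second; anything listed as unresolved is an attribute you still need to source from somewhere before migrate-ds will accept the entry. As with the in-server hack, placeholder values are a migration aid only and should be replaced with real data afterwards.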
Re: [Freeipa-users] who did what on IPAv3 - auditing
Hi Stefan,

have you seen this: https://access.redhat.com/solutions/772563

regards,
---
Ernedin ZAJKO
eza...@root.ba
> 340282366920938463463374607431768211456

On Tue, Jul 26, 2016 at 12:45 PM, Stefan Uygur <suy...@firstderivatives.com> wrote:
> This is the case I am after, just to be more precise:
>
> https://access.redhat.com/solutions/441893
>
> It was requested 3 yrs ago but no follow up so far.
>
> From: Stefan Uygur
> Sent: 26 July 2016 11:18
> To: freeipa-users@redhat.com
> Subject: who did what on IPAv3 - auditing
>
> Hi all,
>
> Still around the auditing problem with IPA: it seems the part related to
> auditing is completely missing in IPA and that is not really good.
>
> For instance, to find out who did what, who added or modified the
> permissions or users or sudo rules, etc., all this needs auditing and it needs
> to be proof of concept.
>
> I don't see IPA being very friendly with the auditing part, although IPA is a
> central identity management system, which means auditing is all over IPA. I
> am surprised that this part is missing.
>
> There is a page that suggests setting up central logging:
> http://www.freeipa.org/page/Centralized_Logging
>
> With a combination of multiple logs, but I have checked the logs carefully and
> I still can't find out, say, who added user John Doe on 21 July 2016 at
> 11.35.
>
> Has anybody in the list experienced or set up such a solution where the IPA
> server activity is tracked down?
>
> Stefan
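The specific question Stefan asks, "who added user John Doe on 21 July 2016 at 11.35", can be answered from the 389-ds access log that IPA's directory server writes, because every write operation there is logged with the connection number it arrived on and the bind that authenticated that connection is logged on the same connection. The following is an added example, not something from the thread or from FreeIPA: it correlates `BIND`/`RESULT` lines with later `ADD`/`MOD`/`DEL`/`MODRDN` lines per connection. The log lines are constructed in the 389-ds access log format; the DNs, timestamps and connection numbers are assumptions. GSSAPI binds, which is how IPA's framework authenticates on behalf of a CLI or web UI user, log `dn=""` on the `BIND` line and report the authenticated identity on the final `RESULT` line, so the code takes the identity from whichever line carries it.

```python
import re

# 389-ds access log line shape: "[timestamp] conn=N op=M VERB ...". The
# "op=" part is absent on connection open/close lines. Added example code;
# the sample log below is constructed, not captured from a real server.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$'
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
WRITE_OPS = ("ADD", "MOD", "DEL", "MODRDN")


def directory_changes(lines):
    """Walk access log lines in order and return every write operation with
    the DN the connection was bound as when it ran, plus the RESULT error code
    (0 means the change was applied)."""
    bound = {}      # conn -> authenticated DN, or None while a SASL bind is in progress
    bind_ops = {}   # (conn, op) -> True while a BIND awaits its RESULT
    pending = {}    # (conn, op) -> write record awaiting its RESULT
    changes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, op, rest = m.group("ts"), m.group("conn"), m.group("op"), m.group("rest")
        key = (conn, op)
        verb = rest.split(" ", 1)[0]
        if verb == "BIND":
            dn = DN_RE.search(rest)
            # Simple binds carry the DN here; SASL/GSSAPI binds log dn="".
            bound[conn] = dn.group("dn") if dn and dn.group("dn") else None
            bind_ops[key] = True
        elif verb == "RESULT":
            em = ERR_RE.search(rest)
            err = int(em.group("err")) if em else None
            if key in bind_ops:
                dn = DN_RE.search(rest)
                if dn and dn.group("dn"):
                    bound[conn] = dn.group("dn")   # GSSAPI identity arrives here
                if err == 0:
                    del bind_ops[key]
            elif key in pending:
                rec = pending.pop(key)
                rec["err"] = err
                changes.append(rec)
        elif verb in WRITE_OPS:
            dn = DN_RE.search(rest)
            pending[key] = {
                "time": ts, "conn": conn, "op": verb,
                "target": dn.group("dn") if dn else None,
                "actor": bound.get(conn) or "<anonymous>",
            }
        elif verb == "UNBIND":
            bound.pop(conn, None)
    return changes


def who_changed(lines, target_dn):
    """Successful writes to target_dn, each with the actor that performed it."""
    return [c for c in directory_changes(lines)
            if c["target"] == target_dn and c["err"] == 0]


# Constructed sample: admin adds jdoe over a GSSAPI-bound connection, then a
# helpdesk account modifies the same entry over a simple bind.
SAMPLE_LOG = """\
[21/Jul/2016:11:34:58 +0000] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[21/Jul/2016:11:34:58 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Jul/2016:11:34:58 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[21/Jul/2016:11:35:01 +0000] conn=12 op=1 ADD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[21/Jul/2016:11:35:01 +0000] conn=12 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[21/Jul/2016:11:35:10 +0000] conn=13 op=0 BIND dn="uid=helpdesk,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[21/Jul/2016:11:35:10 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Jul/2016:11:35:12 +0000] conn=13 op=1 MOD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[21/Jul/2016:11:35:12 +0000] conn=13 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[21/Jul/2016:11:35:20 +0000] conn=12 op=2 UNBIND
"""

if __name__ == "__main__":
    for c in who_changed(SAMPLE_LOG.splitlines(), "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"):
        print(c["time"], c["op"], c["target"], "by", c["actor"])
```

This answers the "who" and "when" for entries changed directly in the directory, which covers users, groups, sudo rules and permissions since IPA stores all of them as LDAP entries. It does not show what changed inside a MOD (the access log records only the operation and target), and it only works if the access log is retained and shipped somewhere the attacker or an erring administrator cannot truncate it, which is the role the centralized logging page Stefan links would play.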