[Freeipa-users] 2 question on passsync
Hi,

Not sure on the details here, so please bear with me. When PassSync is set up, some users can be exempted from the sync. So I have 2 questions, or requests for features maybe.

This feature is good; however, there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD. So even if we have a written policy that says you cannot do this, it looks like we cannot check or enforce it. Hence I see this as an audit failure. So what I'm asking, I guess, is: is there any way that when a password sync occurs, the hash of the IPA password and the hash the AD password would be converted to get compared, and a security violation is raised if they match? If not, would this be a useful feature? To me I think it would be something we'd like for audit purposes.

Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's point and click and it's easily visually auditable.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 2 question on passsync
On 11/12/2013 03:47 PM, Steven Jones wrote:
> Hi,
>
> Not sure on the details here, so please bear with me. When PassSync is set up, some users can be exempted from the sync. So I have 2 questions, or requests for features maybe.
>
> This feature is good; however, there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD. So even if we have a written policy that says you cannot do this, it looks like we cannot check or enforce it. Hence I see this as an audit failure.

With Winsync/PassSync this is actually the default behavior. The passwords are the same because most people, to the best of our knowledge, want it this way. If I get you right, your proposal is actually to force the reverse, which seems to be a very corner use case based on the information we have.

> So what I'm asking, I guess, is: is there any way that when a password sync occurs, the hash of the IPA password and the hash the AD password would be converted to get compared, and a security violation is raised if they match?

Winsync does not sync password hashes. PassSync syncs passwords and then causes the creation of the hashes. Password hashes are attributes that are really not that easily readable to conduct the comparison you suggest.

IMO you can make sure that passwords are different (if you do not want to have the same passwords on both sides) by setting mutually exclusive password policies. For example, force all IPA passwords to be 12 characters and AD passwords 11 characters, or vice versa. This is just an example.

> If not, would this be a useful feature? To me I think it would be something we'd like for audit purposes.
>
> Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's point and click and it's easily visually auditable.

Can you please explain what you mean by setting it up via a user group? It is unclear what you have in mind.

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] 2 question on passsync
Hi,

> Winsync does not sync password hashes. PassSync syncs passwords and then causes the creation of the hashes.

Yep, that's what I expected; I just didn't word it well. I just wondered if we could receive the plain text password, then hash it, then for an excluded user compare hashes and, if they match, raise an audit alert.

What we have as a concern is that if AD gets hacked, certain users such as myself who have more privileges in Linux land could get their Linux side accounts also hacked simply via a malicious password change in AD. This would mean that we might lose all of our Linux side as well as the Windows side. A way to prevent this is to exclude those certain users from PassSync. The issue then is there is nothing stopping an excluded user manually making the passwords the same, despite a written policy.

The problem with having different AD and IPA policies, while acceptable to me, is that it probably isn't acceptable for the organisation.

To exclude a user from PassSync the identity guide says run:

    ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    changetype: modify
    add: passSyncManagersDNs
    passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com

Which means every time I want to exclude a user I have to do this via the command line, and I also don't see how it's easily and quickly auditable either, e.g. how do I check who is and isn't excluded? Now if it's an IPA user group called, say, "excluded passsync users" and I just drop the user(s) in, it's very easy to do and to look at to audit.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 13 November 2013 10:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 2 question on passsync
Re: [Freeipa-users] 2 question on passsync
Steven Jones wrote:
> To exclude a user from PassSync the identity guide says run:
>
>     ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
>     dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>     changetype: modify
>     add: passSyncManagersDNs
>     passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com
>
> Which means every time I want to exclude a user I have to do this via the command line, and I also don't see how it's easily and quickly auditable either, e.g. how do I check who is and isn't excluded? Now if it's an IPA user group called, say, "excluded passsync users" and I just drop the user(s) in, it's very easy to do and to look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list the users who can change a password without requiring a reset of that password. Without this, when a new password is synced from AD it would require a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?

rob
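The attribute Rob describes is worth auditing for exactly the reason he gives: any DN listed in passSyncManagersDNs can set a user's password without IPA forcing a reset, so the list should contain only the account PassSync binds as. Below is an added example, written for this page and not code from the thread or from FreeIPA, that parses the LDIF ldapsearch returns for the plugin entry and flags every DN that is not on the expected list. The sample LDIF and every DN in it are constructed; the service-account DN uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com, the script name audit_passsync.py and the function names are assumptions made for the example.

```python
"""Audit passSyncManagersDNs on a FreeIPA server (added example, not FreeIPA code).

Usage against a live server (the command is standard ldapsearch; not run here):
    ldapsearch -x -D "cn=Directory Manager" -W -LLL \
        -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passSyncManagersDNs \
        | python3 audit_passsync.py
"""
import base64
import sys
from typing import Dict, List

# Constructed sample of what the ldapsearch above returns. All DNs are
# invented. It deliberately contains the two LDIF quirks that defeat a
# grep-based check: a value folded onto a continuation line (leading single
# space) and a base64-encoded value (double colon after the attribute name).
SAMPLE_LDIF = """dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=sjones,cn=users,cn=accounts,dc=example,dc=
 com
passSyncManagersDNs:: dWlkPWFkbWluLGNuPXVzZXJzLGNuPWFjY291bnRzLGRjPWV4YW1wbGUsZGM9Y29t

"""

# Assumption: the only DN that legitimately belongs in the list is the system
# account PassSync binds as; its name and location are an assumption.
EXPECTED_MANAGERS = ["uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"]


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name (lowercased): [values]}.

    Unfolds continuation lines (RFC 2849), decodes '::' base64 values and
    skips comments and blank lines. Names are lowercased because LDAP
    attribute types are case-insensitive.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        elif raw.strip() == "" or raw.startswith("#"):
            continue
        else:
            logical.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                               # "attr: <value>"
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def normalize_dn(dn: str) -> str:
    """Cheap DN normalisation: trim whitespace around each RDN and lowercase.
    Enough for the attr=value RDNs used here; not a full RFC 4514 parser."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit_pass_sync_managers(ldif_text: str, expected: List[str]) -> Dict[str, List[str]]:
    """Split the listed DNs into expected and unexpected ones.

    Every DN in passSyncManagersDNs can set another user's password without
    IPA forcing a reset on next login, so each unexpected DN is a finding.
    """
    attrs = parse_ldif_entry(ldif_text)
    allow = {normalize_dn(d) for d in expected}
    report: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for dn in attrs.get("passsyncmanagersdns", []):
        bucket = "expected" if normalize_dn(dn) in allow else "unexpected"
        report[bucket].append(dn)
    return report


def ldif_remove_manager(dn: str) -> str:
    """LDIF for ldapmodify that removes one DN from passSyncManagersDNs,
    the reverse of the 'add' shown in the guide excerpt quoted above."""
    return (
        "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
        "changetype: modify\n"
        "delete: passSyncManagersDNs\n"
        f"passSyncManagersDNs: {dn}\n"
    )


if __name__ == "__main__":
    ldif = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not ldif.strip():
        ldif = SAMPLE_LDIF                  # no input: exercise the sample
    report = audit_pass_sync_managers(ldif, EXPECTED_MANAGERS)
    for dn in report["expected"]:
        print(f"ok       {dn}")
    for dn in report["unexpected"]:
        print(f"FINDING  {dn}")
        print(ldif_remove_manager(dn), end="")
    sys.exit(1 if report["unexpected"] else 0)
```

Feed it the ldapsearch output on stdin, or run it with no input to exercise the constructed sample. A non-zero exit status plus a ready-made LDIF "delete" for each unexpected DN makes it easy to wire into a periodic check; the unfolding and base64 handling are what a plain grep for the attribute would get wrong.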
Re: [Freeipa-users] 2 question on passsync
Yes, will do.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 13 November 2013 12:20 p.m.
To: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 2 question on passsync