Re: [Freeipa-users] FreeIPA AD password sync
Thank you for the quick reply and a solution. I will try it in the next couple of days.

Regards,
Gašper

On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek wrote:
> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> >>> I have been struggling with FreeIPA and AD password sync for a couple of
> >>> days now. At first everything was working fine, but then all of a sudden
> >>> the synchronization started to fail for me and another user.
> >>>
> >>> The error in passsync log was
> >>>
> >>>     Ldap error in ModifyPassword > 50: Insufficient access
> >>>
> >>> It took me some time to figure out that it was failing just for the two of us.
> >>> It was failing because we were in the admin user group in FreeIPA. Is this
> >>> intentional? Is it possible to somehow change this behaviour with a
> >>> setting?
> >>>
> >>> Regards,
> >>> Gašper
> >>
> >> Hello Gašper,
> >>
> >> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> >> this is expected behavior, based on the permission configuration:
> >>
> >>     'System: Change User password': {
> >>         'ipapermright': {'write'},
> >>         'ipapermtargetfilter': [
> >>             '(objectclass=posixaccount)',
> >>             '(!(memberOf=%s))' % DN('cn=admins',
> >>                                     api.env.container_group,
> >>                                     api.env.basedn),
> >>         ],
> >>         'ipapermdefaultattr': {
> >>             'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
> >>             'sambantpassword', 'userpassword'
> >>         },
> >>         ...
> >>         'default_privileges': {
> >>             'User Administrators',
> >>             'Modify Users and Reset passwords',
> >>             'PassSync Service',
> >>         },
> >>     },
> >>
> >> "PassSync Service" cannot indeed change passwords of admins group. I am
> >> wondering if we want to change the default, which was added so that
> >> lower-level administrators cannot change password of top level admins and
> >> impersonate them for example. Simo, any opinion?
> >
> > We do not want to change the default behavior.
> >
> > Simo.
>
> Ok. I requested a Doc update:
> https://bugzilla.redhat.com/show_bug.cgi?id=1287092
>
> Please feel free to comment in Bugzilla.
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA AD password sync
On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> I have been struggling with FreeIPA and AD password sync for a couple of
> days now. At first everything was working fine, but then all of a sudden
> the synchronization started to fail for me and another user.
>
> The error in passsync log was
>
>     Ldap error in ModifyPassword >> 50: Insufficient access
>
> It took me some time to figure out that it was failing just for the two of us.
> It was failing because we were in the admin user group in FreeIPA. Is this
> intentional? Is it possible to somehow change this behaviour with a
> setting?
>
> Regards,
> Gašper

Hello Gašper,

I assume you are running with FreeIPA version 4.0 and above. At the moment,
this is expected behavior, based on the permission configuration:

    'System: Change User password': {
        'ipapermright': {'write'},
        'ipapermtargetfilter': [
            '(objectclass=posixaccount)',
            '(!(memberOf=%s))' % DN('cn=admins',
                                    api.env.container_group,
                                    api.env.basedn),
        ],
        'ipapermdefaultattr': {
            'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
            'sambantpassword', 'userpassword'
        },
        ...
        'default_privileges': {
            'User Administrators',
            'Modify Users and Reset passwords',
            'PassSync Service',
        },
    },

"PassSync Service" cannot indeed change passwords of admins group. I am
wondering if we want to change the default, which was added so that
lower-level administrators cannot change password of top level admins and
impersonate them for example. Simo, any opinion?

If you want to allow that, you could also add a new permission to allow
changing admins group password and assign it to "PassSync Service" privilege.

Martin
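To make the cause of the "Insufficient access" error concrete, here is an added Python example (not code from this thread or from FreeIPA) that evaluates the permission's ipapermtargetfilter the way the directory server would, against two constructed user entries; the base DN and group container are assumed placeholders, and the complementary admins-only filter at the end is the shape of the extra permission Martin mentions, not an actual FreeIPA definition.

```python
import re

# Assumed deployment values (placeholders, not taken from the thread).
BASEDN = "dc=example,dc=test"
CONTAINER_GROUP = "cn=groups,cn=accounts"
ADMINS_DN = "cn=admins,%s,%s" % (CONTAINER_GROUP, BASEDN)

# The targetfilter list of 'System: Change User password'; items are ANDed.
CHANGE_PASSWORD_FILTER = [
    "(objectclass=posixaccount)",
    "(!(memberOf=%s))" % ADMINS_DN,
]

# Hypothetical complementary filter: same rights, but only for admins members.
ADMINS_ONLY_FILTER = [
    "(objectclass=posixaccount)",
    "(memberOf=%s)" % ADMINS_DN,
]

def _match(filt, entry):
    """Evaluate one filter item: '!' negation or attr=value equality.
    Attribute names and values compare case-insensitively, as in LDAP."""
    neg = re.fullmatch(r"\(!(\(.*\))\)", filt)
    if neg:
        return not _match(neg.group(1), entry)
    eq = re.fullmatch(r"\(([^=]+)=([^)]*)\)", filt)
    if not eq:
        raise ValueError("unsupported filter: %s" % filt)
    attr, value = eq.group(1).lower(), eq.group(2).lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return value in values

def matches_targetfilter(filters, entry):
    """True if the entry is a valid target of a permission with these filters."""
    return all(_match(f, entry) for f in filters)

def passsync_outcome(entry):
    """Result PassSync would log for a password modify on this entry."""
    if matches_targetfilter(CHANGE_PASSWORD_FILTER, entry):
        return "success"
    return "50: Insufficient access"

# Constructed entries as the server presents them (memberOf is plugin-maintained).
REGULAR_USER = {"objectClass": ["top", "person", "posixaccount"], "uid": ["alice"],
                "memberOf": ["cn=ipausers,%s,%s" % (CONTAINER_GROUP, BASEDN)]}
ADMIN_USER = {"objectClass": ["top", "person", "posixaccount"], "uid": ["gasper"],
              "memberOf": ["cn=ipausers,%s,%s" % (CONTAINER_GROUP, BASEDN), ADMINS_DN]}
```

Running `passsync_outcome(ADMIN_USER)` reproduces the thread's "50: Insufficient access" purely from the memberOf=cn=admins exclusion, while the same entry would pass `ADMINS_ONLY_FILTER`.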
Re: [Freeipa-users] FreeIPA AD password sync
On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for me and another user.
> >
> > The error in passsync log was
> >
> >     Ldap error in ModifyPassword >> 50: Insufficient access
> >
> > It took me some time to figure out that it was failing just for the two of us.
> > It was failing because we were in the admin user group in FreeIPA. Is this
> > intentional? Is it possible to somehow change this behaviour with a
> > setting?
> >
> > Regards,
> > Gašper
>
> Hello Gašper,
>
> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> this is expected behavior, based on the permission configuration:
>
>     'System: Change User password': {
>         'ipapermright': {'write'},
>         'ipapermtargetfilter': [
>             '(objectclass=posixaccount)',
>             '(!(memberOf=%s))' % DN('cn=admins',
>                                     api.env.container_group,
>                                     api.env.basedn),
>         ],
>         'ipapermdefaultattr': {
>             'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>             'sambantpassword', 'userpassword'
>         },
>         ...
>         'default_privileges': {
>             'User Administrators',
>             'Modify Users and Reset passwords',
>             'PassSync Service',
>         },
>     },
>
> "PassSync Service" cannot indeed change passwords of admins group. I am
> wondering if we want to change the default, which was added so that
> lower-level administrators cannot change password of top level admins and
> impersonate them for example. Simo, any opinion?

We do not want to change the default behavior.

Simo.

> If you want to allow that, you could also add a new permission to allow
> changing admins group password and assign it to "PassSync Service" privilege.
>
> Martin
Re: [Freeipa-users] FreeIPA AD password sync
On 12/01/2015 02:41 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
>> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
>>> I have been struggling with FreeIPA and AD password sync for a couple of
>>> days now. At first everything was working fine, but then all of a sudden
>>> the synchronization started to fail for me and another user.
>>>
>>> The error in passsync log was
>>>
>>>     Ldap error in ModifyPassword 50: Insufficient access
>>>
>>> It took me some time to figure out that it was failing just for the two of us.
>>> It was failing because we were in the admin user group in FreeIPA. Is this
>>> intentional? Is it possible to somehow change this behaviour with a
>>> setting?
>>>
>>> Regards,
>>> Gašper
>>
>> Hello Gašper,
>>
>> I assume you are running with FreeIPA version 4.0 and above. At the moment,
>> this is expected behavior, based on the permission configuration:
>>
>>     'System: Change User password': {
>>         'ipapermright': {'write'},
>>         'ipapermtargetfilter': [
>>             '(objectclass=posixaccount)',
>>             '(!(memberOf=%s))' % DN('cn=admins',
>>                                     api.env.container_group,
>>                                     api.env.basedn),
>>         ],
>>         'ipapermdefaultattr': {
>>             'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>>             'sambantpassword', 'userpassword'
>>         },
>>         ...
>>         'default_privileges': {
>>             'User Administrators',
>>             'Modify Users and Reset passwords',
>>             'PassSync Service',
>>         },
>>     },
>>
>> "PassSync Service" cannot indeed change passwords of admins group. I am
>> wondering if we want to change the default, which was added so that
>> lower-level administrators cannot change password of top level admins and
>> impersonate them for example. Simo, any opinion?
>
> We do not want to change the default behavior.
>
> Simo.

Ok. I requested a Doc update:
https://bugzilla.redhat.com/show_bug.cgi?id=1287092

Please feel free to comment in Bugzilla.

Martin
[Freeipa-users] FreeIPA AD password sync
I have been struggling with FreeIPA and AD password sync for a couple of
days now. At first everything was working fine, but then all of a sudden
the synchronization started to fail for me and another user.

The error in passsync log was

    Ldap error in ModifyPassword > 50: Insufficient access

It took me some time to figure out that it was failing just for the two of us.
It was failing because we were in the admin user group in FreeIPA. Is this
intentional? Is it possible to somehow change this behaviour with a
setting?

Regards,
Gašper