Re: [Freeipa-users] Setting a new directory manager password

2012-03-27 Thread Simo Sorce
On Mon, 2012-03-26 at 23:03 +, Steven Jones wrote:
> Hi,
> 
> No, I was confused, I thought you meant there was some function that
> the DM held that could be delegated.  I expect that the admin user
> will be deleted as that's an attack vector (however obscure/indirect).

If you delete the admin user you will completely break your FreeIPA
server. Just FYI.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Steven Jones
Hi,

No, I was confused, I thought you meant there was some function that the DM 
held that could be delegated.  I expect that the admin user will be deleted as 
that's an attack vector (however obscure/indirect).

I'm really looking at what is considered good AD security practice and looking 
to see what is appropriate or equivalent in IPA.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 27 March 2012 11:52 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting a new directory manager password

On 03/26/2012 05:36 PM, Steven Jones wrote:
> Hi,
>
> What needs to be delegated?

Maybe I misread what you are trying to accomplish.
Are you talking about the DM password or the admin account password?

The DM password is needed for low-level DS operations, for example if
something goes wrong.

The admin password is needed for the admin account, and since the admin
account is the only IPA admin created out of the box, it is needed to do
all the IPA administration. However, you can split (delegate) the
administrative capabilities to different low-level admins and make the
admin account not used or owned by the same person who owns the DM
password. How you split the responsibilities is up to you. How do you do
it? Via the permission, privilege and role related commands or the UI.

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, 27 March 2012 10:34 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Setting a new directory manager password
>
> On 03/26/2012 05:28 PM, Steven Jones wrote:
>> Hi,
>>
>> Our policy is to have the security manager hold the top most password of AD. 
>> There is a requirement that we do the same thing for IPA if 
>> possible/practical.
>>
>> So, is there any reason apart from resetting the admin password or 
>> replication that I would ever need this password in a day to day context?
> As long as you create other administrative accounts and define their
> permissions as more confined you do not need to use this admin account
> other than to perform operations on itself. All other functions can be
> delegated except the DM password of the underlying DS that should be
> used only if you need to do some low level DS operations in case
> something went wrong.
>
>> If not, how would I re-write/change the password?
>>




Re: [Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Dmitri Pal
On 03/26/2012 05:36 PM, Steven Jones wrote:
> Hi,
>
> What needs to be delegated?

Maybe I misread what you are trying to accomplish.
Are you talking about the DM password or the admin account password?

The DM password is needed for low-level DS operations, for example if
something goes wrong.

The admin password is needed for the admin account, and since the admin
account is the only IPA admin created out of the box, it is needed to do
all the IPA administration. However, you can split (delegate) the
administrative capabilities to different low-level admins and make the
admin account not used or owned by the same person who owns the DM
password. How you split the responsibilities is up to you. How do you do
it? Via the permission, privilege and role related commands or the UI.

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, 27 March 2012 10:34 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Setting a new directory manager password
>
> On 03/26/2012 05:28 PM, Steven Jones wrote:
>> Hi,
>>
>> Our policy is to have the security manager hold the top most password of AD. 
>> There is a requirement that we do the same thing for IPA if 
>> possible/practical.
>>
>> So, is there any reason apart from resetting the admin password or 
>> replication that I would ever need this password in a day to day context?
> As long as you create other administrative accounts and define their
> permissions as more confined you do not need to use this admin account
> other than to perform operations on itself. All other functions can be
> delegated except the DM password of the underlying DS that should be
> used only if you need to do some low level DS operations in case
> something went wrong.
>
>> If not, how would I re-write/change the password?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Steven Jones
Hi,

What needs to be delegated?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 27 March 2012 10:34 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting a new directory manager password

On 03/26/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> Our policy is to have the security manager hold the top most password of AD. 
> There is a requirement that we do the same thing for IPA if 
> possible/practical.
>
> So, is there any reason apart from resetting the admin password or 
> replication that I would ever need this password in a day to day context?

As long as you create other administrative accounts and define their
permissions as more confined you do not need to use this admin account
other than to perform operations on itself. All other functions can be
delegated except the DM password of the underlying DS that should be
used only if you need to do some low level DS operations in case
something went wrong.

> If not, how would I re-write/change the password?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Rich Megginson

On 03/26/2012 03:28 PM, Steven Jones wrote:
> Hi,
>
> Our policy is to have the security manager hold the top most password of AD.
> There is a requirement that we do the same thing for IPA if possible/practical.
>
> So, is there any reason apart from resetting the admin password or replication
> that I would ever need this password in a day to day context?
>
> If not, how would I re-write/change the password?

http://port389.org/wiki/Howto:ResetDirMgrPassword




Re: [Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Dmitri Pal
On 03/26/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> Our policy is to have the security manager hold the top most password of AD. 
> There is a requirement that we do the same thing for IPA if 
> possible/practical.
>
> So, is there any reason apart from resetting the admin password or 
> replication that I would ever need this password in a day to day context?

As long as you create other administrative accounts and define their
permissions as more confined you do not need to use this admin account
other than to perform operations on itself. All other functions can be
delegated except the DM password of the underlying DS that should be
used only if you need to do some low level DS operations in case
something went wrong.

> If not, how would I re-write/change the password?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



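Dmitri's advice in this thread is to delegate day-to-day administration through FreeIPA permissions, privileges and roles, so that the admin account and the DM password are kept for break-glass use only. The script below is an added example, not code from the thread or from the FreeIPA project: the role and privilege names are invented, and the "System: ..." permission names are assumed to exist on a FreeIPA 4.x server (confirm them with `ipa permission-find` before running).

```shell
#!/bin/sh
# Added example, not from the thread: delegate routine user support in FreeIPA
# to a dedicated role so the built-in "admin" account and the Directory
# Manager (DM) password stay locked away for break-glass use only.
# Assumptions: a FreeIPA 4.x server, a valid admin ticket (kinit admin), and
# the managed permission names below (verify with `ipa permission-find`).
set -eu

ROLE="Help Desk Operators"         # assumed role name
PRIVILEGE="Help Desk Operations"   # assumed privilege name

# Smallest useful permission set: password resets and unlocks only, no rights
# over groups, roles, hosts or the DS itself.
build_delegation() {
    ipa privilege-show "$PRIVILEGE" >/dev/null 2>&1 ||
        ipa privilege-add "$PRIVILEGE" --desc="Reset passwords and unlock accounts"
    ipa privilege-add-permission "$PRIVILEGE" \
        --permissions="System: Change User password" \
        --permissions="System: Unlock User"
    ipa role-show "$ROLE" >/dev/null 2>&1 ||
        ipa role-add "$ROLE" --desc="Delegated user support, no admin/DM rights"
    ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE"
}

# Grant the role to a named personal account (never to "admin" itself).
grant_role() {
    ipa role-add-member "$ROLE" --users="$1"
}

# Audit check: the operator must hold the role and must NOT be in "admins".
# Returns 0 when both hold, 1 otherwise.
check_not_admin() {
    user="$1"
    if ipa group-show admins | grep "Member users:" | grep -qw "$user"; then
        echo "$user is in the admins group; delegation defeated" >&2
        return 1
    fi
    ipa role-show "$ROLE" | grep "Member users:" | grep -qw "$user"
}

# Usage: sh delegate.sh alice
if [ "${1:-}" ]; then
    build_delegation
    grant_role "$1"
    check_not_admin "$1" && echo "$1 delegated via role '$ROLE'"
fi
```

After the grant, a `kinit alice` followed by `ipa passwd someuser` should succeed while `ipa group-add` or `ipa role-add` are refused, which is the practical test that the delegation is as narrow as intended.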


[Freeipa-users] Setting a new directory manager password

2012-03-26 Thread Steven Jones
Hi,

Our policy is to have the security manager hold the top most password of AD. 
There is a requirement that we do the same thing for IPA if possible/practical.

So, is there any reason apart from resetting the admin password or replication 
that I would ever need this password in a day to day context?

If not, how would I re-write/change the password?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
