Re: [Freeipa-users] sync passwords with AD or not per user
Rich Megginson wrote:
> On 06/07/2011 03:41 PM, Steven Jones wrote:
>> Hi,
>> For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
>
> In 389 you can set password policy on a per-user or per-subtree basis. With a little extra work, you could probably get this working on a per-group or per-role basis as well. This should apply to IPA as well, depending on how they have implemented support for password policy.

We have per-group password policy but we don't use the 389-ds password policy engine.

What I don't know is what happens if you set a lousy password in AD, whether that gets replicated to IPA. Will it be rejected or accepted?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sync passwords with AD or not per user
On Wed, 2011-06-08 at 10:27 -0400, Rob Crittenden wrote:
> Rich Megginson wrote:
>> On 06/07/2011 03:41 PM, Steven Jones wrote:
>>> Hi,
>>> For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
>>
>> In 389 you can set password policy on a per-user or per-subtree basis. With a little extra work, you could probably get this working on a per-group or per-role basis as well. This should apply to IPA as well, depending on how they have implemented support for password policy.
>
> We have per-group password policy but we don't use the 389-ds password policy engine.
>
> What I don't know is what happens if you set a lousy password in AD, whether that gets replicated to IPA. Will it be rejected or accepted?

The ipa-pwd-extop module has a list of users that can set passwords w/o having them quality checked. The passsync user is normally one of these users. And passwords replicated from windows are not quality checked.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] sync passwords with AD or not per user
On 06/07/2011 03:03 PM, Steven Jones wrote:
> Hi,
> Is it possible to set some users so they will not password sync with AD while most do?

Do you want the user data to sync, just not the passwords?

regards
Re: [Freeipa-users] sync passwords with AD or not per user
On 06/07/2011 03:29 PM, Steven Jones wrote:
> Hi,
> I thought with freeipa 2.0 it could only sync passwords?

Usually PassSync works in conjunction with Windows Sync - you first sync the users from AD to IPA, then when the AD password changes, PassSync finds the corresponding user in IPA (synced over by Windows Sync), then sends the updated password for that user.

> Basically our security manager wants stricter and stronger password control on our financial linux-powered servers than is the policy set in AD, which is pathetic.

What sort of password control? Minimum length? Character classes? Password history checking?

regards

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Wednesday, 8 June 2011 9:20 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:03 PM, Steven Jones wrote:
>> Hi,
>> Is it possible to set some users so they will not password sync with AD while most do?
>
> Do you want the user data to sync, just not the passwords?
>
> regards
Re: [Freeipa-users] sync passwords with AD or not per user
On 06/07/2011 03:36 PM, Steven Jones wrote:
>> What sort of password control? Minimum length? Character classes? Password history checking?
>
> yes, yes and yes...
>
> regards

With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly. But what does this have to do with Windows PassSync?
Re: [Freeipa-users] sync passwords with AD or not per user
Hi,

For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.

regards

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Wednesday, 8 June 2011 9:36 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>> What sort of password control? Minimum length? Character classes? Password history checking?
>>
>> yes, yes and yes...
>>
>> regards
>
> With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly. But what does this have to do with Windows PassSync?
Re: [Freeipa-users] sync passwords with AD or not per user
On 06/07/2011 03:41 PM, Steven Jones wrote:
> Hi,
> For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.

In 389 you can set password policy on a per-user or per-subtree basis. With a little extra work, you could probably get this working on a per-group or per-role basis as well. This should apply to IPA as well, depending on how they have implemented support for password policy.

> regards
>
>> From: Rich Megginson [rmegg...@redhat.com]
>> Sent: Wednesday, 8 June 2011 9:36 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>>
>> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>>> What sort of password control? Minimum length? Character classes? Password history checking?
>>>
>>> yes, yes and yes...
>>>
>>> regards
>>
>> With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly. But what does this have to do with Windows PassSync?
Re: [Freeipa-users] sync passwords with AD or not per user
On 06/07/2011 05:41 PM, Steven Jones wrote:
> Hi,
> For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.

But do you still need to sync the users for those servers, or can you create specific users in IPA and apply more restrictive password policies to them? In IPA v2 you can have password policies per group.

> regards
>
>> From: Rich Megginson [rmegg...@redhat.com]
>> Sent: Wednesday, 8 June 2011 9:36 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>>
>> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>>> What sort of password control? Minimum length? Character classes? Password history checking?
>>>
>>> yes, yes and yes...
>>>
>>> regards
>>
>> With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly. But what does this have to do with Windows PassSync?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] sync passwords with AD or not per user
Thanks...

Some options to suggest

> you can create specific users in IPA and apply more restrictive password policies to them?

Sounds the better way.

regards

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 8 June 2011 9:50 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 05:41 PM, Steven Jones wrote:
>> Hi,
>> For most users I will want to allow the same password in AD as in freeipa so a linux or windows desktop will work with a linux or windows service. But for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
>
> But do you still need to sync the users for those servers, or can you create specific users in IPA and apply more restrictive password policies to them? In IPA v2 you can have password policies per group.
>
>> regards
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project, Red Hat Inc.
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
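The approach Steven settles on above (dedicated IPA users in their own group, with a stricter per-group policy) as an added example. This is not code from the thread or from the FreeIPA project; it is a POSIX shell script driving the `ipa` CLI. The group name `finance-admins`, the user `sjones`, the policy values and the `DRY_RUN` switch are assumptions for illustration, and the flag names are those of today's `ipa pwpolicy-add`, so check `ipa pwpolicy-add --help` on your release. It assumes an admin Kerberos ticket is already cached. If the `ipa` client is not installed it prints the commands instead of running them. Keep Simo's point in mind: a password pushed from AD by PassSync is not quality checked, so this policy bites only when these users change their password through IPA itself.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: put the users
# who need the stricter policy into their own IPA group, attach a per-group
# password policy, and check which policy IPA resolves for a given user.
# Assumed names (not in the thread): group finance-admins, user sjones.
# Assumes an admin Kerberos ticket is already cached (kinit admin).

# DRY_RUN=1 prints each command instead of running it; it is switched on
# automatically when the ipa client is not installed.
DRY_RUN=${DRY_RUN:-0}
command -v ipa >/dev/null 2>&1 || DRY_RUN=1

run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=
        for arg in "$@"; do
            # single-quote arguments that contain spaces or shell metacharacters
            case $arg in
                *[!A-Za-z0-9_=./:@-]*) arg="'$arg'" ;;
            esac
            line="$line${line:+ }$arg"
        done
        printf '%s\n' "$line"
    else
        "$@"
    fi
}

# Create the group and add the users that must follow the strict policy.
setup_group() {
    group=$1; shift
    run ipa group-add "$group" --desc="Users subject to the strict password policy"
    for user in "$@"; do
        run ipa group-add-member "$group" --users="$user"
    done
}

# Attach a policy to the group. A group policy needs a priority; when a
# user is in several groups with policies, the lowest priority number wins,
# and users in no such group get the global policy. Values are
# illustrative: 14 characters, 4 character classes, 12 remembered
# passwords, 90-day maximum age, 1-hour minimum age.
add_strict_policy() {
    group=$1
    run ipa pwpolicy-add "$group" --priority=10 \
        --minlength=14 --minclasses=4 --history=12 \
        --maxlife=90 --minlife=1
}

# Ask IPA which policy actually applies to a user (resolves group priority).
show_effective_policy() {
    run ipa pwpolicy-show --user="$1"
}

main() {
    setup_group finance-admins sjones
    add_strict_policy finance-admins
    show_effective_policy sjones
}

main "$@"
```

Run it once with `DRY_RUN=1` to review the exact commands, then without it on a host with the IPA client and an admin ticket. `ipa pwpolicy-show --user=sjones` is the check worth keeping: it reports the policy IPA will enforce for that user after group priorities are resolved, which is what an auditor will ask you to demonstrate.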