[Freeipa-users] sync passwords with AD or not per user

Simo Sorce simo at redhat.com
Wed Jun 8 14:57:50 UTC 2011


On Wed, 2011-06-08 at 10:27 -0400, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 06/07/2011 03:41 PM, Steven Jones wrote:
> >> Hi,
> >>
> >> For most users I will want to allow the same password in AD as in
> >> freeipa....so a linux or windows desktop will work with a linux or
> >> windows service.....but for some specific financial servers/services I
> >> need a stricter password capability to meet our audit criteria.
> > In 389 you can set password policy on a per-user or per-subtree basis.
> > With a little extra work, you could probably get this working on a
> > per-group or per-role basis as well. This should apply to IPA as well,
> > depending on how they have implemented support for password policy.
> 
> We have per-group password policy but we don't use the 389-ds password 
> policy engine. What I don't know is what happens if you set a lousy 
> password in AD whether that gets replicated to IPA. Will it be rejected, 
> accepted?

The ipa-pwd-extop module has a list of users that can set passwords w/o
having them quality checked. The passsync user is normally one of these
users. And passwords replicated from Windows are not quality checked.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



