[Freeipa-users] proxy with Active Directory

Rich Megginson rmeggins at redhat.com
Wed May 9 21:45:30 UTC 2012


On 05/09/2012 03:11 PM, Steven Jones wrote:
> Hi,
>
> My understanding is PassSync intercepts the password before it's 
> encrypted in AD

Yes.

> and written to the AD's ldap db/disk

PassSync writes it to a log file on the windows machine, not to the ldap db.

> it can't be decrypted thereafter.

PassSync stores the password reversibly encrypted on the disk, so it is 
safely stored, and can be converted back to cleartext to send to IPA.

> It then sends the plain text password via an encrypted link to IPA, so 
> it's pretty safe. No there is no easy way I know of, though it's 
> possible to use AD for Kerberos i.e. password and an LDAP for control, 
> don't think that is practical in IPA.....but AD and say OpenLDAP, yes. 
> We have a setup here, but ordinary bods like me couldn't maintain / 
> modify / patch it.
>
> The other possibility is Oracle's OVD which is an open virtual 
> directory that sits in front of (multiple if necessary) LDAPs and 
> gives a LDAPv3 output but that is expensive...i.e. when Oracle say 
> "open" they mean open your wallet and we'll take all we want...it's 
> also awful....2 of us tried for 3 weeks to make it work and gave up, 
> too unstable.
>
> The last way I know of, which we have is a web based application 
> called Psync which allows users to reset their own password via a 
> https web page that then injects into AD, it can do LDAPS as well in 
> parallel...but that's really the same thing as PassSync....
>
> Or just use AD, then you use something like Centrify or Likewise and 
> that cost hurts as well. So depends who is paying....get them to 
> "chat" to your security group. Ours are A OK with PassSync as the gains 
> of IPA and centralised control far outstrip the PassSync minor 
> concern. Besides which a decently sized and complex AD is a Swiss 
> cheese for security anyway.  Ask your security how the last external 
> pen test on AD went..if they have never done one.....it's a bit rich 
> for them to comment on PassSync.....
>
> ;]
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com 
> [freeipa-users-bounces at redhat.com] on behalf of Sylvain Angers 
> [sylvainangers at gmail.com]
> *Sent:* Thursday, 10 May 2012 6:19 a.m.
> *To:* Freeipa-users at redhat.com
> *Subject:* [Freeipa-users] proxy with Active Directory
>
> Hello
> Our security group has concerns with copying username/password 
> from AD and might not allow this synchronisation to even happen.
> Is there a way to configure ipa to go get username/password via kind 
> of proxy?
> Thank you!
>
> -- 
> Sylvain Angers
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
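The reply above rests on two properties: the password is only ever sent to IPA over an encrypted link, and it is held reversibly encrypted on the Windows host until that send succeeds. The following is an added illustration, not PassSync's own code or configuration, of the checks a defender can put in front of such a sync agent's outbound connection in Python's standard library: it accepts only `ldaps://` targets and builds a TLS context that requires certificate verification, host-name matching and TLS 1.2 or newer. The host name `ipa.example.test` and the optional `ca_file` parameter are constructed for the example.

```python
# Added example (not PassSync's own code): defender-side checks for the
# "encrypted link to IPA" that a password sync agent depends on.
# Host names used below are constructed for illustration.
import ssl
from urllib.parse import urlparse

DEFAULT_LDAPS_PORT = 636
DEFAULT_LDAP_PORT = 389


def make_ldaps_context(ca_file=None):
    """Build a TLS context that refuses unverified or legacy connections.

    ca_file: optional path to the IPA CA certificate (an assumed deployment
    detail); when None, the system trust store is used instead.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0 / 1.1
    ctx.check_hostname = True                      # cert must match the IPA host
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a trusted cert
    return ctx


def check_sync_target(url):
    """Classify a sync target URL.

    Only ldaps:// is acceptable for carrying cleartext passwords; plain
    ldap:// is reported with a reason so the agent can log why it refused.
    """
    parts = urlparse(url)
    if parts.scheme == "ldaps":
        return {
            "ok": True,
            "host": parts.hostname,
            "port": parts.port or DEFAULT_LDAPS_PORT,
            "reason": "LDAP over TLS",
        }
    if parts.scheme == "ldap":
        return {
            "ok": False,
            "host": parts.hostname,
            "port": parts.port or DEFAULT_LDAP_PORT,
            "reason": "plaintext LDAP: passwords would cross the wire unencrypted",
        }
    return {
        "ok": False,
        "host": parts.hostname,
        "port": parts.port,
        "reason": "unsupported scheme %r" % parts.scheme,
    }


def describe_context(ctx):
    """Summarise the security-relevant settings of a TLS context as plain values."""
    return {
        "min_tls": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for target in ("ldaps://ipa.example.test", "ldap://ipa.example.test:389"):
        print(target, "->", check_sync_target(target))
    print(describe_context(make_ldaps_context()))
```

Running the block prints that the `ldaps://` target is accepted on port 636 while the `ldap://` target is refused, and shows the context settings (`TLSv1_2`, `CERT_REQUIRED`, host-name checking on). Wiring the returned context into the actual socket or LDAP client is deployment-specific and left out here.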
