[Freeipa-users] Restrict AD users from passwd

Brian Lee brian_lee1 at jabil.com
Wed Aug 14 13:19:17 UTC 2013


Hi All,

Our current account management policy requires that users change their AD
passwords via a special portal; however, I've noticed that this can be
bypassed by issuing passwd on a Linux system while logged in with AD
credentials, thus changing their AD password.

Any thoughts on the best way to prevent this action?

What I've considered so far is removing the trust in AD, effectively
creating a one-way trust, but that would limit functionality for future
interoperability.

Additionally, we could change the permissions for passwd on each Linux
system, but this would be somewhat hackish and also complicated to enforce,
since we're waiting on Foreman + Puppet to properly be integrated into
Katello for our configuration management solution.

Any way to restrict this via the FreeIPA UI?

Thanks,
Brian