[Freeipa-users] 2 questions on passsync

Steven Jones Steven.Jones at vuw.ac.nz
Tue Nov 12 20:47:06 UTC 2013


Hi,

Not sure on the details here, so please bear with me. When passsync is set up, some users can be exempted from the sync.

So I have 2 questions or requests for features maybe.

This feature is good; however, there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD. So even if we have a written policy that says you cannot do this, it looks like we cannot check or enforce it. Hence I see this as an audit failure.

So what I'm asking, I guess, is: is there any way that, when a password sync occurs, the "hash" of the IPA password and the "hash" the AD password would be converted to get compared, and a security violation is raised if they match?

If not, would this be a useful feature? To me, I think it would be something we'd like for audit purposes.

Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's a point and click and it's easily visually auditable.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272



