[Freeipa-users] 2 question on passsync
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Nov 12 20:47:06 UTC 2013
Hi,
Not sure on the details here so please bear with me. When passsync is set up some users can be exempted from the sync.
So I have 2 questions or requests for features maybe.
This feature is good, however there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD. So even if we have a written policy that says you cannot do this it looks like we cannot check or enforce it. Hence I see this as an audit failure.
So what I'm asking is, I guess, is there any way that when a password sync occurs the "hash" of the IPA password and the "hash" the AD password would be converted to get compared and a security violation is raised if they match?
If not, would this be a useful feature? To me, I think it would be something we'd like for audit purposes.
Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's a point and click and it's easily visually auditable.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272