[Freeipa-users] 2 question on passsync

Steven Jones Steven.Jones at vuw.ac.nz
Tue Nov 12 22:44:33 UTC 2013


Hi,

"Winsync does not sync password hashes. Passsync syncs passwords and then
causes the creation of the hashes."

Yep, that's what I expected, I just didn't word it well.

I just wondered if we could receive the plain text password then hash it, then for an excluded user compare hashes and if they match raise an audit alert.  

What we have is a concern that if AD gets hacked, certain users such as myself who have more privileges in Linux land could get their Linux side accounts also hacked simply via a malicious password change in AD.  This would mean that we might lose all of our Linux side as well as the Windows side.

A way to prevent this is to exclude those certain users from passsync.  The issue then is there is nothing stopping an excluded user manually making the passwords the same, despite a written policy.

The problem with having different AD and IPA policies is that, while acceptable to me, it probably isn't acceptable for the organisation.

To exclude a user from passsync the identity guide says run,

"ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"

Which means every time I want to exclude a user I have to do this via the command line, and also I don't see how it's easily and quickly auditable either.

E.g. how do I check who is and isn't excluded?

Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and look at to audit.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 13 November 2013 10:29 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 2 question on passsync

On 11/12/2013 03:47 PM, Steven Jones wrote:
> Hi,
>
> Not sure on the details here so please bear with me. When passsync is set up some users can be exempted from the sync.
>
> So I have 2 questions or requests for features maybe.
>
> This feature is good, however there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD.  So even if we have a written policy that says you cannot do this it looks like we cannot check or enforce it. Hence I see this as an audit failure.

With Winsync/Passsync this is actually a default behavior. The passwords
are the same because most people, to the best of our knowledge, want it
this way. If I get you right, your proposal is actually to force a reverse
which seems to be a very corner use case based on the information we have.


>
> So what I'm asking, I guess, is: is there any way that when a password sync occurs the "hash" of the IPA password and the "hash" the AD password would be converted to get compared, and a security violation is raised if they match?


Winsync does not sync password hashes. Passsync syncs passwords and then
causes the creation of the hashes. Password hashes are attributes that
are really not that easily readable to conduct the comparison you suggest.

IMO you can make sure that passwords are different (if you do not want to
have same passwords on both sides) by setting mutually exclusive
password policies.
For example force all IPA passwords to be 12 characters and AD passwords 11
characters or vice versa. This is just an example.


>
> If not, would this be a useful feature? To me, I think it would be something we'd like for audit purposes.
>
> Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's a point and click and it's easily visually auditable.

Can you please explain what you mean by setting it up via user group?
It is unclear what you have in mind.



Thanks
Dmitri

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

