[Freeipa-users] 2 question on passsync

Dmitri Pal dpal at redhat.com
Tue Nov 12 22:56:33 UTC 2013


On 11/12/2013 05:44 PM, Steven Jones wrote:
> Hi,
>
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
>
> Yep, that's what I expected, I just didn't word it well.
>
> I just wondered if we could receive the plain text password then hash it, then for an excluded user compare hashes and if they match raise an audit alert.
>
> What we have is a concern that if AD gets hacked, certain users such as myself who have more privileges in Linux land could get their Linux side accounts also hacked simply via a malicious password change in AD. This would mean that we might lose all of our Linux side as well as the Windows side.
>
> A way to prevent this is to exclude those certain users from passsync. The issue then is there is nothing stopping an excluded user manually making the passwords the same, despite a written policy.
>
> The problem with having different AD and IPA policies is that, while acceptable to me, it probably isn't acceptable for the organisation.
>
> To exclude a user from passsync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the command line, and also I don't see how it's easily and quickly auditable either.
>
> e.g. how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and look at to audit.


OK that makes sense. This is a reasonable RFE to file.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Wednesday, 13 November 2013 10:29 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 2 question on passsync
>
> On 11/12/2013 03:47 PM, Steven Jones wrote:
>> Hi,
>>
>> Not sure on the details here so please bear with me. When passsync is set up some users can be exempted from the sync.
>>
>> So I have 2 questions or requests for features maybe.
>>
>> This feature is good, however there is nothing within the IPA system that I can see that prevents a user manually setting the same password in IPA as they have in AD. So even if we have a written policy that says you cannot do this, it looks like we cannot check or enforce it. Hence I see this as an audit failure.
> With Winsync/Passsync this is actually a default behavior. The passwords
> are the same because most people, to the best of our knowledge, want it
> this way. If I get you right, your proposal is actually to force the reverse,
> which seems to be a very corner use case based on the information we have.
>
>
>> So what I'm asking is, I guess, is there any way that when a password sync occurs the "hash" of the IPA password and the "hash" the AD password would be converted to gets compared and a security violation is raised if they match?
>
> Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes. Password hashes are attributes that
> are really not that easily readable to conduct the comparison you suggest.
>
> IMO you can make sure that passwords are different (if you do not want to
> have the same passwords on both sides) by setting mutually exclusive
> password policies.
> For example force all IPA passwords to be 12 characters and AD passwords 11
> characters or vice versa. This is just an example.
>
>
>> If not, would this be a useful feature? To me I think it would be something we'd like for audit purposes.
>>
>> Secondly, at the moment it looks like I have to add each user via a command line function. Can we get this set up via a user group? That way it's point and click and it's easily visually auditable.
> Can you please explain what you mean by setting it up via user group?
> It is unclear what you have in mind.
>
>
>
> Thanks
> Dmitri
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University ITS,
>>
>> Level 8 Rankin Brown Building,
>>
>> Wellington, NZ
>>
>> 6012
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
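Steven's audit question ("how do I check who is and isn't excluded?") can be answered today without the requested group feature, because the identity guide's ldapmodify command only appends DNs to the passSyncManagersDNs attribute of the cn=ipa_pwd_extop plugin entry, so reading that attribute back lists everyone currently excluded. The helper below is an added example written for this thread, not code from the FreeIPA project or from either poster; the ldapsearch bind as Directory Manager, the IPA_HOST variable, the sample LDIF and the uids in it are assumptions and constructed data.

```shell
#!/bin/sh
# Added example: list and audit the DNs in passSyncManagersDNs on the
# cn=ipa_pwd_extop plugin entry (the attribute the identity guide's
# ldapmodify command appends to). Not part of the original thread.

# Constructed sample, standing in for real ldapsearch output; the uids are made up.
SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
'

# Live query (assumption: Directory Manager bind; -W prompts for the bind
# password so it is not left in shell history). -LLL drops LDIF comment and
# version lines, -s base reads only the plugin entry itself.
fetch_excluded_ldif() {
    ldapsearch -x -LLL -W -D "cn=Directory Manager" \
        -H "ldap://${IPA_HOST:-localhost}" \
        -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passSyncManagersDNs
}

# Read LDIF on stdin and print the uid of each excluded DN, one per line.
excluded_uids() {
    sed -n 's/^passSyncManagersDNs: uid=\([^,]*\),.*/\1/p'
}

# Compare the excluded set against an approved list (space separated uids)
# and print every uid that is excluded without being on the approved list.
# $1: LDIF text, $2: approved uids
unapproved_exclusions() {
    for u in $(printf '%s' "$1" | excluded_uids); do
        case " $2 " in
            *" $u "*) ;;                 # approved, nothing to report
            *) printf '%s\n' "$u" ;;     # excluded but not approved
        esac
    done
}

# Demo on the constructed sample; replace SAMPLE_LDIF with "$(fetch_excluded_ldif)"
# and the approved list with the organisation's own to audit a live server.
echo "Currently excluded:"
printf '%s' "$SAMPLE_LDIF" | excluded_uids
echo "Excluded but not approved:"
unapproved_exclusions "$SAMPLE_LDIF" "admin"
```

Running the comparison on a schedule and alerting on any line from unapproved_exclusions gives the "who is and isn't excluded" view Steven asked for; it does not address his other point, since nothing here can tell whether an excluded user has chosen the same password on both sides.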