[Freeipa-users] 2 question on passsync

Rob Crittenden rcritten at redhat.com
Tue Nov 12 23:20:46 UTC 2013


Steven Jones wrote:
> Hi,
>
> "Winsync does not sync password hashes. Passsync syncs passwords and then
> causes the creation of the hashes."
>
> yep, that's what I expected, I just didn't word it well.
>
> I just wondered if we could receive the plain text password then hash it, then for an excluded user compare hashes and if they match raise an audit alert.
>
> What we have is a concern that if AD gets hacked, certain users such as myself who have more privileges in Linux land could get their Linux side accounts also hacked simply via a malicious password change in AD.  This would mean that we might lose all of our Linux side as well as the Windows side.
>
> A way to prevent this is to exclude those certain users from passsync.  The issue then is there is nothing stopping an excluded user manually making the passwords the same, despite a written policy.
>
> The problem with having different AD and IPA policies is that, while acceptable to me, it probably isn't acceptable for the organisation.
>
> To exclude a user from passsync the identity guide says run,
>
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
>
> Which means every time I want to exclude a user I have to do this via the command line, and also I don't see how it's easily and quickly auditable either.
>
> e.g. how do I check who is and isn't excluded?
>
> Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and to look at to audit.

This isn't what passSyncManagersDNs does. What this value does is list 
the users who can change a password without requiring a reset of that 
password.

Without this then when a new password is synced from AD it would require 
a reset, which sort of defeats the point of syncing passwords.

I like your idea of a group, can you file an RFE on this?

rob
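Since passSyncManagersDNs lists the DNs trusted to set a password without forcing a reset, the list itself is worth auditing. The following is an added example, not from this thread or from FreeIPA's own code: it parses the LDIF that `ldapsearch -LLL -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs` returns (sample output and DNs are constructed inline), reports any DN not on an expected list, and builds the LDIF for adding or removing an entry; the function names are my own.

```python
import base64
import re

# Constructed sample of ldapsearch -LLL output: one folded value (LDIF
# continuation line starts with a space) and one base64 ("::") value.
SAMPLE_LDIF = (
    "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
    "passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com\n"
    "passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=exampl\n"
    " e,dc=com\n"
    "passSyncManagersDNs:: "
    + base64.b64encode(b"uid=admin,cn=users,cn=accounts,dc=example,dc=com").decode()
    + "\n"
)


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def passsync_managers(ldif_text):
    """Return every passSyncManagersDNs value, decoding base64 ('::') values."""
    dns = []
    for line in unfold_ldif(ldif_text):
        m = re.match(r"^passSyncManagersDNs(::?) ?(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        dns.append(value.strip())
    return dns


def unexpected_managers(ldif_text, expected):
    """DNs present on the server but absent from the expected list.
    Comparison is case-insensitive; full DN normalisation is out of scope here."""
    allowed = {dn.lower() for dn in expected}
    return [dn for dn in passsync_managers(ldif_text) if dn.lower() not in allowed]


def manager_change_ldif(dn, remove=False):
    """LDIF for ldapmodify that adds (or deletes) one DN from the attribute."""
    op = "delete" if remove else "add"
    return ("dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype: modify\n"
            f"{op}: passSyncManagersDNs\npassSyncManagersDNs: {dn}\n")
```

Feed real ldapsearch output to `unexpected_managers` from a cron job and alert on a non-empty result to catch additions to this list.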