[Freeipa-users] 2 question on passsync

Simo Sorce simo at redhat.com
Wed Nov 13 01:03:09 UTC 2013


On Wed, 2013-11-13 at 00:14 +0000, Steven Jones wrote:
> Hi
> 
> >From the RH manual,
> 
> "15.6.3. Exempting Active Directory Users from Password Synchronization"

This paragraph is completely misguiding, sorry, we'll open a doc bug to
correct the explanation.

The list of users set in passSyncManagersDNs is allowed to set passwords
for any user without triggering password policy requirements. In the
synchronization case it means that although an 'administrative' account
is resetting another user's password, that password is not marked for
immediate reset like it normally happens; it is indeed considered valid
and proper.

It has nothing to do with exempting users from password
synchronization.

Please DO NOT list regular, non administrative users in that attribute.

Simo.

> So the heading says I can?
> 
> or I cannot?
> 
> by running,
> 
> "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> 
> Where the user would say be me, so I have to have a different password in IPA to AD.
> 
> If I cannot then the manual heading above is very confusing...
> 
> In terms of
> 
> "Without this then when a new password is synced from AD it would require
> a reset, which sort of defeats the point of syncing passwords."
> 
> I did wonder, but when I tested a normal user there was no password reset required; the AD password just worked with the rhel6 client login, no issues, no reset.
> 
> So I am confused.
> 
> regards
> 
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University ITS,
> Level 8 Rankin Brown Building,
> Wellington, NZ
> 6012
> 0064 4 463 6272
> 
> clude a user from passync the identity guide says run,
> >
> > "ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389
> > dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> > changetype: modify
> > add: passSyncManagersDNs
> > passSyncManagersDNs: uid=user,cn=users,cn=accounts,dc=example,dc=com"
> >
> > Which means every time I want to exclude a user I have to do this via the command line, and also I don't see how it's easily and quickly auditable either.
> >
> > e.g. how do I check who is and isn't excluded?
> >
> > Now if it's an IPA user group called say "excluded passsync users" and I just drop the user(s) in, it's very easy to do and look at to audit.
> 
> This isn't what passSyncManagersDNs does. What this value does is list
> the users who can change a password without requiring a reset of that
> password.
> 
> Without this then when a new password is synced from AD it would require
> a reset, which sort of defeats the point of syncing passwords.
> 
> I like your idea of a group, can you file an RFE on this?
> 
> rob
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Simo Sorce * Red Hat, Inc * New York
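The thread raises two practical points: passSyncManagersDNs grants its listed DNs the ability to set passwords that are accepted as valid without a forced reset, so only dedicated sync/administrative accounts belong in it, and Steven asks how to audit who is listed. The following is an added example, not code from the thread or from FreeIPA itself. It assumes the attribute is read from cn=ipa_pwd_extop,cn=plugins,cn=config with ldapsearch (shown in a comment), parses a constructed LDIF sample offline, and treats any DN under cn=users,cn=accounts as a regular user entry that needs review; the sample DNs are invented for illustration.

```shell
#!/bin/sh
# Added example: audit the passSyncManagersDNs list on the ipa_pwd_extop plugin.
# On a live server the LDIF would come from a search such as (assumed form):
#
#   ldapsearch -x -D "cn=Directory Manager" -W -h ldap.example.com -LLL \
#       -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs
#
# Here a constructed sample stands in for that output so the script runs offline.
SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=sjones,cn=users,cn=accounts,dc=example,dc=com
'

# Print one manager DN per line from LDIF supplied on stdin.
list_passsync_managers() {
    sed -n 's/^passSyncManagersDNs: //p'
}

# Return 1 (printing the offending DNs to stderr) if any listed DN is an
# ordinary user entry under cn=users,cn=accounts; return 0 when only
# dedicated sync/system accounts are listed. Treating cn=users,cn=accounts
# as the home of regular IPA users is an assumption that matches the
# example DN quoted in the thread.
check_passsync_managers() {
    offenders=$(list_passsync_managers | grep -i ',cn=users,cn=accounts,' || true)
    if [ -n "$offenders" ]; then
        printf 'regular user accounts listed in passSyncManagersDNs:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample: reports uid=sjones for review.
printf '%s' "$SAMPLE_LDIF" | check_passsync_managers || echo "review needed"
```

Pipe real ldapsearch output into check_passsync_managers to get the same report from a live directory; the exit status makes it usable from a cron job or configuration check.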