[Freeipa-users] FreeIPA AD Trust: password policy?

Alexander Bokovoy abokovoy at redhat.com
Sun Nov 2 17:05:37 UTC 2014


On Sun, 02 Nov 2014, Gregor Bregenzer wrote:
>Hi!
>
>I have FreeIPA 4.0.1 with a trust to AD to Windows 2012. The Linux
>clients have sssd 1.11.6 and use the ipa provider for authentication
>(part of client sssd.conf):
>
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = linux1.linux.intern
>chpass_provider = ipa
>
>
>I found out, the password policy for complexity etc. is retrieved from
>the group policy in AD, but is there also a way to retrieve the
>password policy from FreeIPA? All the other parts such as sudo rules
>and HBAC work when I assign the FreeIPA posix group which includes the
>external group from AD, but not the password policy.
Authentication is handled by AD in this case, thus password policy is
handled by AD DCs as well. There is no way to attach IPA-specific
password policy to AD users because the actual password policy check is
done on the AD side without us being involved in any decision.

>Is there also some documentation about password policy with AD trust
>(I was browsing documents from http://www.freeipa.org/page/Trusts but
>did not find anything)?
Since we don't have ways to handle it, there is no documentation. The
same situation would be with any Kerberos cross-realm trust -- the final
decision on password changes is done by the KDC that is responsible for
the Kerberos principal in question.
-- 
/ Alexander Bokovoy



