[Freeipa-users] FreeIPA AD Trust: password policy?

Gregor Bregenzer gregor.bregenzer at gmail.com
Sun Nov 2 18:52:12 UTC 2014


Thanks! :-)

Gregor

2014-11-02 18:05 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
> On Sun, 02 Nov 2014, Gregor Bregenzer wrote:
>>
>> Hi!
>>
>> I have FreeIPA 4.0.1 with a trust to AD to Windows 2012. The Linux
>> clients have sssd 1.11.6 and use the ipa provider for authentication
>> (part of client sssd.conf):
>>
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = linux1.linux.intern
>> chpass_provider = ipa
>>
>>
>> I found out that the password policy for complexity etc. is retrieved
>> from the group policy in AD, but is there also a way to retrieve the
>> password policy from FreeIPA? All the other parts such as sudo rules
>> and HBAC work when I assign the FreeIPA posix group which includes the
>> external group from AD, but not the password policy.
>
> Authentication is handled by AD in this case, thus password policy is
> handled by AD DCs as well. There is no way to attach IPA-specific
> password policy to AD users because the actual password policy check is
> done on AD side without us being involved in any decision.
>
>> Is there also some documentation about password policy with AD trust
>> (I was browsing documents from http://www.freeipa.org/page/Trusts but
>> did not find anything)?
>
> Since we don't have ways to handle it, there is no documentation. The
> same situation would be with any Kerberos cross-realm trust -- the final
> decision on password changes is done by the KDC that is responsible for
> the Kerberos principal in question.
> --
> / Alexander Bokovoy



