[Freeipa-users] FreeIPA AD password sync
Martin Kosek
mkosek at redhat.com
Tue Dec 1 11:57:29 UTC 2015
On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> I have been struggling with FreeIPA and AD password sync for a couple of
> days now. At first everything was working fine, but then all of a sudden
> the synchronization started to fail for me and another user.
>
> The error in the passsync log was
>
>   Ldap error in ModifyPassword
>   50: Insufficient access
>
>
> It took me some time to figure out that it was failing just for the two of us.
> It was failing because we were in the admins user group in FreeIPA. Is this
> intentional? Is it possible to somehow change this behaviour with a
> setting?
>
> Regards,
> Gašper
Hello Gašper,
I assume you are running FreeIPA version 4.0 or above. At the moment,
this is expected behavior, based on the permission configuration:
    'System: Change User password': {
        'ipapermright': {'write'},
        'ipapermtargetfilter': [
            '(objectclass=posixaccount)',
            '(!(memberOf=%s))' % DN('cn=admins',
                                    api.env.container_group,
                                    api.env.basedn),
        ],
        'ipapermdefaultattr': {
            'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
            'sambantpassword', 'userpassword'
        },
        ...
        'default_privileges': {
            'User Administrators',
            'Modify Users and Reset passwords',
            'PassSync Service',
        },
    },
"PassSync Service" indeed cannot change passwords of the admins group. I am
wondering if we want to change the default, which was added so that lower-level
administrators cannot change the password of top-level admins and impersonate them,
for example. Simo, any opinion?
If you want to allow that, you could also add a new permission to allow
changing passwords of the admins group and assign it to the "PassSync Service" privilege.
Martin
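Added example, not FreeIPA project code and not part of Martin's reply: a small evaluator for the LDAP target filter quoted above, run against constructed user entries, to show why a member of cn=admins falls outside the default 'System: Change User password' permission and what a complementary permission attached to the "PassSync Service" privilege would need to match. The base DN dc=example,dc=com, the group container cn=groups,cn=accounts and the user entries are assumptions standing in for api.env.basedn, api.env.container_group and a real directory; the ipa commands in the trailing comment are my guess at the invocation, not taken from the mail.

```python
"""Added example, not FreeIPA project code: evaluate the targetfilter of the
'System: Change User password' permission (quoted in the mail above) and of a
complementary, admins-only permission against constructed user entries."""

# Assumed deployment values standing in for api.env.basedn and
# api.env.container_group from the quoted permission definition.
BASEDN = "dc=example,dc=com"
GROUP_CONTAINER = "cn=groups,cn=accounts"
ADMINS_DN = f"cn=admins,{GROUP_CONTAINER},{BASEDN}"

# The entries of ipapermtargetfilter are ANDed, so the default filter is:
DEFAULT_FILTER = f"(&(objectclass=posixaccount)(!(memberOf={ADMINS_DN})))"
# A complementary permission that only reaches members of cn=admins:
ADMINS_FILTER = f"(&(objectclass=posixaccount)(memberOf={ADMINS_DN}))"


def _parse(s, i):
    """Parse one RFC 4515 filter component starting at s[i] == '('.

    Supports &, |, ! and equality matches, which is all these filters use.
    Returns (node, index just past the closing parenthesis).
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    op = s[i + 1]
    if op in "&|!":
        i += 2
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op} filter in {s!r}")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i + 1:j].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter component {s[i:j + 1]!r}")
    # Attribute names and DN-valued attributes compare case-insensitively.
    return ("=", attr.lower(), value.lower()), j + 1


def parse_filter(s):
    node, end = _parse(s.strip(), 0)
    if end != len(s.strip()):
        raise ValueError(f"trailing data in filter {s!r}")
    return node


def matches(node, entry):
    """True if entry (dict of lowercase attr -> list of values) satisfies node."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return value in [v.lower() for v in entry.get(attr, [])]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    return not matches(node[1][0], entry)  # "!"


def user(uid, groups):
    """Constructed user entry carrying only the attributes the filters read."""
    return {
        "objectclass": ["posixaccount", "person"],
        "uid": [uid],
        "memberof": [f"cn={g},{GROUP_CONTAINER},{BASEDN}" for g in groups],
    }


def writable_by(filter_str, entries):
    """uids whose password attributes a permission with this filter reaches."""
    node = parse_filter(filter_str)
    return [e["uid"][0] for e in entries if matches(node, e)]


def password_writable(privilege_filters, entry):
    """A privilege grants the write if any of its permissions' filters match."""
    return any(matches(parse_filter(f), entry) for f in privilege_filters)


# Constructed directory contents: two admins-group members (as in the report),
# an ordinary user, and a group entry that is not a posixAccount at all.
USERS = [
    user("gasper", ["admins", "ipausers"]),
    user("martin", ["admins", "ipausers"]),
    user("alice", ["ipausers"]),
]
ADMINS_GROUP = {"objectclass": ["groupofnames", "posixgroup"], "cn": ["admins"]}

# Creating the complementary permission with the ipa CLI would, as far as I
# know (assumption, not taken from the mail), look like this:
#   ipa permission-add "System: Change Admin User password" \
#       --right=write --type=user --memberof=admins \
#       --attrs=krbprincipalkey --attrs=passwordhistory \
#       --attrs=sambalmpassword --attrs=sambantpassword --attrs=userpassword
#   ipa privilege-add-permission "PassSync Service" \
#       --permissions="System: Change Admin User password"

if __name__ == "__main__":
    print("default permission reaches:", writable_by(DEFAULT_FILTER, USERS))
    print("admins-only permission reaches:", writable_by(ADMINS_FILTER, USERS))
    for u in USERS:
        before = password_writable([DEFAULT_FILTER], u)
        after = password_writable([DEFAULT_FILTER, ADMINS_FILTER], u)
        print(f"{u['uid'][0]:8} PassSync default={before}  with extra permission={after}")
```

Run as a script it lists which entries each filter reaches: the default filter covers only alice, the admins-only filter covers gasper and martin, and the group entry is reached by neither because it is not a posixAccount. Splitting the grant into two permissions rather than dropping the (!(memberOf=...)) clause from the default one keeps the original intent intact: only the privileges that explicitly receive the second permission gain the ability to reset admin passwords.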