[Freeipa-users] FreeIPA AD password sync

Simo Sorce ssorce at redhat.com
Tue Dec 1 13:41:51 UTC 2015


On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for me and another user.
> > 
> > The error in passsync log was
> > 
> > Ldap error in ModifyPassword
> >> 50: Insufficient access
> > 
> > 
> > It took me some time to figure out that it was failing just for the two of us.
> > It was failing because we were in the admin user group in FreeIPA. Is this
> > intentional? Is it possible to somehow change this behaviour with a
> > setting?
> > 
> > Regards,
> > Gašper
> 
> Hello Gašper,
> 
> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> this is expected behavior, based on the permission configuration:
> 
>         'System: Change User password': {
>             'ipapermright': {'write'},
>             'ipapermtargetfilter': [
>                 '(objectclass=posixaccount)',
>                 '(!(memberOf=%s))' % DN('cn=admins',
>                                         api.env.container_group,
>                                         api.env.basedn),
>             ],
>             'ipapermdefaultattr': {
>                 'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>                 'sambantpassword', 'userpassword'
>             },
> ...
>             'default_privileges': {
>                 'User Administrators',
>                 'Modify Users and Reset passwords',
>                 'PassSync Service',
>             },
>         },
> 
> 
> "PassSync Service" indeed cannot change passwords of the admins group. I am
> wondering if we want to change the default, which was added so that lower-level
> administrators cannot change the passwords of top-level admins and impersonate
> them, for example. Simo, any opinion?

We do not want to change the default behavior.

Simo.

> If you want to allow that, you could also add a new permission to allow
> changing passwords of the admins group and assign it to the "PassSync Service" privilege.
> 
> Martin
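The workaround Martin describes, written out as an added example (not from the thread or the FreeIPA project): a second permission scoped to members of the admins group, attached to the "PassSync Service" privilege. The permission name is an assumption of mine; the attribute list and the admins group come from the permission definition quoted above, and note that this gives the PassSync bind account exactly the power the default was added to withhold (resetting top-level admin passwords), so the bind account should be protected accordingly.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Emits the ipa commands rather than running them, so the change can be
# reviewed first and applied with:  passsync_admin_perm_cmds | sh
set -eu

PERM_NAME="System: Change Admin User password"   # assumed name; any unique name works
PRIVILEGE="PassSync Service"                     # privilege named in the thread

passsync_admin_perm_cmds() {
    # Same attributes as 'System: Change User password', but --memberof=admins
    # sets a memberOf target filter that matches ONLY members of cn=admins,
    # the inverse of the '(!(memberOf=cn=admins,...))' filter in the default.
    echo "ipa permission-add \"$PERM_NAME\" --type=user --right=write --memberof=admins --attrs=krbprincipalkey --attrs=passwordhistory --attrs=sambalmpassword --attrs=sambantpassword --attrs=userpassword"
    # Grant the new permission to the privilege that the PassSync bind account holds.
    echo "ipa privilege-add-permission \"$PRIVILEGE\" --permissions=\"$PERM_NAME\""
    # Show the resulting permission so the effective target filter can be checked.
    echo "ipa permission-show \"$PERM_NAME\""
}

# Count the emitted commands; useful as a quick sanity check in scripts.
passsync_admin_perm_cmd_count() {
    passsync_admin_perm_cmds | wc -l | tr -d ' '
}
```

After applying, `ipa permission-show` should list `memberof: admins` and the five password-related attributes; the default permission stays untouched.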
