[Freeipa-users] FreeIPA AD password sync
Martin Kosek
mkosek at redhat.com
Tue Dec 1 13:51:11 UTC 2015
On 12/01/2015 02:41 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
>> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
>>> I have been struggling with FreeIPA and AD password sync for a couple of
>>> days now. At first everything was working fine, but then all of a sudden
>>> the synchronization started to fail for me and another user.
>>>
>>> The error in passsync log was
>>>
>>> Ldap error in ModifyPassword
>>>> 50: Insufficient access
>>>
>>>
>>> It took me some time to figure out that it was failing just for the two of us.
>>> It was failing because we were in the admin user group in FreeIPA. Is this
>>> intentional? Is it possible to somehow change this behaviour with a
>>> setting?
>>>
>>> Regards,
>>> Gašper
>>
>> Hello Gašper,
>>
>> I assume you are running with FreeIPA version 4.0 and above. At the moment,
>> this is expected behavior, based on the permission configuration:
>>
>> 'System: Change User password': {
>>     'ipapermright': {'write'},
>>     'ipapermtargetfilter': [
>>         '(objectclass=posixaccount)',
>>         '(!(memberOf=%s))' % DN('cn=admins',
>>                                 api.env.container_group,
>>                                 api.env.basedn),
>>     ],
>>     'ipapermdefaultattr': {
>>         'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
>>         'sambantpassword', 'userpassword'
>>     },
>>     ...
>>     'default_privileges': {
>>         'User Administrators',
>>         'Modify Users and Reset passwords',
>>         'PassSync Service',
>>     },
>> },
>>
>>
>> "PassSync Service" indeed cannot change passwords of the admins group. I am
>> wondering if we want to change the default, which was added so that lower-level
>> administrators cannot change the password of top-level admins and impersonate them,
>> for example. Simo, any opinion?
>
> We do not want to change the default behavior.
>
> Simo.
Ok. I requested a Doc update:
https://bugzilla.redhat.com/show_bug.cgi?id=1287092
Please feel free to comment in Bugzilla.
Martin
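As an added example (not code from this thread or from the FreeIPA project), the following emulates the target filter of the 'System: Change User password' permission quoted above against constructed user entries, so an administrator can see why a PassSync write succeeds for an ordinary user and fails for a member of cn=admins. It assumes the FreeIPA default container_group of cn=groups,cn=accounts and a sample base DN of dc=example,dc=com.

```python
# Added example: emulates the ipapermtargetfilter of 'System: Change User
# password'. Assumptions: container_group = "cn=groups,cn=accounts" (FreeIPA
# default) and basedn = "dc=example,dc=com" (constructed sample value).
CONTAINER_GROUP = "cn=groups,cn=accounts"
BASEDN = "dc=example,dc=com"
# Same composition as DN('cn=admins', api.env.container_group, api.env.basedn)
ADMINS_GROUP_DN = f"cn=admins,{CONTAINER_GROUP},{BASEDN}"


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; also drop spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def permission_targets(entry: dict) -> bool:
    """True if the permission's target filter matches this LDAP entry.

    The two filter clauses from the quoted definition:
      (objectclass=posixaccount)  -> entry must be a POSIX user
      (!(memberOf=cn=admins,...)) -> entry must NOT be a member of admins
    """
    classes = {c.lower() for c in entry.get("objectclass", [])}
    groups = {normalize_dn(g) for g in entry.get("memberof", [])}
    return "posixaccount" in classes and normalize_dn(ADMINS_GROUP_DN) not in groups


def passsync_can_change_password(entry: dict) -> bool:
    """PassSync Service gets its password-attribute write right through this
    permission (it is in default_privileges), so as the thread concludes the
    ModifyPassword succeeds exactly when the target filter matches."""
    return permission_targets(entry)


# Constructed sample entries, shaped like FreeIPA user objects seen over LDAP.
REGULAR_USER = {
    "uid": ["jdoe"],
    "objectclass": ["top", "person", "posixaccount", "inetuser"],
    "memberof": [f"cn=ipausers,{CONTAINER_GROUP},{BASEDN}"],
}
ADMIN_USER = {
    "uid": ["gasper"],
    "objectclass": ["top", "person", "posixaccount", "inetuser"],
    "memberof": [f"cn=ipausers,{CONTAINER_GROUP},{BASEDN}",
                 f"CN=Admins,{CONTAINER_GROUP},{BASEDN}"],  # case differs on purpose
}

if __name__ == "__main__":
    for user in (REGULAR_USER, ADMIN_USER):
        ok = passsync_can_change_password(user)
        print(f"{user['uid'][0]}: {'allowed' if ok else '50: Insufficient access'}")
```

The same check against a live directory is an LDAP search for the user's memberOf attribute: if it lists cn=admins, the quoted permission will never target that entry.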