[Freeipa-users] FreeIPA AD password sync

Gašper Bregar gasper.bregar at nets.si
Tue Dec 1 15:07:36 UTC 2015


Thank you for the quick reply and a solution.

I will try it in the next couple of days.

Regards,
Gašper

On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek <mkosek at redhat.com> wrote:

> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> >>> I have been struggling with FreeIPA and AD password sync for a couple of
> >>> days now. At first everything was working fine, but then all of a sudden
> >>> the synchronization started to fail for me and another user.
> >>>
> >>> The error in passsync log was
> >>>
> >>> Ldap error in ModifyPassword
> >>>> 50: Insufficient access
> >>>
> >>>
> >>> It took me some time to figure out that it was failing just for the two of us.
> >>> It was failing because we were in the admin user group in FreeIPA. Is this
> >>> intentional? Is it possible to somehow change this behaviour with a
> >>> setting?
> >>>
> >>> Regards,
> >>> Gašper
> >>
> >> Hello Gašper,
> >>
> >> I assume you are running with FreeIPA version 4.0 and above. At the moment,
> >> this is expected behavior, based on the permission configuration:
> >>
> >>         'System: Change User password': {
> >>             'ipapermright': {'write'},
> >>             'ipapermtargetfilter': [
> >>                 '(objectclass=posixaccount)',
> >>                 '(!(memberOf=%s))' % DN('cn=admins',
> >>                                         api.env.container_group,
> >>                                         api.env.basedn),
> >>             ],
> >>             'ipapermdefaultattr': {
> >>                 'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
> >>                 'sambantpassword', 'userpassword'
> >>             },
> >> ...
> >>             'default_privileges': {
> >>                 'User Administrators',
> >>                 'Modify Users and Reset passwords',
> >>                 'PassSync Service',
> >>             },
> >>         },
> >>
> >>
> >> "PassSync Service" cannot indeed change passwords of admins group. I am
> >> wondering if we want to change the default, which was added so that lower-level
> >> administrators cannot change password of top level admins and impersonate them
> >> for example. Simo, any opinion?
> >
> > We do not want to change the default behavior.
> >
> > Simo.
>
> Ok. I requested a Doc update:
> https://bugzilla.redhat.com/show_bug.cgi?id=1287092
>
> Please feel free to comment in Bugzilla.
>
> Martin
>
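A way to check locally which user entries the quoted 'System: Change User password' target filter actually covers (and so which ones PassSync is allowed to write), as an added example that is not part of this thread or of FreeIPA's own code; the base DN, the group DNs and the sample accounts are assumed values.

```python
# Assumed (not from the thread): a typical IPA base DN, giving the admins group DN that
# DN('cn=admins', api.env.container_group, api.env.basedn) builds on a real server.
BASEDN = "dc=example,dc=com"
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASEDN}"
# The permission's two ipapermtargetfilter values, ANDed as FreeIPA applies them.
TARGET_FILTER = f"(&(objectclass=posixaccount)(!(memberOf={ADMINS_DN})))"

def parse_filter(s):
    """Parse the RFC 4515 subset used here: &, ! and attr=value (exact match only)."""
    def parse(i):
        assert s[i] == "(", "expected '(' at offset %d" % i
        i += 1
        if s[i] == "&":
            kids, i = [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            assert s[i] == ")", "unterminated & group"
            return ("&", kids), i + 1
        if s[i] == "!":
            node, i = parse(i + 1)
            assert s[i] == ")", "unterminated ! group"
            return ("!", [node]), i + 1
        end = s.index(")", i)                 # a DN value may itself contain '='
        attr, _, value = s[i:end].partition("=")
        return ("=", (attr.lower(), value.lower())), end + 1
    node, i = parse(0)
    assert i == len(s), "trailing data after filter"
    return node

def matches(node, entry):
    """entry maps lowercase attribute names to value lists (LDAP attrs are multi-valued)."""
    op, arg = node
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    return any(v.lower() == value for v in entry.get(attr, []))

def passsync_can_change(entry):
    """True when the entry is inside the permission target, i.e. PassSync may write its password."""
    return matches(parse_filter(TARGET_FILTER), entry)

# Constructed sample entries (hypothetical accounts): one admins member, one plain user.
USERS = {
    "admin-member": {"objectclass": ["top", "posixaccount"], "memberof": [ADMINS_DN]},
    "plain-user": {"objectclass": ["top", "posixaccount"],
                   "memberof": [f"cn=ipausers,cn=groups,cn=accounts,{BASEDN}"]},
}
```

Running `passsync_can_change` over an export of your user entries shows exactly which accounts will hit "Insufficient access" in the PassSync log, without touching the directory.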