[Freeipa-users] FreeIPA AD password sync
Gašper Bregar
gasper.bregar at nets.si
Tue Dec 1 15:07:36 UTC 2015
Thank you for the quick reply and a solution.
I will try it in the next couple of days.
Regards,
Gašper
On Tue, Dec 1, 2015 at 2:51 PM, Martin Kosek <mkosek at redhat.com> wrote:
> On 12/01/2015 02:41 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> >> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> >>> I have been struggling with FreeIPA and AD password sync for a couple of
> >>> days now. At first everything was working fine, but then all of a sudden
> >>> the synchronization started to fail for me and another user.
> >>>
> >>> The error in passsync log was
> >>>
> >>> Ldap error in ModifyPassword
> >>>> 50: Insufficient access
> >>>
> >>>
> >>> It took me some time to figure out that it was failing just for the two of us.
> >>> It was failing because we were in the admin user group in FreeIPA. Is this
> >>> intentional? Is it possible to somehow change this behaviour with a
> >>> setting?
> >>>
> >>> Regards,
> >>> Gašper
> >>
> >> Hello Gašper,
> >>
> >> I assume you are running with FreeIPA version 4.0 and above. At the
> moment,
> >> this is expected behavior, based on the permission configuration:
> >>
> >> 'System: Change User password': {
> >>     'ipapermright': {'write'},
> >>     'ipapermtargetfilter': [
> >>         '(objectclass=posixaccount)',
> >>         '(!(memberOf=%s))' % DN('cn=admins',
> >>                                 api.env.container_group,
> >>                                 api.env.basedn),
> >>     ],
> >>     'ipapermdefaultattr': {
> >>         'krbprincipalkey', 'passwordhistory', 'sambalmpassword',
> >>         'sambantpassword', 'userpassword'
> >>     },
> >>     ...
> >>     'default_privileges': {
> >>         'User Administrators',
> >>         'Modify Users and Reset passwords',
> >>         'PassSync Service',
> >>     },
> >> },
> >>
> >>
> >> "PassSync Service" cannot indeed change passwords of admins group. I am
> >> wondering if we want to change the default, which was added so that
> lower-level
> >> administrators cannot change password of top level admins and
> impersonate them
> >> for example. Simo, any opinion?
> >
> > We do not want to change the default behavior.
> >
> > Simo.
>
> Ok. I requested a Doc update:
> https://bugzilla.redhat.com/show_bug.cgi?id=1287092
>
> Please feel free to comment in Bugzilla.
>
> Martin
>
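The permission quoted in the thread explains the "50: Insufficient access" error: the 'System: Change User password' permission only targets entries that match both filter terms, so any user who is a member of cn=admins falls outside what the PassSync Service privilege may write. The following is an added example, not code from the thread or from FreeIPA itself, that emulates that two-term target filter against an LDAP entry so an administrator can check ahead of time which accounts PassSync will be denied on. The group container cn=groups,cn=accounts and the base DN dc=example,dc=com are assumptions standing in for api.env.container_group and api.env.basedn; the sample entries are constructed.

```python
"""Emulate the 'System: Change User password' target filter from FreeIPA's
permission definition (example only; not FreeIPA's own code)."""
from typing import Dict, List, Tuple

# Assumed deployment values (not taken from the thread): FreeIPA's default
# group container and an example base DN.
CONTAINER_GROUP = "cn=groups,cn=accounts"
BASEDN = "dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: trim whitespace around RDNs and
    lowercase, since DN matching in LDAP is case-insensitive. Simplified:
    escaped commas inside attribute values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def admins_group_dn(container_group: str = CONTAINER_GROUP, basedn: str = BASEDN) -> str:
    """Build the DN the permission excludes, mirroring
    DN('cn=admins', api.env.container_group, api.env.basedn)."""
    return f"cn=admins,{container_group},{basedn}"


def matches_target_filter(entry: Dict[str, List[str]], admins_dn: str) -> Tuple[bool, str]:
    """Evaluate the target filter
        (objectclass=posixaccount) AND (!(memberOf=<admins_dn>))
    against an entry given as attribute -> list of values.
    Returns (allowed, reason). Attribute names are matched case-insensitively."""
    attrs = {k.lower(): v for k, v in entry.items()}
    objectclasses = {oc.lower() for oc in attrs.get("objectclass", [])}
    if "posixaccount" not in objectclasses:
        return False, "entry is not a posixAccount; the permission does not target it"
    member_of = {normalize_dn(dn) for dn in attrs.get("memberof", [])}
    if normalize_dn(admins_dn) in member_of:
        return False, "entry is a member of cn=admins; excluded by (!(memberOf=...))"
    return True, "entry matches the target filter"


def passsync_can_reset(entry: Dict[str, List[str]],
                       container_group: str = CONTAINER_GROUP,
                       basedn: str = BASEDN) -> Tuple[bool, str]:
    """Would a bind holding the 'PassSync Service' privilege be allowed to
    write userPassword on this entry under the quoted permission?"""
    return matches_target_filter(entry, admins_group_dn(container_group, basedn))


# Constructed sample entries (not real directory data).
REGULAR_USER = {
    "dn": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
    "objectClass": ["top", "person", "posixaccount", "inetorgperson"],
    "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
}
ADMIN_USER = {
    "dn": ["uid=bob,cn=users,cn=accounts,dc=example,dc=com"],
    "objectClass": ["top", "person", "posixaccount", "inetorgperson"],
    "memberOf": [
        "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
        # Case and spacing deliberately vary to show DN normalization.
        "CN=admins, CN=groups, CN=accounts, DC=example, DC=com",
    ],
}

if __name__ == "__main__":
    for e in (REGULAR_USER, ADMIN_USER):
        ok, why = passsync_can_reset(e)
        verdict = "allowed" if ok else "denied (LDAP 50: Insufficient access)"
        print(f"{e['dn'][0]} -> {verdict}; {why}")
```

Running it reports alice as allowed and bob as denied, which is exactly the split the original poster observed: members of the admins group are outside the permission's target set, so PassSync's modify fails with result code 50 while everyone else syncs normally. The check is purely local; it reads no directory and changes nothing.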