[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-devel] [PATCH][DOCS] Fix password synchronization manager explanation

The current text is wrong and misleading, can we expedite trickling this
change all the way down all downstream documentation ?
(Ie Fedora official user guides).


Simo Sorce * Red Hat, Inc * New York
>From f24531982ae99cd53fede49cdfaa9b87459162f4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo redhat com>
Date: Fri, 6 Dec 2013 11:29:02 -0500
Subject: [PATCH] Fix password sync managers paragraph

The explanation was wrong and misleading. fixed the text to explain what this
feature actually does.

Change the example to make it clear you list synchonization agents here not
real users in the normal case.
 src/user_guide/en-US/ActiveDirectory.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/user_guide/en-US/ActiveDirectory.xml b/src/user_guide/en-US/ActiveDirectory.xml
index 1054e4d114268e58f62131b0893c0a99a11162f0..7af5798ada49a23c33e352f629918f2effcda0d5 100644
--- a/src/user_guide/en-US/ActiveDirectory.xml
+++ b/src/user_guide/en-US/ActiveDirectory.xml
@@ -1432,10 +1432,10 @@ certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt</
 			<section id="password-sync"><title>Exempting &AD; Users from Password Synchronization</title>
-			The passwords in password change operations are still subject to the password policy settings, such as password expiration times. For example, in &IPA; every
-			password change requires an immediate password reset.
-			While normal user passwords need to be subject to password policies, administrative passwords should be exempt from any password rules.
-			A list of user DNs can be set in the password synchronization configuration that are exempted from the password policy.
+                        In order to sync password a synchronization agent should be given enough privileges to bypass normal access control.
+                        The synchronization user also needs to be able to avoid the default rule that requires users to change their password if a different entity change it.
+                        The password plugin can be instructed to treat some users as Password Synchronization Managers.
+                        These users can change any other user password withouth triggering password complexity checks.
@@ -1450,7 +1450,7 @@ certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt</
 dn: cn=ipa_pwd_extop,cn=plugins,cn=config
 changetype: modify
 add: passSyncManagersDNs
-passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com</screen>
+passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com</screen>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]