[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] sync passwords with AD or not per user

On Wed, 2011-06-08 at 10:27 -0400, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 06/07/2011 03:41 PM, Steven Jones wrote:
> >> Hi,
> >>
> >> For most users I will want to allow the same password in AD as in
> >> freeipa....so a linux or windows desktop will work with a linux or
> >> windows service.....but for some specific financial servers/services I
> >> need a stricter password capability to meet our audit criteria.
> > In 389 you can set password policy on a per-user or per-subtree basis.
> > With a little extra work, you could probably get this working on a
> > per-group or per-role basis as well. This should apply to IPA as well,
> > depending on how they have implemented support for password policy.
> We have per-group password policy but we don't use the 389-ds password 
> policy engine. What I don't know is what happens if you set a lousy 
> password in AD whether that gets replicated to IPA. Will it be rejected, 
> accepted?

The ipa-pwd-extop module has a list of users that can set passwords w/o
having them quality checked. The passsync user is normally one of these
users. And passwords replicated from windows are not quality checked.


Simo Sorce * Red Hat, Inc * New York

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]