René Johansen via FreeIPA-users wrote:
Does anyone have any advice? I have been scouring Google, but I have
not been able to find any definitive answers :/
We strongly discourage allowing anything to read password hashes as this
significantly compromises the security of the system.
Adding the sync user to passSyncManagersDNs is not really needed since
this is read-only (and there is a typo in the LDIF anyway). When you
said sync before I thought that the external site would be writing
passwords into IPA.
An ACI to allow a system account to read the password attribute would
look like:
```
aci: (targetattr = "userPassword") (target = "ldap:///uid=*,cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(userdn = "ldap:///<system account dn>");)
```
But again, this is not recommended. I seriously considered not arming
you with the information.
rob
Best regards,
René Johansen
System administrator
Christians Brygge 1
1219 København K
Tel: 31625208
On Fri, 11 Sep 2020 at 10:47, René Johansen via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob (and others)..
Thank you for taking the time to respond..
I tried the suggested solution and it does not seem to allow the
Google user to modify ipa_pwd_extop.
Specifically, I tried the following:
```
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncMamagersDNs
passSyncManagersDNs: uid=google,cn=users,cn=accounts,dc=XXX,dc=XXX
```
But the service still is not syncing password hashes (I am using
Google Cloud Directory Sync; it only reads hashes from LDAP and
compares them to stored hashes, and updates the stored hashes if a
new password has been set in LDAP; there are no writes from Google to
LDAP), as seen when running GCDS in debug mode (it doesn't get the
userPassword attribute):
```
[2020-09-11 10:32:15,938+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Executing LDAP rule, scope "SUBTREE", filter "memberof=cn=mail,cn=groups,cn=accounts,dc=dsl,dc=lan"
[2020-09-11 10:32:15,943+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "uid"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "mail"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "givenName"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "sn"
```
It has been suggested that I try adding permissions via an ACI, but I am
unsure how to do this..
The following was suggested:
```
aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)
```
What would I need to specify as "groupdn"?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
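As an added example (not code from the thread or from the FreeIPA project), the Python below takes ACIs in the 389-ds syntax used by Rob's userdn rule and by the groupdn variant René was given, parses out the target, the granted rights and the bind rule, and reports what each rule actually hands to the bound identity before it is loaded with ldapmodify. It also composes the read-only ACI for one system account and the LDIF that would attach it to cn=users,cn=accounts. Everything concrete is an assumption standing in for the thread's placeholders: the suffix dc=example,dc=test, the system account uid=gcds,cn=sysaccounts,cn=etc,..., the group cn=pwhash-readers,..., and the choice of cn=users,cn=accounts as the entry that carries the ACI (Rob's message does not say where to put it). The audit flags userPassword exposure no matter how tightly the rule is scoped, which is the point Rob makes.

```python
"""Audit 389-ds/FreeIPA ACIs before loading them with ldapmodify.
Added example, not from the FreeIPA project or the thread; DNs below are
constructed stand-ins for the <my>/<domain> and <system account dn> placeholders.
"""
import re

# Rights that let the bound identity change data rather than only read it.
MODIFYING_RIGHTS = {"write", "add", "delete", "selfwrite", "moddn",
                    "all", "proxy", "import", "export"}

_TARGET_RE = re.compile(r'\(\s*(targetattr|target|targetfilter)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_PERM_RE = re.compile(r'\b(allow|deny)\s*\(\s*([^)]*)\)', re.I)
_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)
_BIND_RE = re.compile(r'\b(userdn|groupdn|roledn|userattr|ip|dns|authmethod)\s*(!?=)\s*"([^"]*)"', re.I)

# Assumed DNs (constructed for this example).
BASE_DN = "dc=example,dc=test"
SYSTEM_ACCOUNT_DN = f"uid=gcds,cn=sysaccounts,cn=etc,{BASE_DN}"
READERS_GROUP_DN = f"cn=pwhash-readers,cn=groups,cn=accounts,{BASE_DN}"


def build_aci(system_account_dn, base_dn, name="Allow password read"):
    """Compose the read-only ACI from the thread, bound to a single system account."""
    return ('(targetattr = "userPassword")'
            f'(target = "ldap:///uid=*,cn=users,cn=accounts,{base_dn}")'
            f'(version 3.0; acl "{name}"; allow (read,compare,search)'
            f'(userdn = "ldap:///{system_account_dn}");)')


def build_ldif(base_dn, aci):
    """LDIF adding the ACI to the users container, which the target sits under (assumed placement)."""
    return f"dn: cn=users,cn=accounts,{base_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def parse_aci(aci):
    """Split an ACI value into target clauses, permission and bind rules."""
    if aci.lower().startswith("aci:"):
        aci = aci.split(":", 1)[1].strip()
    perm = _PERM_RE.search(aci)
    if perm is None:
        raise ValueError("ACI has no allow/deny clause")
    targets = {k.lower(): (op, val) for k, op, val in _TARGET_RE.findall(aci)}
    name = _NAME_RE.search(aci)
    return {
        "name": name.group(1) if name else "",
        "targetattr": targets.get("targetattr"),
        "target": targets.get("target"),
        "effect": perm.group(1).lower(),
        "rights": {r.strip().lower() for r in perm.group(2).split(",") if r.strip()},
        # Bind rules follow the permission clause; what precedes it is the target.
        "bind_rules": [(k.lower(), op, val) for k, op, val in _BIND_RE.findall(aci[perm.end():])],
    }


def audit_aci(parsed):
    """Return human-readable findings; an empty list means nothing alarming."""
    findings = []
    if parsed["effect"] != "allow":
        return findings  # deny rules only take access away
    attr = parsed["targetattr"]
    if attr is None:
        exposes_pw = True
        findings.append("no targetattr: the rule covers every attribute")
    else:
        op, val = attr
        names = {a.strip().lower() for a in val.split("||")}
        if op == "!=" or "*" in names:
            findings.append("targetattr covers all (or all but the listed) attributes")
        # '=' lists readable attributes; '!=' lists the ones that are NOT readable.
        exposes_pw = bool({"userpassword", "*"} & names) if op == "=" else "userpassword" not in names
    if exposes_pw:
        findings.append("exposes userPassword hashes to the bound identity (offline cracking risk)")
    granted = parsed["rights"] & MODIFYING_RIGHTS
    if granted:
        findings.append("grants modification rights: " + ", ".join(sorted(granted)))
    if not parsed["bind_rules"]:
        findings.append("no bind rule: applies to every bound identity")
    for kind, _op, val in parsed["bind_rules"]:
        if kind == "userdn" and val.lower() in ("ldap:///anyone", "ldap:///all"):
            findings.append(f"{val} matches anonymous or every authenticated user")
        elif kind == "groupdn":
            findings.append("groupdn bind rule: every member of the group inherits the access")
        elif kind in ("userdn", "roledn") and ("*" in val or "?" in val):
            findings.append(f"wildcard in {kind}: {val}")
    return findings


def audit(aci):
    return audit_aci(parse_aci(aci))


# Constructed samples: the thread's userdn ACI, its groupdn variant, and an over-broad one.
USERDN_ACI = build_aci(SYSTEM_ACCOUNT_DN, BASE_DN)
GROUPDN_ACI = ('(targetattr = "userPassword") '
               f'(target = "ldap:///cn=users,cn=accounts,{BASE_DN}") '
               '(version 3.0;acl "Allow password read";allow (read,compare,search)'
               f'(groupdn = "ldap:///{READERS_GROUP_DN}");)')
OVERBROAD_ACI = '(targetattr = "*")(version 3.0; acl "bad"; allow (all) (userdn = "ldap:///anyone");)'

if __name__ == "__main__":
    for label, aci in (("userdn ACI", USERDN_ACI), ("groupdn ACI", GROUPDN_ACI),
                       ("over-broad ACI", OVERBROAD_ACI)):
        print(f"== {label}")
        for finding in audit(aci) or ["no findings"]:
            print("  -", finding)
    print(build_ldif(BASE_DN, USERDN_ACI))
```

The groupdn variant picks up one extra finding because every member of the named group inherits the read, which is also the answer to what goes in groupdn: the DN of a group whose entire membership you are prepared to hand password hashes to, so a single userdn bound to the sync system account is the smaller grant. After loading, confirm the scope from the system account itself with an ldapsearch for userPassword on one user, and repeat the same search with an ordinary user bind to check that the attribute is not returned there.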