Bug 1206309
Summary: | winsync sets AccountUserControl in AD to 544 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Noriko Hosoi <nhosoi> |
Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | nhosoi, nkinder, rmeggins, sramling |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 389-ds-base-1.3.4.0-1.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 11:43:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Noriko Hosoi
2015-03-26 18:14:13 UTC
Hi Noriko,
>This isn't secure (allow user to set empty password). Letting the administrator set a default value for this attribute in synchronization parameters would be nice.
In the patch I didn't find any info about default value that can be set by admin.
As far as I understand, we now fallback to 512 if password is set and 544 if not, correct?
Thanks!
(In reply to Viktor Ashirov from comment #2) > Hi Noriko, > > >This isn't secure (allow user to set empty password). Letting the administrator set a default value for this attribute in synchronization parameters would be nice. > > In the patch I didn't find any info about default value that can be set by > admin. > As far as I understand, we now fallback to 512 if password is set and 544 if > not, correct? Yes, that's correct. Thank you for understanding the cryptic description... For password not set user... the userAccountControl set to 544. [root@dhcp35-196 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2012r2.adrelm.com -p 636 -D "cn=SyncManager,cn=Users,dc=adrelm,dc=com" -w Secret123 -b "cn=dsdsdsX,ou=adpasssync,dc=adrelm,dc=com" objectClass=* "userAccountControl" version: 1 dn: CN=dsdsdsX,OU=adpasssync,DC=adrelm,DC=com userAccountControl: 544 For the password set to user, the userAccountControl set to 512: [root@dhcp35-196 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2012r2.adrelm.com -p 636 -D "cn=SyncManager,cn=Users,dc=adrelm,dc=com" -w Secret123 -b "cn=dsdsds9,ou=adpasssync,dc=adrelm,dc=com" objectClass=* "userAccountControl" version: 1 dn: CN=dsdsds9,OU=adpasssync,DC=adrelm,DC=com userAccountControl: 512 Hence, marking the bug as Verified. Build tested: [root@dhcp35-196 MMR_WINSYNC]# rpm -qa |grep -i 389-ds 389-ds-base-libs-1.3.4.0-15.el7.x86_64 389-ds-base-1.3.4.0-15.el7.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2351.html |