Bug 471130

Summary: passsync needs a user that avoids password policy checks
Product: [Retired] freeIPA
Reporter: Simo Sorce <ssorce>
Component: Documentation
Assignee: Deon Ballard <dlackey>
Status: CLOSED UPSTREAM
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: medium
Version: 1.0
CC: benl, dpal, rcritten
Target Milestone: v1.x maintenance
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 11:23:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Simo Sorce 2008-11-11 21:58:18 UTC
Description of problem:
The passsync plugin for Windows performs a normal ldapmodify operation to change users' passwords.
These operations are still normally subject to password policy settings.
When the special user used by passsync is used to set the password, password policies should be skipped and the password should not be set to immediately expire like it is done when a normal administrator resets a user password.

Solution:
Add a list of passSyncManagers DNs to the password plugin configuration.
These users will be exempt from password policy enforcement, like Directory Manager currently is.

Comment 1 Chandrasekar Kannan 2008-11-20 13:54:59 UTC
*** Bug 471132 has been marked as a duplicate of this bug. ***

Comment 2 David O'Brien 2009-01-12 21:53:40 UTC
I need more info on this before I can add anything to the doc.

Is this list of passSyncManager DNs what I need to add to the documentation? Or is it a case of "Problem statement, Solution, Procedure"? How do you add this list of DNs to the plugin config?

Comment 3 Rob Crittenden 2009-01-12 22:20:28 UTC
You have to manually configure this currently.

You need to modify, as Directory Manager, the entry cn=ipa_pwd_extop,cn=plugins,cn=config

Add/update the attribute passSyncManagersDNs which is a multi-valued list of DNs that bypass password policy.

The entry cn=Directory Manager always bypasses policy and doesn't need to be explicitly listed.

An example of adding a new entry, say uid=admin:

% ldapmodify -x -D "cn=Directory Manager" -W 
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
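
As an added example (not from this bug, and not FreeIPA's own tooling), the procedure in comment 3 wrapped in a script that reads the plugin entry first and only applies the LDIF when the DN is not already listed, so that a second run is a no-op rather than an LDAP "type or value exists" error. It assumes the server is reachable at ldap://localhost and that the Directory Manager password is in the file named by DM_PASSWORD_FILE; the ldapsearch output embedded in it as SAMPLE_CONFIG is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not FreeIPA's own tooling): idempotently add a DN to
# passSyncManagersDNs on cn=ipa_pwd_extop,cn=plugins,cn=config.
# Assumptions made here, not stated in the bug: the server is reachable at
# ldap://localhost, and the Directory Manager password is in the file named
# by $DM_PASSWORD_FILE.

PWD_PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# Constructed sample of what `ldapsearch -LLL ... -b "$PWD_PLUGIN_DN" -s base
# passSyncManagersDNs` returns on a server where one sync account is already
# listed; the value is folded across two lines the way ldapsearch folds long
# attribute values.
SAMPLE_CONFIG='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=c
 om'

# Normalise a DN for comparison: lower-case it and drop whitespace around
# the "," and "=" separators (DN matching in LDAP is not byte-exact).
norm_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g'
}

# Directory Manager always bypasses policy and never needs listing.
# Returns 0 when $1 must be added to passSyncManagersDNs to bypass policy.
needs_listing() {
  [ "$(norm_dn "$1")" != 'cn=directory manager' ]
}

# Read LDIF from stdin; return 0 if $1 is already a passSyncManagersDNs value.
# Folded continuation lines are joined first. Base64 ("::") values are not
# handled, since the DNs in this entry are plain ASCII.
dn_listed() {
  target=$(norm_dn "$1")
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
    | grep -i '^passSyncManagersDNs: ' | sed 's/^[^:]*: //' \
    | while IFS= read -r v; do norm_dn "$v"; echo; done \
    | grep -Fxq -- "$target"
}

# The LDIF from comment 3, parameterised on the DN to add.
build_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
    "$PWD_PLUGIN_DN" "$1"
}

# Check the live entry and apply the change only when it is actually needed.
add_passsync_manager() {
  dn=$1
  if ! needs_listing "$dn"; then
    echo "$dn bypasses password policy unconditionally; nothing to do" >&2
    return 0
  fi
  if ldapsearch -LLL -x -H ldap://localhost -D 'cn=Directory Manager' \
       -y "$DM_PASSWORD_FILE" -b "$PWD_PLUGIN_DN" -s base passSyncManagersDNs \
     | dn_listed "$dn"; then
    echo "$dn is already in passSyncManagersDNs" >&2
    return 0
  fi
  build_ldif "$dn" \
    | ldapmodify -x -H ldap://localhost -D 'cn=Directory Manager' -y "$DM_PASSWORD_FILE"
}

# Usage (assumed file and DN):
#   DM_PASSWORD_FILE=/root/dm.pw \
#   PASSSYNC_DN='uid=admin,cn=users,cn=accounts,dc=example,dc=com' sh add-passsync-manager.sh
if [ -n "${PASSSYNC_DN:-}" ]; then
  add_passsync_manager "$PASSSYNC_DN"
fi
```

Keep the list short: every DN in passSyncManagersDNs can set any user's password with policy checks skipped and without the forced expiry that a normal administrative reset gets, so it should contain only the account the Windows sync binds as, not general administrators. The check before the modify also matters for automation, because `add:` on an attribute that already holds the value fails rather than being ignored.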

Comment 4 David O'Brien 2009-07-15 04:20:07 UTC
Added to "4.3. Setting up Windows Sync on the IPA Server"

Comment 5 David O'Brien 2011-09-12 02:49:08 UTC
afaik Deon is now responsible for all IPA doc.