Bug 471130 - passsync needs a user that avoids password policy checks
Summary: passsync needs a user that avoids password policy checks
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: freeIPA
Classification: Retired
Component: Documentation
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: v1.x maintenance
Assignee: Deon Ballard
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 471132
Depends On:
Blocks:
 
Reported: 2008-11-11 21:58 UTC by Simo Sorce
Modified: 2015-01-04 23:34 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 11:23:46 UTC
Embargoed:



Description Simo Sorce 2008-11-11 21:58:18 UTC
Description of problem:
The passsync plugin for Windows operates a normal ldapmodify operation to change users' passwords.
These operations are still normally subject to password policy settings.
When the special user used by passsync is used to set the password, password policies should be skipped and the password should not be set to immediately expire like it is done when a normal administrator resets a user password.

Solution:
Add a list of passSyncManagers DNs to the password plugin configuration.
These users will be exempt from password policy enforcement like Directory Manager currently is.

Comment 1 Chandrasekar Kannan 2008-11-20 13:54:59 UTC
*** Bug 471132 has been marked as a duplicate of this bug. ***

Comment 2 David O'Brien 2009-01-12 21:53:40 UTC
I need more info on this before I can add anything to the doc.

Is this list of passSyncManager DNs what I need to add to the documentation? Or is it a case of "Problem statement, Solution, Procedure"? How do you add this list of DNs to the plugin config?

Comment 3 Rob Crittenden 2009-01-12 22:20:28 UTC
You have to manually configure this currently.

You need to modify, as Directory Manager, the entry cn=ipa_pwd_extop,cn=plugins,cn=config

Add/update the attribute passSyncManagersDNs which is a multi-valued list of DNs that bypass password policy.

The entry cn=Directory Manager always bypasses policy and doesn't need to be explicitly listed.

An example of adding a new entry, say uid=admin:

% ldapmodify -x -D "cn=Directory Manager" -W 
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
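
As an added example that is not part of the bug report or of FreeIPA itself, here is the procedure from comment 3 as a small shell helper: it builds the LDIF record that ldapmodify needs, builds the matching delete record, and checks an ldapsearch dump of the plugin entry for a given DN so the change can be verified after it is applied. Only the entry DN and the attribute name come from the comment; the LDAP URI, the uid=passsync account DN and the sample ldapsearch output are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeIPA: helpers for
# managing the passSyncManagersDNs list on the ipa_pwd_extop plugin entry.
# The entry DN and attribute name come from comment 3; the LDAP URI, the
# example account DNs and the ldapsearch dump below are assumptions or
# constructed sample data.

PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'
ATTR='passSyncManagersDNs'

# Print the LDIF record that adds DN $1 as a password-policy-exempt
# sync manager (the same modify record comment 3 feeds to ldapmodify).
passsync_add_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n' \
        "$PLUGIN_DN" "$ATTR" "$ATTR" "$1"
}

# Print the LDIF record that removes DN $1 from the list again.
passsync_delete_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n' \
        "$PLUGIN_DN" "$ATTR" "$ATTR" "$1"
}

# Succeed (exit 0) if DN $1 is one of the passSyncManagersDNs values in an
# ldapsearch dump of the plugin entry read from stdin. DNs are compared
# case-insensitively with whitespace around commas dropped, which is how
# a directory server compares them. Dump the entry unwrapped
# (ldapsearch -o ldif-wrap=no) so that long values are not folded.
passsync_has_dn() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    grep -i "^$ATTR:" | sed 's/^[^:]*: *//' \
        | tr 'A-Z' 'a-z' | sed 's/ *, */,/g' | grep -qxF -- "$want"
}

# Apply a record from stdin against a live server as Directory Manager.
# Needs ldapmodify (openldap-clients); not executed in the demo below.
# LDAP_URI is an assumed environment variable, defaulting to localhost.
passsync_apply() {
    ldapmodify -x -H "${LDAP_URI:-ldap://localhost}" \
        -D 'cn=Directory Manager' -W
}

# Constructed sample dump, as
#   ldapsearch -x -o ldif-wrap=no -D 'cn=Directory Manager' -W \
#       -b "$PLUGIN_DN" -s base passSyncManagersDNs
# might print once two managers are configured. uid=passsync is a
# hypothetical dedicated sync account, not a name taken from the bug.
SAMPLE_DUMP='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
'

# Demo: show the record that would be sent, then check the sample dump.
NEW_DN='uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com'
passsync_add_ldif "$NEW_DN"
if printf '%s' "$SAMPLE_DUMP" | passsync_has_dn "$NEW_DN"; then
    echo "$NEW_DN is exempt from password policy"
fi
# To apply for real: passsync_add_ldif "$NEW_DN" | passsync_apply
```

Because every DN on this list bypasses password policy and the expire-on-reset behaviour, keep it to the dedicated account the Windows sync service binds as; a general administrator account such as uid=admin (used in comment 3 only to show the syntax) does not belong there, and cn=Directory Manager never needs to be listed.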

Comment 4 David O'Brien 2009-07-15 04:20:07 UTC
Added to "4.3. Setting up Windows Sync on the IPA Server"

Comment 5 David O'Brien 2011-09-12 02:49:08 UTC
afaik Deon is now responsible for all IPA doc.

