Bug 471130 - passsync needs a user that avoid password policies checks
Product: freeIPA
Classification: Community
Component: Documentation
Platform: All Linux
Priority: medium
Severity: medium
Target: v1.x maintenance
Assigned To: Deon Ballard
Chandrasekar Kannan
Duplicates: 471132
Reported: 2008-11-11 16:58 EST by Simo Sorce
Modified: 2015-01-04 18:34 EST
Last Closed: 2012-03-28 07:23:46 EDT
Doc Type: Bug Fix
Attachments: None

Description Simo Sorce 2008-11-11 16:58:18 EST
Description of problem:
The passsync plugin for Windows operates a normal ldapmodify operation to change users' passwords.
These operations are still normally subject to password policy settings.
When the special user used by passsync is used to set the password, password policies should be skipped and the password should not be set to immediately expire like it is done when a normal administrator resets a user password.

Add a list of passSyncManagers DNs to the password plugin configuration.
These users will be exempt from password policy enforcement like Directory Manager currently is.
Comment 1 Chandrasekar Kannan 2008-11-20 08:54:59 EST
*** Bug 471132 has been marked as a duplicate of this bug. ***
Comment 2 David O'Brien 2009-01-12 16:53:40 EST
I need more info on this before I can add anything to the doc.

Is this list of passSyncManager DNs what I need to add to the documentation? Or is it a case of "Problem statement, Solution, Procedure"? How do you add this list of DNs to the plugin config?
Comment 3 Rob Crittenden 2009-01-12 17:20:28 EST
You have to manually configure this currently.

You need to modify, as Directory Manager, the entry cn=ipa_pwd_extop,cn=plugins,cn=config

Add/update the attribute passSyncManagersDNs which is a multi-valued list of DNs that bypass password policy.

The entry cn=Directory Manager always bypasses policy and doesn't need to be explicitly listed.

An example of adding a new entry, say uid=admin:

% ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
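
The following is an added example, not part of the bug thread and not FreeIPA's own code. It works on the LDIF text that ldapsearch prints for cn=ipa_pwd_extop,cn=plugins,cn=config and emits the record that the ldapmodify command above reads, so it can be run offline against a constructed sample entry. It shows two things the one-line ldapmodify in comment 3 does not: how to list which DNs currently bypass password policy (an audit anyone managing the exemption list wants to do, since each DN here is exempt from policy checks), and how to add a DN idempotently (a second "add" of an existing value makes ldapmodify fail with "Type or value exists") and remove a stale one in the same modify. All DNs, the sample entry, and the helper names are assumptions made for the example.

```python
"""
Audit and update passSyncManagersDNs on cn=ipa_pwd_extop,cn=plugins,cn=config.

Added example; not code from the bug report or from FreeIPA. It reads LDIF
(as printed by `ldapsearch -LLL`) and writes the LDIF that `ldapmodify -x -D
"cn=Directory Manager" -W` expects. The sample entry and every DN in it are
constructed for illustration.
"""
import base64
import sys
from typing import Dict, List, Tuple

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"
ATTR = "passSyncManagersDNs"

# Constructed sample of `ldapsearch -LLL -b "<PLUGIN_DN>" passSyncManagersDNs`
# output. It includes one folded continuation line and one base64 ("::")
# value, both of which ldapsearch produces for long or non-ASCII values.
SAMPLE_LDIF = (
    "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
    "objectClass: top\n"
    "objectClass: nsSlapdPlugin\n"
    "cn: ipa_pwd_extop\n"
    "passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,\n"
    " dc=example,dc=com\n"
    "passSyncManagersDNs:: "
    + base64.b64encode(b"uid=oldadmin,cn=users,cn=accounts,dc=example,dc=com").decode()
    + "\n"
)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute name (lowercased): [values]}.
    Unfolds continuation lines (leading space) and decodes base64 ('::')
    values; '#' comments and blank lines are skipped; URL values ('<') are not
    handled."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDN separators so that
    'UID=Admin, CN=users,...' compares equal to 'uid=admin,cn=users,...'.
    Escaped commas inside values ('\\,') are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def current_managers(entry: Dict[str, List[str]]) -> List[str]:
    """DNs that bypass password policy via this attribute.  cn=Directory
    Manager always bypasses and is never listed here."""
    return list(entry.get(ATTR.lower(), []))


def plan_changes(entry: Dict[str, List[str]], desired: List[str],
                 remove_unlisted: bool = False) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove).  Comparing normalized DNs keeps a re-run from
    failing with 'Type or value exists'.  remove_unlisted=True is the audit
    case: a stale DN that can still write userPassword does so with policy
    enforcement skipped, so it should not stay in the list by accident."""
    have = {normalize_dn(d): d for d in current_managers(entry)}
    want = {normalize_dn(d): d for d in desired}
    to_add = [want[k] for k in want if k not in have]
    to_remove = [have[k] for k in have if k not in want] if remove_unlisted else []
    return to_add, to_remove


def build_ldif(to_add: List[str], to_remove: List[str]) -> str:
    """Render one ldapmodify record; '' when there is nothing to do."""
    if not to_add and not to_remove:
        return ""
    ops: List[str] = []
    if to_add:
        ops.append(f"add: {ATTR}\n" + "".join(f"{ATTR}: {d}\n" for d in to_add))
    if to_remove:
        ops.append(f"delete: {ATTR}\n" + "".join(f"{ATTR}: {d}\n" for d in to_remove))
    # "-" separates operations within a single changetype: modify record.
    return f"dn: {PLUGIN_DN}\nchangetype: modify\n" + "-\n".join(ops)


def main() -> None:
    # Real use: pipe `ldapsearch -LLL -x -D "cn=Directory Manager" -W
    # -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs` in;
    # with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    entry = parse_ldif_entry(text)
    # "#" is an LDIF comment, so this audit line is safe to pipe into ldapmodify.
    print("# currently exempt from password policy:", ", ".join(current_managers(entry)))
    desired = [  # hypothetical target list
        "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
        "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    ]
    to_add, to_remove = plan_changes(entry, desired, remove_unlisted=True)
    print(build_ldif(to_add, to_remove), end="")


if __name__ == "__main__":
    main()
```

Run on its own it prints the audit line and a modify record that adds uid=admin and deletes the stale uid=oldadmin; that output can be piped straight into ldapmodify -x -D "cn=Directory Manager" -W as in comment 3. The delete operation is what makes this usable as a periodic check: with remove_unlisted=False it only ever widens the exemption list.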
Comment 4 David O'Brien 2009-07-15 00:20:07 EDT
Added to "4.3. Setting up Windows Sync on the IPA Server"
Comment 5 David O'Brien 2011-09-11 22:49:08 EDT
afaik Deon is now responsible for all IPA doc.