René Johansen via FreeIPA-users wrote:
> Hello FreeIPA users..
>
> I am currently trying to set up an account for syncing users' hashed
> userpassword attributes to our google directory.. Basically we use gmail
> and sync users' ldap passwords so that their login matches their ldap
> login.. this is a one way sync, and google only requires the hashes (md5,
> base64, SHA1)..
>
> From what I can gather, the cn=Directory Manager role is the only one
> that can access users' userpassword attributes, but I was told it is
> possible to maybe create a service account that is able to also access
> this? It only needs read permissions.. I have however not been able to
> get this working, and I do not find the documentation on this to be very
> clear..
>
> Can anyone point me in the right direction? or help me to set this up?
>
> As of right now I have a user account (google), enrolled in a group
> (google_sync), and would like to assign permissions to this group to
> read the userpassword attribute from a group called "mail"
>
> uid=google,cn=users,cn=accounts,dc=xx,dc=xx
> cn=google_sync,cn=groups,cn=accounts,dc=xx,dc=xx
> cn=mail,cn=groups,dc=accounts,dc=xx,dc=xx

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/pass-sync#password-sync

>
> As an additional question, are userpasswords hashed in base64 or? I can't
> seem to find an answer to this..

Both. Decode it and you'll see the hashing.

rob
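The two layers mentioned in the reply above, shown as an added example that is not part of the original thread: an LDIF export wraps the userPassword value in base64 (the `::` form), and the decoded value is itself `{SCHEME}` followed by base64 of the digest and salt. The sample password, salt and LDIF line are constructed, and the scheme table covers only MD5/SHA-1 and their salted forms as an assumption.

```python
import base64
import hashlib

# Raw digest sizes for the schemes named in the thread and their salted forms.
# Bytes after the digest are the salt.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}

# Constructed sample inputs, not taken from any real directory.
SAMPLE_PASSWORD = b"constructed-example"
SAMPLE_SALT = b"\x01\x02\x03\x04"

def ssha_digest(password, salt):
    """SSHA digest: SHA-1 over the password followed by the salt."""
    return hashlib.sha1(password + salt).digest()

def make_sample_ldif():
    """Build one LDIF line the way an export of the sample entry would show it."""
    blob = ssha_digest(SAMPLE_PASSWORD, SAMPLE_SALT) + SAMPLE_SALT
    stored = b"{SSHA}" + base64.b64encode(blob)
    return "userPassword:: " + base64.b64encode(stored).decode()

def decode_ldif_value(line):
    """Layer 1: 'attr:: v' is base64-wrapped by LDIF, 'attr: v' is literal."""
    _, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def parse_userpassword(raw):
    """Layer 2: split '{SCHEME}base64(digest + salt)' into its parts."""
    text = raw.decode("ascii", errors="replace")
    if not text.startswith("{") or "}" not in text:
        return {"scheme": None, "digest": None, "salt": None}
    scheme, payload = text[1:].split("}", 1)
    scheme = scheme.upper()
    size = DIGEST_LEN.get(scheme)
    if size is None:  # scheme not in the table: report it, do not guess a layout
        return {"scheme": scheme, "digest": None, "salt": None}
    blob = base64.b64decode(payload)
    return {"scheme": scheme, "digest": blob[:size], "salt": blob[size:]}

if __name__ == "__main__":
    line = make_sample_ldif()
    info = parse_userpassword(decode_ldif_value(line))
    print(line)
    print(info["scheme"], info["digest"].hex(), info["salt"].hex())
```
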
