René Johansen via FreeIPA-users wrote:
> Does anyone have any advice? I have been scouring google, but I have not
> been able to find any definitive answers :/
We strongly discourage allowing anything to read password hashes as this
significantly compromises the security of the system.

Adding the sync user to passSyncManagersDNs is not really needed since this
is read-only (and there is a typo in the LDIF anyway). When you said sync
before I thought that the external site would be writing passwords into IPA.

An ACI to allow a system account to read the password attribute would look
like:

```
aci: (targetattr = "userPassword") (target = "ldap:///uid=*,cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(userdn = "ldap:///<system account dn>");)
```

But again, this is not recommended. I seriously considered not arming you
with the information.

rob

> Kind regards,
> René Johansen
> System Administrator
>
> Christians Brygge 1
> 1219 København K
> Tel: 31625208
>
> On Fri, 11 Sep 2020 at 10:47, René Johansen via FreeIPA-users
> <[email protected] <mailto:[email protected]>> wrote:
>
> Hi Rob (and others)..
>
> Thank you for taking the time to respond..
> I tried the suggested solution and it does not seem to allow the
> google user to modify ipa_pwd_extop
>
> Specifically I tried the following:
>
> ```
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncMamagersDNs
> passSyncManagersDNs: uid=google,cn=users,cn=accounts,dc=XXX,dc=XXX
> ```
>
> But the service still is not syncing password hashes (I am using
> Google Cloud Directory Sync, it only reads hashes (from ldap) and
> compares them to stored hashes, and updates the stored hashes if a
> new password has been set in ldap, there are no writes from google to
> ldap), as seen when running GCDS in debug mode (it doesn't get the
> userPassword attribute):
>
> ```
> [2020-09-11 10:32:15,938+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Executing LDAP rule, scope "SUBTREE", filter "memberof=cn=mail,cn=groups,cn=accounts,dc=dsl,dc=lan"
> [2020-09-11 10:32:15,943+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "uid"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "mail"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "givenName"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "sn"
> ```
>
> I have been suggested to try adding permissions via an aci, but am
> unsure of how to do this..
> The following was suggested:
>
> `aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)`
>
> What would I need to specify as "groupdn"?
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
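The ACI Rob shows grants `read` on `userPassword` to a single bind DN, which is exactly the kind of grant he advises against. Added example, not from this thread or from FreeIPA itself: a small Python auditor that parses 389-ds ACI strings of the form used above (one `targetattr`, optional `target`, one or more `allow`/`deny` rules with a simple bind rule) and reports every allow rule that lets some bind DN read or compare password-bearing attributes. The sample ACIs are constructed; the suffix `dc=example,dc=test`, the `uid=google,cn=sysaccounts,cn=etc,...` bind DN and the ACL names are hypothetical placeholders standing in for the `<my>`/`<domain>`/`<system account dn>` fields in the thread.

```python
"""Audit 389-ds / FreeIPA ACI strings for rules that let a bind DN read password attributes."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attributes in which FreeIPA stores password material.
PASSWORD_ATTRS = {"userpassword", "krbprincipalkey", "ipanthash"}

# Constructed sample input: Rob's ACI with hypothetical placeholders filled in,
# plus a harmless attribute grant and an explicit deny for contrast.
SAMPLE_ACIS = [
    '(targetattr = "userPassword") (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=test") '
    '(version 3.0;acl "Allow password read";allow (read,compare,search)'
    '(userdn = "ldap:///uid=google,cn=sysaccounts,cn=etc,dc=example,dc=test");)',
    '(targetattr = "mail || givenName || sn") (version 3.0;acl "Read public user attrs";'
    'allow (read,search,compare)(userdn = "ldap:///anyone");)',
    '(targetattr = "userPassword || krbPrincipalKey") (version 3.0;acl "Deny pw read";'
    'deny (read,search,compare)(userdn = "ldap:///anyone");)',
]


@dataclass
class Rule:
    effect: str          # "allow" or "deny"
    perms: List[str]     # e.g. ["read", "compare", "search"]
    bind_rule: str       # e.g. 'userdn = "ldap:///uid=svc,..."'


@dataclass
class Aci:
    name: str
    attr_negated: bool       # True for targetattr != "..."
    targetattrs: List[str]   # lower-cased; ["*"] when the clause is absent (all attributes)
    target: Optional[str]
    rules: List[Rule]


_ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_TARGET = re.compile(r'\(\s*target\s*=\s*"([^"]*)"\s*\)', re.I)
# allow|deny (perm,perm)(bind rule);  -- bind rule taken verbatim up to the closing ");"
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*\((.*?)\)\s*;', re.I | re.S)


def parse_aci(text: str) -> Aci:
    """Parse one ACI value into its target, targetattr and permission rules."""
    name = _ACL_NAME.search(text)
    if not name:
        raise ValueError("ACI has no acl name")
    ta = _TARGETATTR.search(text)
    if ta:
        negated = ta.group(1) == "!="
        attrs = [a.strip().lower() for a in ta.group(2).split("||") if a.strip()]
    else:
        negated, attrs = False, ["*"]  # no targetattr clause: every attribute is in scope
    tg = _TARGET.search(text)
    rules = [
        Rule(effect.lower(), [p.strip().lower() for p in perms.split(",") if p.strip()], bind.strip())
        for effect, perms, bind in _RULE.findall(text)
    ]
    return Aci(name.group(1), negated, attrs, tg.group(1) if tg else None, rules)


def covers_password_attr(aci: Aci) -> bool:
    """True when the targetattr clause puts at least one password attribute in scope."""
    if aci.targetattrs == ["*"]:
        return True
    listed = set(aci.targetattrs)
    if aci.attr_negated:
        # targetattr != "a || b" means every attribute except those listed
        return not PASSWORD_ATTRS <= listed
    return bool(listed & PASSWORD_ATTRS)


def password_read_grants(aci_strings) -> List[Tuple[str, str, str]]:
    """Return (acl name, permissions, bind rule) for each allow rule exposing password attributes.

    'compare' is flagged alongside 'read': it lets a bind DN verify guessed hashes even
    when it cannot fetch the value.
    """
    findings = []
    for text in aci_strings:
        aci = parse_aci(text)
        if not covers_password_attr(aci):
            continue
        for rule in aci.rules:
            if rule.effect == "allow" and ({"read", "compare"} & set(rule.perms)):
                findings.append((aci.name, ",".join(rule.perms), rule.bind_rule))
    return findings


if __name__ == "__main__":
    for name, perms, bind in password_read_grants(SAMPLE_ACIS):
        print(f'ACL "{name}" grants {perms} on password attributes to {bind}')
```

To run this against a live directory, feed it the `aci` attribute values pulled from the suffix and its subtree (for example `ldapsearch -D "cn=Directory Manager" -b dc=<my>,dc=<domain> "(aci=*)" aci`, bound as Directory Manager since `aci` is an operational attribute); every line the auditor prints is a bind DN that can pull or verify hashes, and the expected result on a stock FreeIPA install is none.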
