Hi All,

Our current account management policy requires that users change their AD passwords via a special portal; however, I've noticed that this can be bypassed by issuing passwd on a Linux system while logged in with AD credentials, thus changing their AD password.

Any thoughts on the best way to prevent this action? What I've considered so far is removing the trust in AD, effectively creating a one-way trust, but that would limit functionality for future interoperability. Additionally, we could change the permissions for passwd on each Linux system, but this would be somewhat hackish and also complicated to enforce, since we're waiting on Foreman + Puppet to properly be integrated into Katello for our configuration management solution.

Any way to restrict this via the FreeIPA UI?

Thanks,
Brian

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
