Several months ago I was setting up a FreeIPA instance for a client, and ran into a requirement for synchronizing passwords between a legacy system and their new FreeIPA instance. To be clear, it was this legacy system which would be the authoritative source of the passwords, now, and going forward. That meant when the user changed their password in the legacy system, the new password would need to make its way to the FreeIPA server and be set for that user.

By default, when a user’s password is reset, whether by the admin user or by another user with admin privileges, the password is immediately expired. In our situation, this was not at all ideal, since we wanted to set the password to match the legacy system.

This solution was originally pointed out to me by Rob Crittenden on the FreeIPA mailing list, and while the FreeIPA docs do have some pretty extensive explanations on setting up synchronization with Windows AD, the instructions given to me by Rob no longer seem to appear on the site. So, I shall document them here.

There is an LDAP attribute on the password plugin configuration which lists the users who can set passwords without those passwords being auto-expired. The easiest way to set it is via the command line (and probably the most convenient if it is being done via configuration management).

In this case, we will allow the user admin to make the change.

echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com' |
ldapmodify -x -D 'cn=Directory Manager' -w admin_password -h localhost -p 389

Note that this only adds the property, so if the property already exists, it will exit with a return code of 20 and you’ll need to handle that. In my Ansible task, I have this set to ignore_errors: true, register the result, and then have a block after that like so:

- name: Fail if for other reason than "no modifications"
  fail:
    msg: "Password policy modification failed: {{ ipa_result.stderr }}"
  when: "ipa_result.rc != 0 and 'no modifications to be performed' not in ipa_result.stderr"

If you want to add additional names later, you’ll need to add a value to the multi-valued property, or add logic in your configuration management to edit the existing property. That is left as an exercise for the reader.
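One way to take that exercise on, as an added example that is not from the original post: a POSIX shell script that reads the current values back with ldapsearch and only sends the add when the DN is missing, so re-runs do not hit return code 20 and further DNs can be appended to the multi-valued attribute later. It assumes the OpenLDAP client tools, a bind password kept in a file and passed with -y instead of -w on the command line, and constructed dc=example,dc=com DNs.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently ensure a DN is
# listed in passSyncManagersDNs: re-runs no longer fail with rc 20, and
# further managers can be appended to the multi-valued attribute later.
# Assumes the OpenLDAP client tools and a constructed dc=example,dc=com tree.
set -eu

PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
# Bind password read from a file (-y) so it never appears on the command line.
PASS_FILE="${PASS_FILE:-/root/.dm_password}"

# Constructed sample of what the ldapsearch below prints, for offline checks.
SAMPLE_SEARCH='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com'

# Print each passSyncManagersDNs value from ldapsearch -LLL output on stdin.
parse_managers() {
    sed -n 's/^passSyncManagersDNs: //p'
}

# Exit 0 if the DN in $1 is already listed in the output on stdin, else 1.
has_manager() {
    parse_managers | grep -Fxq -- "$1"
}

# Emit the LDIF that appends $1 as one more value of the attribute.
add_manager_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PLUGIN_DN" "$1"
}

# Read the live attribute and only send the modify when the DN is missing.
ensure_manager() {
    if ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
            -b "$PLUGIN_DN" -s base passSyncManagersDNs | has_manager "$1"; then
        echo "already a password sync manager: $1"
    else
        add_manager_ldif "$1" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE"
    fi
}

# Usage: ./pwsync-manager.sh 'uid=pwsync,cn=users,cn=accounts,dc=example,dc=com'
if [ $# -gt 0 ]; then
    ensure_manager "$1"
fi
```

Because the script checks before it writes, it can replace both the ignore_errors step and the follow-up fail task in the Ansible flow above.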
