The current text is wrong and misleading. Can we expedite trickling this
change all the way down to all downstream documentation
(i.e. Fedora official user guides)?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From f24531982ae99cd53fede49cdfaa9b87459162f4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 6 Dec 2013 11:29:02 -0500
Subject: [PATCH] Fix password sync managers paragraph

The explanation was wrong and misleading. Fixed the text to explain what this
feature actually does.

Change the example to make it clear you list synchronization agents here, not
real users, in the normal case.
---
 src/user_guide/en-US/ActiveDirectory.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/user_guide/en-US/ActiveDirectory.xml b/src/user_guide/en-US/ActiveDirectory.xml
index 1054e4d114268e58f62131b0893c0a99a11162f0..7af5798ada49a23c33e352f629918f2effcda0d5 100644
--- a/src/user_guide/en-US/ActiveDirectory.xml
+++ b/src/user_guide/en-US/ActiveDirectory.xml
@@ -1432,10 +1432,10 @@ certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt</
 	</section>
 			<section id="password-sync"><title>Exempting &AD; Users from Password Synchronization</title>
 		<para>
-			The passwords in password change operations are still subject to the password policy settings, such as password expiration times. For example, in &IPA; every
-			password change requires an immediate password reset.
-			While normal user passwords need to be subject to password policies, administrative passwords should be exempt from any password rules.
-			A list of user DNs can be set in the password synchronization configuration that are exempted from the password policy.
+                        In order to sync password a synchronization agent should be given enough privileges to bypass normal access control.
+                        The synchronization user also needs to be able to avoid the default rule that requires users to change their password if a different entity change it.
+                        The password plugin can be instructed to treat some users as Password Synchronization Managers.
+                        These users can change any other user password withouth triggering password complexity checks.
 		</para>
 		<note><title>NOTE</title>
 			<para>
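Review bot: The added paragraph in the password-sync section has wording errors that would reach the published guide: "In order to sync password" should read "passwords", "if a different entity change it" should read "changes it", and "withouth" should be "without". The four added lines are indented with spaces while the surrounding context lines use tabs, so please match the file's indentation. The section title still reads "Exempting &AD; Users from Password Synchronization", which no longer matches a paragraph about Password Synchronization Managers; consider retitling it. Since entries in this list can change any other user's password without complexity checks, it is also worth stating in the paragraph that only dedicated synchronization agents should be listed.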
@@ -1450,7 +1450,7 @@ certutil.exe -d . -A -n "IPASERVER.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt</
 dn: cn=ipa_pwd_extop,cn=plugins,cn=config
 changetype: modify
 add: passSyncManagersDNs
-passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com</screen>
+passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com</screen>
 	</section>
 	</section>
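Review bot: The example at the passSyncManagersDNs line now uses uid=passsync,cn=sysaccounts,cn=etc, but nothing visible tells the reader that this DN has to match the account the synchronization agent actually binds as. Add a sentence next to the example saying so. Readers who followed the previous example will have uid=admin in this attribute, so a short note on removing that value would help keep an ordinary administrative user out of the list.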
 
-- 
1.8.4.2
