[Freeipa-devel] [PATCH] 88 Reword description of the --passsync option of ipa-replica-manage
Rob Crittenden
rcritten at redhat.com
Thu Nov 1 18:25:47 UTC 2012
Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3208>.
>
> There are two typos, PasSync with only 2 s's.
>
> I think there should be a separate section on PassSync explaining what
> the service is and passwords are modified. There is some information on
> this in the ticket. It doesn't need to be very long.
>
> rob
I had something like this in mind:
diff --git a/install/tools/man/ipa-replica-manage.1
b/install/tools/man/ipa-repl
ica-manage.1
index b1704c0..4e4bfa9 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -176,6 +176,10 @@ Create a winsync replication agreement:
.TP
Remove a winsync replication agreement:
# ipa\-replica\-manage disconnect windows.ad.example.com
+.SH "PASSSYNC"
+PassSync is a Windows service that runs on AD Domain Controllers to
intercept password changes. It sends these password changes to the IPA
LDAP server over TLS. These password changes bypass normal IPA password
policy settings and the password is not set to immediately expire. This
is because by the time IPA receives the password change it has already
been accepted by AD so it is too late to reject it.
+.TP
+IPA maintains a list of DNs that are excempt from password policy. A
special us
er is added automatically when a winsync replication agreement is
created. The DN of this user is added to the excemption list stored in
passSyncManagersDNs in tne entry cn=ipa_pwd_extop,cn=plugins,cn=config.
.SH "EXIT STATUS"
0 if the command was successful
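Review bot: The `.TP` before the second added paragraph ("IPA maintains a list of DNs ...") will be taken by man as the start of a tagged paragraph, so the whole paragraph becomes the tag line and nothing follows it as the body before `.SH "EXIT STATUS"`; a plain paragraph break (`.PP`) fits better here. The added text also has three spelling errors to fix before commit: "excempt" should be "exempt", "excemption" should be "exemption", and "tne entry" should be "the entry". The first paragraph says the changes are sent "over TLS" and bypass password policy; it would help to say in the same section that the exemption applies only to the DNs listed in passSyncManagersDNs, so an administrator reading the man page knows which entry to audit.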