[Fedora-directory-users] AD Password Sync Question
Rich Megginson
rmeggins at redhat.com
Fri Dec 12 18:41:24 UTC 2008
Christopher Barry wrote:
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
>> Of Rich Megginson
>> Sent: Friday, December 12, 2008 1:11 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] AD Password Sync Question
>>
>> Christopher Barry wrote:
>>> Greetings,
>>>
>>> After reading chapter 19 of the RH docs about AD integration, I have
>>> a question regarding the 'lifetime' and locality of the plaintext
>>> password, and how this actually gets captured and sync'd.
>>>
>>> In a multi-site AD Enterprise, with a lot of DCs, would the password
>>> sync service need to run on every DC,
>> Yes.
>>
>>> with a partnership to the one master Directory Server?
>> Yes, that's the best way. You can point passsync at any master
>> anywhere, as long as you are prepared to deal with latency issues
>> (e.g. if you add a user then immediately change the password, you may
>> have to wait for that new user to show up on your local replica first).
>>
>>> I'm wondering how if a user in Texas changes their password, it gets
>>> placed into the Directory Server Master in Pennsylvania.
>> The DS MMR protocol will update the password on all other DS servers.
>>
>>> Thanks,
>>> -C
>>>
>
> Thanks Rich for your quick response.
> I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS.
>
Yes.
> Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?
>
Yes.
> Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?
>
There is no limit per se - but we have only done extensive testing with
4 masters. The protocol will support many thousands of masters.
> Thanks a lot,
> -C
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
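The advice above is that PassSync must run on every writable DC and that each instance may point at whichever Directory Server master is closest. An added example (not from the list post or from the Directory Server project) that inventories a forest to confirm that: it lists every writable DC, reads the PassSync target on each, and flags DCs that have no PassSync, a stopped service, or an unreachable master, since password changes processed on such a DC never reach Directory Server. The registry path `HKLM:\SOFTWARE\PasswordSync` with `Host`/`Port` values and the service name `PassSync` are assumptions about the PassSync install; adjust them to match yours.

```powershell
# Added example, not part of the original post or of PassSync itself.
# Assumptions: PassSync keeps its target in HKLM:\SOFTWARE\PasswordSync
# ("Host" and "Port" values) and runs as the Windows service "PassSync".
# Needs the ActiveDirectory module and PowerShell remoting to each DC.

Import-Module ActiveDirectory

# Every writable DC in every domain of the forest. Read-only DCs forward
# password changes to a writable DC, so they do not need PassSync.
$dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $_ }

$report = foreach ($dc in $dcs) {
    try {
        $row = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\PasswordSync' -ErrorAction SilentlyContinue
            $svc = Get-Service -Name 'PassSync' -ErrorAction SilentlyContinue
            $reachable = $false
            if ($cfg -and $cfg.Host) {
                # Confirm the DC can actually open the LDAP port on its chosen master.
                $reachable = Test-NetConnection -ComputerName $cfg.Host -Port ([int]$cfg.Port) -InformationLevel Quiet
            }
            [pscustomobject]@{
                DC        = $env:COMPUTERNAME
                Installed = [bool]$cfg
                Service   = if ($svc) { [string]$svc.Status } else { 'missing' }
                DSHost    = if ($cfg) { $cfg.Host } else { $null }
                DSPort    = if ($cfg) { $cfg.Port } else { $null }
                Reachable = $reachable
            }
        }
        # Record the AD site so you can see which DCs point at a master in another site.
        $row | Add-Member -NotePropertyName Site -NotePropertyValue $dc.Site -PassThru
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; Installed = $false
            Service = 'unreachable'; DSHost = $null; DSPort = $null; Reachable = $false
        }
    }
}

# Full topology: one line per DC, grouped by site, showing which master it syncs to.
$report | Sort-Object Site, DC | Format-Table Site, DC, Installed, Service, DSHost, DSPort, Reachable -AutoSize

# Gaps: any DC here will accept password changes that Directory Server never sees.
$gaps = $report | Where-Object { -not $_.Installed -or $_.Service -ne 'Running' -or -not $_.Reachable }
if ($gaps) {
    Write-Warning "DCs without a working PassSync path:"
    $gaps | Format-Table Site, DC, Service, DSHost -AutoSize
}
```

Run it from a workstation with forest-wide read rights and remoting to the DCs; the second table is the one to act on, and the `Site`/`DSHost` columns in the first make it easy to spot a DC that has been pointed at a master across a WAN link rather than its local one.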