[Freeipa-users] quick question regarding AD <--> FreeIPA password sync ...
Rob Crittenden
rcritten at redhat.com
Thu Jul 2 19:44:12 UTC 2009
Kambiz Aghaiepour wrote:
> Looking at :
>
> http://www.freeipa.org/page/PasswordSynchronization
>
> It's not clear to me what is meant by:
> "Just assign an identity and password to the remote synchronization
> agent and list this identity in the passSyncManagersDNs attribute. "
>
> Is it possible to have a sample configuration described in greater
> detail? Do I go through "add user"? or "add service principal" in the
> web ui?
The user for this is created by ipa-replica-manage when you create an AD
sync agreement. You can get the details on this user in
ipaserver/install/replication.py the function add_passsync_user()
What this page is trying to say is that we don't want password policy
applied to any passwords that might be coming in from AD (including
requiring a password reset). There is a list of DNs stored in the IPA
password policy config entry of users who can change passwords outside
of policy. This user gets added to that automatically (also in this
function).
>
> Also, during the installation of the WinSync agent on AD, the username
> and password I presume are the same as the remote sync agent described
> above, correct? What values are needed for "Cert Token" and "Search Base"?
Been a while since I did AD replication but I believe that Cert Token is
the password for the NSS database on the AD side and IIRC Search Base is
where entries are found in the IPA server (dc=example,dc=com).
rob
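A way to check the list Rob describes on the IPA side, as an added example that is not from this thread or the FreeIPA project: it parses an `ldapsearch -LLL` LDIF dump of the plugin config entry and reports which DNs are listed in `passSyncManagersDNs` versus the ones you expect. The entry DN `cn=ipa_pwd_extop,cn=plugins,cn=config`, the `uid=passsync,cn=sysaccounts,cn=etc,...` user DN and the sample dump itself are assumptions about a typical FreeIPA layout, not values stated in the mail.

```python
import base64

# Constructed sample LDIF (assumed entry DN and attribute layout), as
# `ldapsearch -LLL -b cn=ipa_pwd_extop,cn=plugins,cn=config` might print it.
# The second value is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,
 dc=example,dc=com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.

    Handles folded continuation lines (leading space) and base64
    values written as `attr:: <base64>`; comment lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # `attr:: base64value`
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def normalize_dn(dn):
    """Loose DN normalization: lowercase, no whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_passsync_managers(ldif_text, expected_dns):
    """Return (missing, unexpected) DN lists.

    Every DN in passSyncManagersDNs may set passwords that bypass IPA
    password policy, so anything not in the expected set deserves review."""
    entry = parse_ldif_entry(ldif_text)
    listed = {normalize_dn(v) for v in entry.get("passsyncmanagersdns", [])}
    expected = {normalize_dn(d) for d in expected_dns}
    return sorted(expected - listed), sorted(listed - expected)
```

Feed it the real dump from your server and the DN that `ipa-replica-manage` created; a non-empty `unexpected` list means someone other than the sync agent has been granted policy-exempt password changes.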