[Freeipa-users] Re: question about password sync ...

Kambiz Aghaiepour kambiz at mcnc.org
Mon Sep 21 17:07:18 UTC 2009


Rich Megginson wrote:
>>
>> I have setup cross-realm trust between AD and the Kerberos KDC component
>> of FreeIPA (1.2.1).  What I'd like to do is to setup a one-way password
>> sync going from FreeIPA -> AD.  Windows users always select the Kerberos
>> Realm (of FreeIPA) when logging into machines joined to the AD domain.
>> However, for various reasons it would be nice to have the AD password in
>> sync with the FreeIPA password.  Since users will always be
>> authenticating against FreeIPA, is it possible to setup a one-way
>> password sync such that when passwords are changed in FreeIPA, the new
>> password is propagated to the AD domain controller(s)?  And if so, can
>> this be done without installing the PassSync.msi on each of the domain
>> controllers?
> Yes.  Since you only want to sync passwords one way, from IPA to AD, you
> do not need PassSync.msi
>> (I want to ensure that the password expirations are in
>> sync; that's the only thing I actually care about, since as far as the
>> users are concerned, their AD passwords can be taken away from them and
>> made into sufficiently complex random strings, and expirations on AD
>> turned off; but I doubt I can convince others to go along with that
>> approach).
>>   
> IPA winsync will not sync password expiration.  IPA winsync will sync
> account disable/enable.
>> Kambiz

Hmmm ... so what is the correct method of syncing password expiration?

-- 
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent."  --Thomas Jefferson
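Since winsync propagates the password but not its expiration, the practical fallback is to detect when the two sides drift apart. The script below is an added example, not code from this thread or from FreeIPA: it takes IPA user entries (the real `krbPasswordExpiration` attribute, LDAP GeneralizedTime) and AD entries (the real `pwdLastSet` FILETIME plus the domain's `maxPwdAge`), derives the AD expiry, and reports users whose expirations disagree. The dict shape of the entries is an assumption (as if fetched with `ldapsearch` and flattened), and all user data and the 90-day policy are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge value meaning "never expires"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def ad_password_expiry(pwd_last_set: int, max_pwd_age: int):
    """Expiry implied by AD: pwdLastSet + domain maxPwdAge.

    Returns None when the password never expires (maxPwdAge 0 or the
    'never' sentinel) or when pwdLastSet is 0 (must change at next logon).
    """
    if pwd_last_set == 0 or max_pwd_age in (0, AD_NEVER_EXPIRES):
        return None
    # maxPwdAge is stored as a negative count of 100 ns ticks
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)


def parse_generalized_time(value: str) -> datetime:
    """IPA stores krbPasswordExpiration as LDAP GeneralizedTime, e.g. 20091220170718Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_expiry_drift(ipa_entries, ad_entries, max_pwd_age, tolerance=timedelta(minutes=5)):
    """Return {uid: reason} for users whose IPA and AD password expirations disagree."""
    ad_by_name = {e["sAMAccountName"]: e for e in ad_entries}
    drift = {}
    for entry in ipa_entries:
        uid = entry["uid"]
        ad = ad_by_name.get(uid)
        if ad is None:
            drift[uid] = "account missing in AD"
            continue
        ipa_exp = parse_generalized_time(entry["krbPasswordExpiration"])
        ad_exp = ad_password_expiry(int(ad["pwdLastSet"]), max_pwd_age)
        if ad_exp is None:
            drift[uid] = "AD password has no expiry or must be changed at next logon"
        elif abs(ad_exp - ipa_exp) > tolerance:
            drift[uid] = (f"AD expires {ad_exp:%Y-%m-%d %H:%M:%S}, "
                          f"IPA expires {ipa_exp:%Y-%m-%d %H:%M:%S}")
    return drift


# --- constructed sample data (assumed 90-day domain policy, three users) ---
MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000  # AD stores maxPwdAge negative, in 100 ns ticks
CHANGED_AT = datetime(2009, 9, 21, 17, 7, 18, tzinfo=timezone.utc)

IPA_USERS = [
    {"uid": "alice", "krbPasswordExpiration": "20091220170718Z"},  # 90 days after CHANGED_AT
    {"uid": "bob",   "krbPasswordExpiration": "20091101120000Z"},  # IPA expires well before AD
    {"uid": "carol", "krbPasswordExpiration": "20091220170718Z"},
]
AD_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(CHANGED_AT)},
    {"sAMAccountName": "bob",   "pwdLastSet": datetime_to_filetime(CHANGED_AT)},
    {"sAMAccountName": "carol", "pwdLastSet": 0},  # must change at next logon
]

if __name__ == "__main__":
    for uid, reason in find_expiry_drift(IPA_USERS, AD_USERS, MAX_PWD_AGE).items():
        print(f"{uid}: {reason}")
```

Run against live data, the entries would come from an `ldapsearch` of each directory; the 5-minute tolerance absorbs clock skew between the IPA server and the domain controller, and `pwdLastSet == 0` is reported separately because a forced change at next logon is a different condition from a plain mismatch.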
