[Freeipa-users] Re: question about password sync ...
Rich Megginson
rmeggins at redhat.com
Mon Sep 21 17:17:05 UTC 2009
Kambiz Aghaiepour wrote:
> Rich Megginson wrote:
>
>>> I have set up a cross-realm trust between AD and the Kerberos KDC component
>>> of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password
>>> sync going from FreeIPA -> AD. Windows users always select the Kerberos
>>> Realm (of FreeIPA) when logging into machines joined to the AD domain.
>>> However, for various reasons it would be nice to have the AD password in
>>> sync with the FreeIPA password. Since users will always be
>>> authenticating against FreeIPA, is it possible to set up a one-way
>>> password sync such that when passwords are changed in FreeIPA, the new
>>> password is propagated to the AD domain controller(s)? And if so, can
>>> this be done without installing the PassSync.msi on each of the domain
>>> controllers?
>>>
>> Yes. Since you only want to sync passwords one way, from IPA to AD, you
>> do not need PassSync.msi
>>
>>> (I want to ensure that the password expirations are in
>>> sync; that's the only thing I actually care about, since as far as the
>>> users are concerned, their AD passwords can be taken away from them and
>>> made into sufficiently complex random strings, and expirations on AD
>>> turned off; but I doubt I can convince others to go along with that
>>> approach).
>>>
>>>
>> IPA winsync will not sync password expiration. IPA winsync will sync
>> account disable/enable.
>>
>>> Kambiz
>>>
>
> Hmmm ... so what is the correct method of syncing password expiration?
>
You'll have to have some sort of external agent that polls the directory
looking for expired passwords, then expires them in AD. I don't know of
such a tool.
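An added example (not from the thread, and not a FreeIPA or winsync tool) of the core of the external agent described above: given FreeIPA search results, it selects the entries whose password expiry has passed and builds the AD modification an agent would apply. It assumes FreeIPA exposes the expiry in the krbPasswordExpiration attribute as LDAP GeneralizedTime, and that AD treats pwdLastSet=0 as "must change password at next logon"; the LDAP bind, search and modify calls are left to the caller.

```python
"""Polling-agent core: find FreeIPA users whose password has expired and
prepare the AD change that expires them there too.

Assumptions (not stated in the thread):
  * FreeIPA entries carry krbPasswordExpiration as GeneralizedTime
    ("YYYYmmddHHMMSSZ", UTC).
  * Setting pwdLastSet to 0 on the AD user object forces a password change
    at next logon, which is how "expire in AD" is realised here.
"""
from datetime import datetime, timezone

# Constructed sample search results (uid -> attribute lists), not real data.
SAMPLE_IPA_ENTRIES = [
    {"uid": ["alice"], "krbPasswordExpiration": ["20090901120000Z"]},  # past
    {"uid": ["bob"], "krbPasswordExpiration": ["20090921171705Z"]},    # == NOW
    {"uid": ["carol"]},                                                # no expiry
    {"uid": ["dave"], "krbPasswordExpiration": ["20091231235959Z"]},   # future
]
NOW = datetime(2009, 9, 21, 17, 17, 5, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as '20091021171705Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_expired(entries, now):
    """Return uids whose krbPasswordExpiration is at or before `now`.

    Entries without the attribute have no expiry to enforce and are skipped,
    so the agent never expires an AD account the IPA side did not expire.
    """
    expired = []
    for entry in entries:
        exp = entry.get("krbPasswordExpiration")
        if exp and parse_generalized_time(exp[0]) <= now:
            expired.append(entry["uid"][0])
    return expired


def ad_expire_modlist():
    """Modification for the AD object; with python-ldap the tag would be ldap.MOD_REPLACE."""
    return [("replace", "pwdLastSet", ["0"])]


def plan_ad_updates(entries, now):
    """Map each expired IPA uid (matched to AD by sAMAccountName) to its modlist."""
    return [(uid, ad_expire_modlist()) for uid in find_expired(entries, now)]


if __name__ == "__main__":
    for uid, mods in plan_ad_updates(SAMPLE_IPA_ENTRIES, NOW):
        print(f"sAMAccountName={uid}: {mods}")
```

Re-applying pwdLastSet=0 on a later poll is harmless, so the agent needs no state between runs; a user who is already flagged simply stays flagged until they change their password.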