[Freeipa-users] EXTERNAL: Re: Active Directory --> IPA Password Sync

Rob Crittenden rcritten at redhat.com
Fri Apr 5 15:18:05 UTC 2013


Joseph, Matthew (EXP) wrote:
> Thank you very much for that. Works like a charm.
>
> How does this work though? You set up the winsync agreement between your
> IPA Server and AD server using the hostname.
>
> How does IPA know that it can trust a second DC?

Via the passsync user that you configure on the Windows side. It 
authenticates as this user and 389-ds accepts the password change.

rob

>
> Matt
>
> *From:* freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Dmitri Pal
> *Sent:* Friday, April 05, 2013 11:56 AM
> *To:* freeipa-users at redhat.com
> *Subject:* EXTERNAL: Re: [Freeipa-users] Active Directory --> IPA
> Password Sync
>
> On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I imagine this is a common issue/question when trying to implement the
> password sync between AD and IPA.
>
> We have two Windows 2003 domain controllers (for redundancy) so when a
> user issues a password change on the Windows side there is no primary
> domain controller that it will always use for password changes.
>
> So right now IPA is only getting 50% of the Password changes that are
> done through Windows due to password changes going through both domain
> controllers.
>
> Looking through the documentation IPA will only allow a password sync
> agreement between 1 AD and 1 IPA server.
>
> Is there a solution for this issue? How are people getting around this?
>
>
> One winsync agreement but passsync should be installed on both DCs.
>
> Thanks,
>
>
> Matt
>
>
>
>
> --
>
> Thank you,
>
> Dmitri Pal
>
>
>
> Sr. Engineering Manager for IdM portfolio
>
> Red Hat Inc.
>
>
>
>
>



