[Freeipa-users] AD-IPA sync from multiple AD controllers

Rob Crittenden rcritten at redhat.com
Tue Apr 22 14:57:45 UTC 2014


Dave Jones wrote:
> Hi,
>
> According to the IPA 3.0 Identity Management Guide chapter 15.1:
>
>    "Synchronization can only be configured with one Active Directory domain
> controller. However, it is possible to have a list of failover Active
> Directory domain controllers."
>
> Later on, chapter 15.6 'Managing Password Synchronisation' states that the
> "Password Sync Service must be installed on each Active Directory domain
> controller."
>
> Do we need multiple AD-IPA replication agreements when there are multiple
> AD controllers in an AD domain?

No. You need the passsync service installed on all controllers because 
there is no way of knowing where a user will change their password. This 
service captures the cleartext password and sends it, over SSL, to the 
IPA server so we can store it. We need the cleartext password because we 
can't use the AD password hash directly.

rob
