[Freeipa-users] AD-IPA sync from multiple AD controllers

Dave Jones Dave.Jones at spilgames.com
Wed Apr 23 07:52:40 UTC 2014


Thanks for the clarification Rob, you confirmed what I already thought.



On 22/04/14 16:57, "Rob Crittenden" <rcritten at redhat.com> wrote:

>Dave Jones wrote:
>> Hi,
>>
>> According to the IPA 3.0 Identity Management Guide chapter 15.1:
>>
>>    "Synchronization can only be configured with one Active Directory
>> domain controller. However, it is possible to have a list of failover
>> Active Directory domain controllers."
>>
>> Later on, chapter 15.6 'Managing Password Synchronisation' states that
>> the "Password Sync Service must be installed on each Active Directory
>> domain controller."
>>
>> Do we need multiple AD-IPA replication agreements when there are
>> multiple AD controllers in an AD domain?
>
>No. You need the passsync service installed on all controllers because
>there is no way of knowing where a user will change their password. This
>service captures the cleartext password and sends it, over SSL, to the
>IPA server so we can store it. We need the cleartext password because we
>can't use the AD password hash directly.
>
>rob
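
The reason the cleartext has to travel at all, illustrated with an added example that is not code from FreeIPA, 389-ds or the PassSync service: Active Directory keeps a password as an unsalted NT hash (MD4 over the UTF-16LE password), whereas a Kerberos KDC such as IPA's derives its AES keys from the password plus a realm-specific salt (RFC 3962). Neither value can be computed from the other, so the only thing a DC can hand to IPA that lets IPA build its own keys is the password itself. The realm and principal names used below (IPA.EXAMPLE.COM, OTHER.EXAMPLE.COM, dave, Secret123) are made-up sample inputs, not values from this thread; the MD4 routine is written out because hashlib's md4 is often disabled on OpenSSL 3 builds.

```python
"""Why PassSync has to ship the cleartext: AD's NT hash vs. IPA's Kerberos key input.

Illustrative code added to this thread; not FreeIPA, 389-ds or PassSync code.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here because hashlib.new('md4') is
    frequently unavailable under OpenSSL 3 without the legacy provider."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (hh, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c  # rotate the working registers
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """What AD stores in unicodePwd: MD4 over the UTF-16LE password, with no salt,
    so it is the same value in every domain and for every user with that password."""
    return md4(password.encode("utf-16-le"))


def krb5_default_salt(realm: str, principal: str) -> str:
    """Default Kerberos salt: realm name followed by the principal's name components
    (the '/' separators are dropped)."""
    return realm + "".join(principal.split("/"))


def krb5_aes_pbkdf2(password: str, salt: str, iterations: int = 4096, key_len: int = 32) -> bytes:
    """First step of the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1(password, salt).  The finished key is DK(this, "kerberos"),
    an extra AES-based step omitted here; it does not change the point that the
    salt, and hence the cleartext password, is a required input."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def compare_stores(password: str, realm: str, principal: str) -> dict:
    """What each side would hold for one user.  Realm and principal are constructed
    sample inputs for this illustration."""
    salt = krb5_default_salt(realm, principal)
    return {
        "ad_nt_hash": nt_hash(password).hex(),
        "ipa_salt": salt,
        "ipa_pbkdf2": krb5_aes_pbkdf2(password, salt).hex(),
    }


if __name__ == "__main__":
    # Same password, two realms: the AD hash is identical, the IPA key input is not,
    # and nothing in the AD hash lets you recover what IPA needs.
    for realm in ("IPA.EXAMPLE.COM", "OTHER.EXAMPLE.COM"):
        print(compare_stores("Secret123", realm, "dave"))
```

Running it prints the same unsalted NT hash for both realms and two different PBKDF2 outputs; that asymmetry is the whole reason the Password Sync Service has to sit where the password is still in cleartext, i.e. on every DC that might process the change, and why the hop to IPA is wrapped in SSL.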
