[Freeipa-users] AD-IPA sync from multiple AD controllers

Petr Spacek pspacek at redhat.com
Wed Apr 23 08:55:45 UTC 2014


On 23.4.2014 09:52, Dave Jones wrote:
> Thanks for the clarification Rob, you confirmed what I already thought.

Dave, it would be great if you could rephrase the problematic paragraphs in the docs 
to make them understandable.

If you can spend a few minutes on it, please see
http://www.freeipa.org/page/Contribute/Documentation

Thanks!

Petr^2 Spacek

> On 22/04/14 16:57, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>> Dave Jones wrote:
>>> Hi,
>>>
>>> According to the IPA 3.0 Identity Management Guide chapter 15.1:
>>>
>>>     "Synchronization can only be configured with one Active Directory
>>> domain
>>> controller. However, it is possible to have a list of failover Active
>>> Directory domain controllers."
>>>
>>> Later on, chapter 15.6 'Managing Password Synchronisation' states that
>>> the
>>> "Password Sync Service must be installed on each Active Directory domain
>>> controller."
>>>
>>> Do we need multiple AD-IPA replication agreements when there are
>>> multiple
>>> AD controllers in an AD domain?
>>
>> No. You need the PassSync service installed on all controllers because
>> there is no way of knowing where a user will change their password. This
>> service captures the cleartext password and sends it, over SSL, to the
>> IPA server so we can store it. We need the cleartext password because we
>> can't use the AD password hash directly.