[Freeipa-users] Forcing passync to periodically sync passwords

Alexander Bokovoy abokovoy at redhat.com
Tue May 24 17:50:29 UTC 2016


On Tue, 24 May 2016, pgb205 wrote:
>Alexander, thank you for such a quick reply.
>The reason I'm looking at this is that I want to synchronize from AD to
>several FIPA domains, but as you mention it's only a 1-1 passync option.
>This results in my not being able to synchronize passwords to the second
>IdM domain. Other options I've considered are:
>
>1. Run multiple instances of passsync on each DC. Both will intercept the
>password change but will send it to different IPA replicas in different
>FreeIPA domains. From this link it doesn't seem to be possible however:
>#48174 (RFE: Support for running multiple instances of the PassSync
>service) – 389 Project
>
>2. Backing up/copying the FreeIPA database that does have user/pass to the
>second IdM domain. This is not something I'm looking to do, but if there
>is no other way I'd be willing to consider somehow grabbing files from
>ipa-repplica.domain.com and moving them to ipa-server.example.net. Is this a
>route that's even worth looking into? Any other options that you are
>aware of to make this setup possible?
>
>    1 AD -> FIPA1.com
>         -> FIPA2.com
>
>with password replication to both?
I don't think it is possible to achieve what you want this way.

Why can't you go with a cross-forest trust? It doesn't need any
replication as passwords will always be authenticated by AD. AD can have
multiple forest trusts established so there is no problem with
FIPA1.com, FIPA2.com, ..., FIPAN.com.



-- 
/ Alexander Bokovoy



