Rob Crittenden wrote:
Jan Cholasta wrote:

this patch fixes <>.

There are two typos, PasSync with only 2 s's.

I think there should be a separate section on PassSync explaining what
the service is and passwords are modified. There is some information on
this in the ticket. It doesn't need to be very long.


I had something like this in mind:

diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-repl
index b1704c0..4e4bfa9 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -176,6 +176,10 @@ Create a winsync replication agreement:
 Remove a winsync replication agreement:
  # ipa\-replica\-manage disconnect
+PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it.
+IPA maintains a list of DNs that are excempt from password policy. A special us er is added automatically when a winsync replication agreement is created. The DN of this user is added to the excemption list stored in passSyncManagersDNs in tne entry cn=ipa_pwd_extop,cn=plugins,cn=config.
 0 if the command was successful
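Review bot: The two added paragraphs contain typos that would ship in the man page: "excempt" and "excemption" should be "exempt" and "exemption", "us er" should be "user", and "tne entry" should be "the entry". The first paragraph states that PassSync changes bypass IPA password policy and the second that every DN in passSyncManagersDNs is exempt, so consider adding one sentence telling administrators that any DN added to that list gets the same bypass and that the list should be limited to the sync account. In the lines visible here the new text sits directly between the disconnect example and the exit-status line with no heading of its own; if a PassSync section heading is not already part of the patch, add one so the text does not read as part of the examples.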

Freeipa-devel mailing list
