Rich Megginson wrote:
>> I have setup cross-realm trust between AD and the Kerberos KDC component
>> of FreeIPA (1.2.1).  What I'd like to do is to setup a one-way password
>> sync going from FreeIPA -> AD.  Windows users always select the Kerberos
>> Realm (of FreeIPA) when logging into machines joined to the AD domain.
>> However, for various reasons it would be nice to have the AD password in
>> sync with the FreeIPA password.  Since users will always be
>> authenticating against FreeIPA, is it possible to setup a one-way
>> password sync such that when passwords are changed in FreeIPA, the new
>> password is propagated to the AD domain controller(s)?  And if so, can
>> this be done without installing the PassSync.msi on each of the domain
>> controllers?
> Yes.  Since you only want to sync passwords one way, from IPA to AD, you
> do not need PassSync.msi
>> (I want to ensure that the password expirations are in
>> sync; that's the only thing I actually care about, since as far as the
>> users are concerned, their AD passwords can be taken away from them and
>> made into sufficiently complex random strings, and expirations on AD
>> turned off; but I doubt I can convince others to go along with that
>> approach).
> IPA winsync will not sync password expiration.  IPA winsync will sync
> account disable/enable.
>> Kambiz
> ------------------------------------------------------------------------
> _______________________________________________
> Freeipa-users mailing list

Hmmm ... so what is the correct method of syncing password expiration ?

"All tyranny needs to gain a foothold is for people of
good conscience to remain silent."  --Thomas Jefferson

Freeipa-users mailing list

Reply via email to