Kambiz Aghaiepour wrote:
You'll have to have some sort of external agent that polls the directory looking for expired passwords, then expires them in AD. I don't know of such a tool.Rich Megginson wrote:I have setup cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to setup a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to setup a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msi(I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach).IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.Kambiz------------------------------------------------------------------------_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-usersHmmm ... so what is the correct method of syncing password expiration ?
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users