On 08/27/2013 10:05 AM, Rob Crittenden wrote:
> Jessie Floyd wrote:
>> I've been working on a project where I have multiple IPA domains which
>> can't be connected due to scope and purpose of each domain.  Ideally I
>> would like to replicte a single user's password from a core domain
>> server to a satellite ipa domain.  I've learned that the password hash
>> is not a traditional hash and cant be replicated without some additional
>> work.  My primary site is a multi-master and the satellite site has its
>> own multi-master configuration. As an example I have an intranet server
>> which hosts multiple users and a DMZ domain where a limited set of
>> admins work.  How can I replicate an intranet user  from the inside to
>> the DMZ? Any pointers or ideas would be helpful.
>
> I'm not entirely clear what it is you want/need to do.
>
> Do you want to set up some sort of fractional replication that
> replicates only passwords, and the raw hashes at that? That would do
> you no good when it comes to Kerberos.
>
> rob
>

You would need to intercept password change operation in KDC and DS of
one domain then connect to other domain and do password update operation
there.
Sort of passync by not from AD to IPA but rather from IPA to IPA.

But may be it would be easier to not replicate password hashes from the
central domain to the DMZ domains but rather use Kerberos to Kerberos
trusts and set them manually?
If the initial authentication to acquire TGT always happens in the
internal domain that might fly.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to