Dave Jones wrote:

According to the IPA 3.0 Identity Management Guide chapter 15.1:

   "Synchronization can only be configured with one Active Directory domain
controller. However, it is possible to have a list of failover Active
Directory domain controllers.²

Later on, chapter 15.6 ŒManaging Password Synchronisation¹ states that the
"Password Sync Service must be installed on each Active Directory domain

Do we need multiple AD-IPA replication agreements when there are multiple
AD controllers in an AD domain?

No. You need the passsync service installed on all controllers because there is no way of knowing where a user will change their password. This service captures the cleartext password and sends it, over SSL, to the IPA server so we can store it. We need the cleartext password because we can't use the AD password hash directly.


Freeipa-users mailing list

Reply via email to