Dave Jones wrote:
According to the IPA 3.0 Identity Management Guide chapter 15.1:
"Synchronization can only be configured with one Active Directory domain
controller. However, it is possible to have a list of failover Active
Directory domain controllers.²
Later on, chapter 15.6 ŒManaging Password Synchronisation¹ states that the
"Password Sync Service must be installed on each Active Directory domain
Do we need multiple AD-IPA replication agreements when there are multiple
AD controllers in an AD domain?
No. You need the passsync service installed on all controllers because
there is no way of knowing where a user will change their password. This
service captures the cleartext password and sends it, over SSL, to the
IPA server so we can store it. We need the cleartext password because we
can't use the AD password hash directly.
Freeipa-users mailing list