Thanks for the clarification Rob, you confirmed what I already thought.
On 22/04/14 16:57, "Rob Crittenden" <rcrit...@redhat.com> wrote:
>Dave Jones wrote:
>> Hi,
>>
>> According to the IPA 3.0 Identity Management Guide chapter 15.1:
>>
>> "Synchronization can only be configured with one Active Directory domain
>> controller. However, it is possible to have a list of failover Active
>> Directory domain controllers."
>>
>> Later on, chapter 15.6 'Managing Password Synchronisation' states that the
>> "Password Sync Service must be installed on each Active Directory domain
>> controller."
>>
>> Do we need multiple AD-IPA replication agreements when there are multiple
>> AD controllers in an AD domain?
>
>No. You need the passsync service installed on all controllers because
>there is no way of knowing where a user will change their password. This
>service captures the cleartext password and sends it, over SSL, to the
>IPA server so we can store it. We need the cleartext password because we
>can't use the AD password hash directly.
>
>rob