Thanks for the clarification Rob, you confirmed what I already thought.

On 22/04/14 16:57, "Rob Crittenden" <> wrote:

>Dave Jones wrote:
>> Hi,
>> According to the IPA 3.0 Identity Management Guide chapter 15.1:
>>    "Synchronization can only be configured with one Active Directory
>> controller. However, it is possible to have a list of failover Active
>> Directory domain controllers.²
>> Later on, chapter 15.6 ŒManaging Password Synchronisation¹ states that
>> "Password Sync Service must be installed on each Active Directory domain
>> controller."
>> Do we need multiple AD-IPA replication agreements when there are
>> AD controllers in an AD domain?
>No. You need the passsync service installed on all controllers because
>there is no way of knowing where a user will change their password. This
>service captures the cleartext password and sends it, over SSL, to the
>IPA server so we can store it. We need the cleartext password because we
>can't use the AD password hash directly.

Freeipa-users mailing list

Reply via email to