On 23.4.2014 09:52, Dave Jones wrote:
Thanks for the clarification Rob, you confirmed what I already thought.

Dave, it would be great if you could rephrase the problematic paragraphs in the docs to make them understandable.

If you can spend a few minutes on it, please see
http://www.freeipa.org/page/Contribute/Documentation

Thanks!

Petr^2 Spacek

On 22/04/14 16:57, "Rob Crittenden" <rcrit...@redhat.com> wrote:

Dave Jones wrote:
Hi,

According to the IPA 3.0 Identity Management Guide chapter 15.1:

    "Synchronization can only be configured with one Active Directory domain
controller. However, it is possible to have a list of failover Active
Directory domain controllers."

Later on, chapter 15.6 'Managing Password Synchronisation' states that the
"Password Sync Service must be installed on each Active Directory domain
controller."

Do we need multiple AD-IPA replication agreements when there are multiple
AD controllers in an AD domain?

No. You need the passsync service installed on all controllers because
there is no way of knowing where a user will change their password. This
service captures the cleartext password and sends it, over SSL, to the
IPA server so we can store it. We need the cleartext password because we
can't use the AD password hash directly.
