On 23.4.2014 09:52, Dave Jones wrote:
Thanks for the clarification Rob, you confirmed what I already thought.

Dave, it would be great if you could rephrase problematic paragraphs in docs to make it understandable.

If you can spend few minutes on it, please see


Petr^2 Spacek

On 22/04/14 16:57, "Rob Crittenden" <rcrit...@redhat.com> wrote:

Dave Jones wrote:

According to the IPA 3.0 Identity Management Guide chapter 15.1:

    "Synchronization can only be configured with one Active Directory
controller. However, it is possible to have a list of failover Active
Directory domain controllers.²

Later on, chapter 15.6 ŒManaging Password Synchronisation¹ states that
"Password Sync Service must be installed on each Active Directory domain

Do we need multiple AD-IPA replication agreements when there are
AD controllers in an AD domain?

No. You need the passsync service installed on all controllers because
there is no way of knowing where a user will change their password. This
service captures the cleartext password and sends it, over SSL, to the
IPA server so we can store it. We need the cleartext password because we
can't use the AD password hash directly.

Freeipa-users mailing list

Reply via email to