Yeah I knew that the passync utility would only communicate with 1 server. I'm not too worried about password sync for our new IdM server until it actually replaces the old server. I just didn't know how Windows would handle having multiple CA certs and if it would get cranky because of it. Last thing I want to do is have users coming to complain about the passwords not syncing.
Thanks for the input guys, I'll give it a shot to see how it goes. Matt -----Original Message----- From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Thursday, July 09, 2015 10:37 AM To: Rob Crittenden; Joseph, Matthew (EXP); freeipa-users@redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync) On 07/09/2015 07:23 AM, Rob Crittenden wrote: > Joseph, Matthew (EXP) wrote: >> Hello, >> >> We are currently in the process of replacing our IdM 3.x server with >> 4.x. >> >> There are going to be some major directory changes during the upgrade so >> I need to keep both the old and new IdM servers up and running >> separately. >> >> Part of our configuration is using the password sync between IdM and >> Active Directory. >> >> I can't find any information on this so I figured I'd ask you guys to >> see if anyone has done this before. >> >> Can I have two CA certificates from 2 IdM servers installed on the >> Active Directory server? And will this cause any issues with our >> password sync? > > I'm not sure if you can do this. The CA is probably the least of your > problems. I don't believe the AD passsync service can be aware of > multiple consumers like this. Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs. > > Rich may know. > > rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
