Alexander, thank you for such a quick reply.
The reason im looking at this is that I want to synchronize from AD to several 
FIPA domains, but as you mention it's only1-1 passync option. This results in 
my not being able to synchronize passwords to second idm domain.
Other options I've considered are:1. Run multiple instances of passsync on each 
DC. Both will intercept password change but will send to different ipa replicas 
in different freeipa domains.
>From this link it doesn't seem to be possible however#48174 (RFE: Support for 
>running multiple instances of the PassSync service) – 389 Project

|   |    |


|   |  
#48174 (RFE: Support for running multiple instances of the PassSync service...
   |   |



2. backing up/copying freeipa database that does have user/pass to second idm 
domainThis is not something I'm looking to do but if there is no other way I'd 
be willing to consider somehow grabbing files from ipa-repplica.domain.comand 
moving to Is this a route that's even worth looking 
into ?
Any other options that you are aware of to make this setup possible. 
password replication to both?

      From: Alexander Bokovoy <>
 To: pgb205 <> 
Cc: Freeipa-users <>
 Sent: Tuesday, May 24, 2016 12:22 PM
 Subject: Re: [Freeipa-users] Forcing passync to periodically sync passwords
On Tue, 24 May 2016, pgb205 wrote:
>Currently passync is only triggered one the domain controller where the
>password change is made.Is there a way to trigger passync to run
>periodically and resend information to freeipa even if there are no
Passsync implements an interface on AD DC side that is activated only
when AD user changes the password. There is no way to access clear text
password at other time.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to