Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread Alexander Bokovoy

On Tue, 24 May 2016, pgb205 wrote:

>Alexander, thank you for such a quick reply.
>The reason I'm looking at this is that I want to synchronize from AD to
>several FIPA domains, but as you mention it's only a 1-1 PassSync option.
>This results in my not being able to synchronize passwords to the second
>IdM domain. Other options I've considered are:
>
>1. Run multiple instances of PassSync on each DC. Both will intercept the
>password change but will send to different IPA replicas in different
>FreeIPA domains. From this link it doesn't seem to be possible, however:
>#48174 (RFE: Support for running multiple instances of the PassSync
>service) – 389 Project
>
>2. Backing up/copying the FreeIPA database that does have user/pass to the
>second IdM domain. This is not something I'm looking to do, but if there
>is no other way I'd be willing to consider somehow grabbing files from
>ipa-repplica.domain.com and moving to ipa-server.example.net. Is this a
>route that's even worth looking into?
>
>Any other options that you are aware of to make this setup possible.
>
>1 AD -> FIPA1.com
>     -> FIPA2.com
>with password replication to both?

I don't think it is possible to achieve what you want this way.

Why can't you go with a cross-forest trust? It doesn't need any
replication as passwords will always be authenticated by AD. AD can have
multiple forest trusts established so there is no problem with
FIPA1.com, FIPA2.com, ..., FIPAN.com.



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread pgb205
Alexander, thank you for such a quick reply.
The reason I'm looking at this is that I want to synchronize from AD to several
FIPA domains, but as you mention it's only a 1-1 PassSync option. This results in
my not being able to synchronize passwords to the second IdM domain.
Other options I've considered are:

1. Run multiple instances of PassSync on each DC. Both will intercept the
password change but will send to different IPA replicas in different FreeIPA
domains.
From this link it doesn't seem to be possible, however: #48174 (RFE: Support for
running multiple instances of the PassSync service) – 389 Project

2. Backing up/copying the FreeIPA database that does have user/pass to the
second IdM domain. This is not something I'm looking to do, but if there is no
other way I'd be willing to consider somehow grabbing files from
ipa-repplica.domain.com and moving to ipa-server.example.net. Is this a route
that's even worth looking into?

Any other options that you are aware of to make this setup possible.

1 AD -> FIPA1.com
     -> FIPA2.com
with password replication to both?

Thanks

  From: Alexander Bokovoy <aboko...@redhat.com>
 To: pgb205 <pgb...@yahoo.com> 
Cc: Freeipa-users <freeipa-users@redhat.com>
 Sent: Tuesday, May 24, 2016 12:22 PM
 Subject: Re: [Freeipa-users] Forcing passync to periodically sync passwords
   
On Tue, 24 May 2016, pgb205 wrote:
>Currently PassSync is only triggered on the domain controller where the
>password change is made. Is there a way to trigger PassSync to run
>periodically and resend information to FreeIPA even if there are no
>changes?
PassSync implements an interface on the AD DC side that is activated only
when an AD user changes the password. There is no way to access the
clear-text password at any other time.


-- 
/ Alexander Bokovoy



Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread Alexander Bokovoy

On Tue, 24 May 2016, pgb205 wrote:

>Currently PassSync is only triggered on the domain controller where the
>password change is made. Is there a way to trigger PassSync to run
>periodically and resend information to FreeIPA even if there are no
>changes?

PassSync implements an interface on the AD DC side that is activated only
when an AD user changes the password. There is no way to access the
clear-text password at any other time.


--
/ Alexander Bokovoy



[Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread pgb205
Currently PassSync is only triggered on the domain controller where the
password change is made. Is there a way to trigger PassSync to run periodically
and resend information to FreeIPA even if there are no changes?