On 08/27/2013 10:05 AM, Rob Crittenden wrote:
> Jessie Floyd wrote:
>> I've been working on a project where I have multiple IPA domains which
>> can't be connected due to scope and purpose of each domain. Ideally I
>> would like to replicate a single user's password from a core domain
>> server to a satellite IPA domain. I've learned that the password hash
>> is not a traditional hash and can't be replicated without some additional
>> work. My primary site is a multi-master and the satellite site has its
>> own multi-master configuration. As an example I have an intranet server
>> which hosts multiple users and a DMZ domain where a limited set of
>> admins work. How can I replicate an intranet user from the inside to
>> the DMZ? Any pointers or ideas would be helpful.
> I'm not entirely clear what it is you want/need to do.
> Do you want to set up some sort of fractional replication that
> replicates only passwords, and the raw hashes at that? That would do
> you no good when it comes to Kerberos.
> rob
You would need to intercept the password change operation in the KDC and DS of
one domain, then connect to the other domain and do the password update operation
there.
Sort of PassSync, but not from AD to IPA, rather from IPA to IPA.
But maybe it would be easier to not replicate password hashes from the
central domain to the DMZ domains but rather use Kerberos to Kerberos
trusts and set them manually?
If the initial authentication to acquire the TGT always happens in the
internal domain, that might fly.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
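Added example (not from the thread, and not FreeIPA or 389-DS code) illustrating why the raw hash "would do you no good when it comes to Kerberos" and why the password has to be caught at change time. 389-DS stores a salted one-way verifier ({SSHA} by default), while the Kerberos AES keys are derived by the RFC 3962 string-to-key function from the cleartext password with a salt built from the realm name and principal components. Only the PBKDF2 stage of that function is computed here; the final DK(tkey, "kerberos") step, which needs an AES implementation, is omitted, so the bytes shown are the RFC 3962 "temporary key", not the key the KDC actually stores. The realm names, principal, password and fixed SSHA salt are constructed values.

```python
import base64
import hashlib
import os
from typing import Optional

# RFC 3962 defaults for the aes128-cts-hmac-sha1-96 enctype.
PBKDF2_ITERATIONS = 4096
AES128_KEY_BYTES = 16


def krb5_default_salt(realm: str, principal: str) -> str:
    """RFC 4120 / RFC 3962 default salt: the realm name followed by the
    principal name components with the '/' separators removed,
    e.g. 'CORE.EXAMPLE.COMalice' or 'CORE.EXAMPLE.COMhostwww.example.com'."""
    return realm + "".join(principal.split("/"))


def krb5_pbkdf2_stage(password: str, realm: str, principal: str) -> bytes:
    """First stage of the AES string-to-key function (RFC 3962 section 4):
    PBKDF2-HMAC-SHA1 over the password with the realm-bound salt.
    The final DK(tkey, 'kerberos') step is intentionally not performed here."""
    salt = krb5_default_salt(realm, principal).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, AES128_KEY_BYTES
    )


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form 389-DS writes into userPassword:
    base64(sha1(password || salt) || salt). A fresh random salt is used
    unless one is supplied (the demo passes a fixed one for reproducibility)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against an {SSHA} value. This is all the
    directory can do with the hash: verify, never recover the password."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def demo() -> dict:
    """Derive the PBKDF2 stage for the same user and password in the core
    realm and in the DMZ realm, and show the LDAP hash beside them."""
    password = "correct horse battery staple"      # constructed
    core = krb5_pbkdf2_stage(password, "CORE.EXAMPLE.COM", "alice")
    dmz = krb5_pbkdf2_stage(password, "DMZ.EXAMPLE.COM", "alice")
    stored = ssha_hash(password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")  # fixed salt
    return {
        "core_tkey_hex": core.hex(),
        "dmz_tkey_hex": dmz.hex(),
        # Same password, same user, different realm: different key material,
        # because the realm is part of the salt. Copying CORE's keys (or the
        # SSHA verifier) to DMZ therefore yields nothing DMZ's KDC can use.
        "keys_differ": core != dmz,
        "userPassword": stored,
        "ssha_verifies": ssha_verify(password, stored),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence matches Dmitri's advice: the only moment at which a cross-domain sync can produce valid keys for the satellite realm is when the cleartext is available, i.e. inside the password change path, which is why a PassSync-style hook or a Kerberos trust is needed rather than fractional replication of userPassword.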