Alexander, thank you for such a quick reply.
The reason im looking at this is that I want to synchronize from AD to several FIPA domains, but as you mention it's only1-1 passync option. This results in my not being able to synchronize passwords to second idm domain.
Other options I've considered are:1. Run multiple instances of passsync on each DC. Both will intercept password change but will send to different ipa replicas in different freeipa domains.
From this link it doesn't seem to be possible however#48174 (RFE: Support for running multiple instances of the PassSync service) â 389 Project
|
|
|
| | |
|
|
|
| |
#48174 (RFE: Support for running multiple instances of the PassSync service...
| |
|
|
2. backing up/copying freeipa database that does have user/pass to second idm domainThis is not something I'm looking to do but if there is no other way I'd be willing to consider somehow grabbing files from ipa-repplica.domain.comand moving to ipa-server.example.net. Is this a route that's even worth looking into ?
Any other options that you are aware of to make this setup possible. 1AD->FIPA1.com                                                                ->FIPA2.comwith password replication to both?
thanks
From: Alexander Bokovoy <***@redhat.com>
To: pgb205 <***@yahoo.com>
Cc: Freeipa-users <freeipa-***@redhat.com>
Sent: Tuesday, May 24, 2016 12:22 PM
Subject: Re: [Freeipa-users] Forcing passync to periodically sync passwords
Currently passync is only triggered one the domain controller where the
password change is made.Is there a way to trigger passync to run
periodically and resend information to freeipa even if there are no
changes?
Passsync implements an interface on AD DC side that is activated only
when AD user changes the password. There is no way to access clear text
password at other time.
--
/ Alexander Bokovoy