-----Original Message-----
From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf
Of Rich Megginson
Sent: Friday, December 12, 2008 1:11 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] AD Password Sync Question
Christopher Barry wrote:
> Greetings,
>
> After reading chapter 19 of the RH docs about AD integration, I have a question regarding the 'lifetime' and locality of the plaintext password, and how this actually gets captured and sync'd.
>
> In a multi-site AD Enterprise, with a lot of DCs, would the password sync service need to run on every DC,
Yes.
> with a partnership to the one master master Directory Server?
Yes, that's the best way. You can point passsync at any master anywhere, as long as you are prepared to deal with latency issues (e.g. if you add a user then immediately change the password, you may have to wait for that new user to show up on your local replica first).
> I'm wondering how, if a user in Texas changes their password, it gets placed into the Directory Server Master in Pennsylvania.
>
The DS MMR protocol will update the password on all other DS servers.
>
> Thanks,
> -C
>
Thanks Rich for your quick response.
I think you're saying that unlike user/group sync, where you need a single MMDS to be
the master interface to AD for all MMDSes, the passsync service can point to any
replicated MMDS.
Since most user adds are needed locally first, would it be better to do the local DC ->
local MMDS passsync first as a rule?
Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is
there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a
DC?
Thanks a lot,
-C