[Fedora-directory-users] AD Password Sync Question

Rich Megginson rmeggins at redhat.com
Fri Dec 12 18:41:24 UTC 2008


Christopher Barry wrote:
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com 
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf 
>> Of Rich Megginson
>> Sent: Friday, December 12, 2008 1:11 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] AD Password Sync Question
>>
>> Christopher Barry wrote:
>>> Greetings,
>>>
>>> After reading chapter 19 of the RH docs about AD integration, I have a
>>> question regarding the 'lifetime' and locality of the plaintext password,
>>> and how this actually gets captured and sync'd.
>>>
>>> In a multi-site AD Enterprise, with a lot of DCs, would the password sync
>>> service need to run on every DC,
>> Yes.
>>> with a partnership to the one master master Directory Server?
>> Yes, that's the best way.  You can point passsync at any master anywhere,
>> as long as you are prepared to deal with latency issues (e.g. if you add a
>> user then immediately change the password, you may have to wait for that
>> new user to show up on your local replica first).
>>> I'm wondering how if a user in Texas changes their password, it gets
>>> placed into the Directory Server Master in Pennsylvania.
>> The DS MMR protocol will update the password on all other DS servers.
>>> Thanks,
>>> -C
>>>
>
> Thanks Rich for your quick response. 
> I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS. 
>   
Yes.
> Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?
>   
Yes.
> Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?
>   
There is no limit per se - but we have only done extensive testing with 
4 masters.  The protocol will support many thousands of masters.
> Thanks a lot,
> -C
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
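The latency race described in the thread (a user is added, and the password is changed before the new entry has replicated to the master that the password-sync writer talks to) can be made concrete with a small tick-based simulation. This is an added illustration, not 389 Directory Server or PassSync code: the two master names ("pa", "tx"), the fixed replication delay, the DN and the password hash value are constructed for the example, and the bounded wait-and-retry in `sync_password` is an assumption about how a sync writer might cope with a missing entry, not PassSync's actual retry behaviour.

```python
"""Tick-based model of multi-master replication latency and a password-sync
writer. Added illustration only: not 389 Directory Server or PassSync code.
Master names, latency, DN and hash value are constructed for the example."""
from dataclasses import dataclass, field

DN = "uid=jdoe,ou=People,dc=example,dc=com"        # constructed entry DN
PW_HASH = "{SSHA}constructed-hash-value"            # constructed, not a real hash


@dataclass
class Master:
    name: str
    entries: dict = field(default_factory=dict)     # dn -> attribute dict


class Topology:
    """Fully meshed masters; every write reaches the others `latency` ticks later."""

    def __init__(self, names, latency):
        self.masters = {n: Master(n) for n in names}
        self.latency = latency
        self.tick = 0
        self.pending = []                           # (deliver_at, target, dn, attrs)

    def write(self, master, dn, attrs):
        """Apply a change locally and queue it for replication to the other masters."""
        self.masters[master].entries.setdefault(dn, {}).update(attrs)
        for other in self.masters:
            if other != master:
                self.pending.append((self.tick + self.latency, other, dn, dict(attrs)))

    def advance(self):
        """Move the clock one tick and deliver every replication update that is due."""
        self.tick += 1
        due = [u for u in self.pending if u[0] <= self.tick]
        self.pending = [u for u in self.pending if u[0] > self.tick]
        for _, target, dn, attrs in due:
            self.masters[target].entries.setdefault(dn, {}).update(attrs)


def sync_password(topo, master, dn, new_hash, max_wait_ticks):
    """Write the new password to `master` once the entry exists there.

    Returns the number of ticks waited, or None if the entry never showed up
    within max_wait_ticks. The bounded wait is an assumption for the model,
    not PassSync's real retry logic.
    """
    for waited in range(max_wait_ticks + 1):
        if dn in topo.masters[master].entries:
            topo.write(master, dn, {"userPassword": new_hash})
            return waited
        topo.advance()
    return None


def scenario(passsync_target, latency=3, max_wait=5):
    """The user is created on the 'pa' master (the one that owns the AD user
    sync agreement) and the password change is pushed to `passsync_target`.

    Returns (ticks_waited, converged), where converged means every master
    ended up with both the entry and the new password once replication settled.
    """
    topo = Topology(["pa", "tx"], latency)
    topo.write("pa", DN, {"cn": "jdoe"})            # user add lands on 'pa' first
    waited = sync_password(topo, passsync_target, DN, PW_HASH, max_wait)
    for _ in range(latency):                        # let replication settle
        topo.advance()
    converged = all(m.entries.get(DN, {}).get("userPassword") == PW_HASH
                    for m in topo.masters.values())
    return waited, converged


if __name__ == "__main__":
    for target, wait in (("pa", 5), ("tx", 5), ("tx", 2)):
        print(f"passsync -> {target}, max_wait={wait}: {scenario(target, max_wait=wait)}")
```

Running the script prints the three cases: the writer aimed at the master where the add landed needs no wait, the writer aimed at the other master waits one full replication delay before the entry appears, and a writer whose patience is shorter than that delay gives up, leaving no master with the new password. Once the entry is present on whichever master received the write, the replication step delivers the password everywhere, which is the MMR behaviour the thread describes.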
