Password Sync Service Question (IdM to Active Directory)
I would like some validation whether you actually need to install the Password Sync Service on "every" domain controller, or whether it actually needs to be installed on a DC at all, i.e. can it simply be another Windows 2008 Server?
This will be my first attempt at installing IdM to work with Active Directory, and the customer is fairly adamant about limiting the impact on their existing AD (and rightfully so). So far I have identified the only modifications to AD as importing the IdM cert and creating the AD user with the correct AD permissions.
Thanks in advance!
Section 8.5.2 of the identity management document explains the requirement.
Install the Password Sync Service on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
1. Download the PassSync.msi file from the Red Hat Enterprise Linux channels, and save it to the Active Directory machine.
Responses
Hi James. Yes, you must install PassSync.msi on all of your domain controllers to ensure all communications are captured and properly handled.
I've got a few links that might help you and others working down this path. The first is a nice overview of the process with links to the install guide you already referenced:
How to configure Windows Sync to synchronization between Red Hat Directory Server and Windows Active Directory ?
https://access.redhat.com/knowledge/solutions/42800
This next one is a bit more advanced, and may assist you as you continue your install:
IPA Frequently Asked Questions
https://access.redhat.com/knowledge/solutions/117223
Also, so you know, we're in the process of building an IdM community here on the portal, where all the directory experts will hang out. Keep an eye out for it; questions like this are what that channel will be for once it's launched. Please let me know if you have any additional questions as your install progresses. Good luck!
-Chris Robinson
Technical Account Manager, Red Hat Inc.
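Since the requirement above is that the Password Sync Service runs on every domain controller (a DC without it silently drops any password change made against it), the following is an added inventory check, not code from the original thread or from Red Hat. It assumes the ActiveDirectory RSAT module is available, that it runs in Windows PowerShell 5.1 (where Get-Service still accepts -ComputerName), and that PassSync.msi registers a Windows service named 'PassSync'; that service name is an assumption and should be confirmed on a DC where PassSync is already installed.

```powershell
# Added example (not from the original thread): list every domain controller in the
# domain and report whether the Password Sync service is installed and running on it.
Import-Module ActiveDirectory

# ASSUMPTION: the Windows service name registered by PassSync.msi. Confirm it on a DC
# where PassSync is installed, e.g. Get-Service | Where-Object DisplayName -like '*Password*'
$PassSyncServiceName = 'PassSync'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = $null
    try {
        # Remote service query; fails if the service is absent or the DC is unreachable.
        $svc = Get-Service -ComputerName $dc.HostName -Name $PassSyncServiceName -ErrorAction Stop
    } catch {
        # Either condition means this DC cannot forward password changes to IdM.
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Installed        = [bool]$svc
        Status           = if ($svc) { $svc.Status } else { 'NotInstalled/Unreachable' }
    }
}

$report | Format-Table -AutoSize

# Any DC without a running service is a coverage gap: a user whose password change lands
# on that DC will keep authenticating to AD but never get the new password in IdM.
$gaps = $report | Where-Object { -not $_.Installed -or $_.Status -ne 'Running' }
if ($gaps) {
    Write-Warning ('PassSync missing or stopped on: ' + ($gaps.DomainController -join ', '))
}
```

Run it from a management host with RSAT after each new DC is promoted, since DC promotion is the moment a gap usually appears; the -Filter * query covers all DCs in the current domain, so multi-domain forests need one run per domain.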
G'day James,
Q: Do you need to somehow push the passwords for each user that already exists in AD? Or does the password validation against their AD credentials happen when the user attempts to log in? At this point, I can su to a user, but I cannot log in via ssh.
Answer: Yes. AD uses a different password encryption mechanism. So PassSync.msi captures that information and sends it through to IPA.
To answer your other question: every time a change happens at the AD end, it logs everything in the change logs. PassSync makes sure it sends that updated information to IPA. Hope that makes sense. So yes, you have to wait till the next sync happens.
Frank