AD Password Sync Question

Christopher Barry wrote:
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com 
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf 
>> Of Rich Megginson
>> Sent: Friday, December 12, 2008 1:11 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: AD Password Sync Question
>>
>> Christopher Barry wrote:
>>> Greetings,
>>>
>>> After reading chapter 19 of the RH docs about AD integration, I have
>>> a question regarding the 'lifetime' and locality of the plaintext
>>> password, and how this actually gets captured and sync'd.
>>>
>>> In a multi-site AD Enterprise, with a lot of DCs, would the password
>>> sync service need to run on every DC,
>> Yes.
>>> with a partnership to the one master master Directory Server?
>> Yes, that's the best way.  You can point passsync at any master
>> anywhere, as long as you are prepared to deal with latency issues
>> (e.g. if you add a user then immediately change the password, you may
>> have to wait for that new user to show up on your local replica first).
>>> I'm wondering how if a user in Texas changes their password, it gets
>>> placed into the Directory Server Master in Pennsylvania.
>> The DS MMR protocol will update the password on all other DS servers.
>>> Thanks,
>>> -C
>
> Thanks Rich for your quick response. 
> I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS. 
>   
Yes.
> Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?
>   
Yes.
> Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?
>   
There is no limit per se - but we have only done extensive testing with 
4 masters.  The protocol will support many thousands of masters.
> Thanks a lot,
> -C
