It then sends the plain text password
via an encrypted link to IPA, so it's pretty safe. No, there is no
easy way I know of, though it's possible to use AD for Kerberos,
i.e. password, and an LDAP for control; don't think that is
practical in IPA.....but AD and say OpenLDAP, yes. We have a
setup here, but ordinary bods like me couldn't maintain / modify
/ patch it.
The other possibility is Oracle's OVD, which is an open virtual
directory that sits in front of (multiple if necessary) LDAPs
and gives an LDAPv3 output, but that is expensive...i.e. when
Oracle say "open" they mean open your wallet and we'll take all
we want...it's also awful....2 of us tried for 3 weeks to make
it work and gave up, too unstable.
The last way I know of, which we have, is a web-based application
called Psync which allows users to reset their own password via
an https web page that then injects into AD; it can do LDAPs as
well in parallel...but that's really the same thing as
Or just use AD, then you use something like Centrify or Likewise
and that cost hurts as well. So depends who is paying....get
them to "chat" to your security group. Ours are A OK with
PassSync as the gains of IPA and centralised control far outstrip
the PassSync minor concern. Besides which a decently sized and
complex AD is a Swiss cheese for security anyway. Ask your
security how the last external pen test on AD went..if they have
never done one.....it's a bit rich for them to comment on
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Our security group have concerns with copying
username/password from AD and might not allow this
synchronisation to even happen.
Is there a way to configure IPA to go get
username/password via a kind of proxy?