author: Jan Cholasta <jcholast@redhat.com> 2012-10-29 05:13:39 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2012-11-02 10:12:00 -0400
commit: 85a0cdeb696c9c1d1c50fa43b87ffe8d6d8e3ae6
tree: be639f67cb48d2a043340716646f7d427ba19736 /install/tools/man
parent: fc3834ca46fa986694be6a94f0a51d74e9e532a8
Reword description of the --passsync option of ipa-replica-manage.
https://fedorahosted.org/freeipa/ticket/3208
Diffstat (limited to 'install/tools/man')
-rw-r--r-- install/tools/man/ipa-replica-manage.1 | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index b1704c0b4..836743902 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -108,7 +108,7 @@ Full path and filename of CA certificate to use with TLS/SSL to the remote serve
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> \- this is typically what Windows AD uses as the default value) \- Be careful to quote this value on the command line
.TP
\fB\-\-passsync\fR=\fIPASSSYNC_PWD\fR
-Password for the Windows PassSync user. Required when using \-\-winsync. This does not mean you have to use the PassSync service.
+Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords. Required when using \-\-winsync. This does not mean you have to use the PassSync service.
.TP
\fB\-\-from\fR=\fISERVER\fR
The server to pull the data from, used by the re\-initialize and force\-sync commands.
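Review bot: the reworded \-\-passsync description calls PassSync a "plugin" ("used by the Windows PassSync plugin"), while the unchanged sentence that follows on the same line still says "the PassSync service". Pick one term, preferably "service", so readers do not assume there are two components. Because the option remains required with \-\-winsync even when PassSync is not deployed, a short pointer from this entry to the PASSSYNC section would make clear why the password is needed.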
@@ -176,6 +176,10 @@ Create a winsync replication agreement:
.TP
Remove a winsync replication agreement:
# ipa\-replica\-manage disconnect windows.ad.example.com
+.SH "PASSSYNC"
+PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it.
+.TP
+IPA maintains a list of DNs that are excempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the excemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config.
.SH "EXIT STATUS"
0 if the command was successful
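Review bot: "excempt" and "excemption" in the second added paragraph should be "exempt" and "exemption". The .TP in front of that paragraph is also the wrong macro for plain text: .TP takes the next input line as the tag of a tagged paragraph, so the whole sentence would render as a label with no body; use .PP instead. Since the section states that PassSync changes bypass normal IPA password policy, consider adding a sentence that the DNs listed in passSyncManagersDNs should be limited to the PassSync user.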