[389-users] Multi-master replication + AD password synchronisation
Rich Megginson
rmeggins at redhat.com
Fri Aug 6 17:19:42 UTC 2010
Johan Venter wrote:
> Hi all,
>
> I have the following situation:
> - ds1 running 1.2.6.a3
> - ds2 running 1.2.5.rc3 (yes, I will get around to bringing them up to
> the same version soon)
> - Multi-master replication agreements between both hosts
> - A synchronisation agreement to a Windows 2008 AD on ds1
>
> Although I am sure I have tested password changes on ds2 synchronising
> to ds1 then to the AD I have recently put ds2 in production and found
> that this is not working. To be more specific:
> - Password changes on Windows work fine, as the Password Sync service
> picks them up, pushes them to ds1, which then replicates the change
> to ds2
> - Password changes on ds1 work fine, are replicated to ds2 and are
> synchronised to AD
> - Password changes on ds2 replicate to ds1, and while there are
> entries in the Replication log on ds1 for a modification to the AD,
> the Windows password is not changed
>
> Looking at the documentation at
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html#Windows_Sync-About_Windows_Sync
> there are no caveats mentioned regarding multi-master replication and AD
> password sync, in fact their provided architecture diagram (lower part
> of the page) seems to indicate it should work in this situation.
>
I guess we should make it clear, because it does not work. See
https://bugzilla.redhat.com/show_bug.cgi?id=182507
> Furthermore, the text backs this up with:
>
> "The Directory Server relies on the Multi-Master Replication Plug-in to
> synchronize user and group entries. The same changelog that is used for
> multi-master replication is also used to send updates from the Directory
> Server to Active Directory as LDAP operations."
>
> and
>
> "Directory Server passwords are synchronized along with other entry
> attributes because plain-text passwords are retained in the Directory
> Server changelog."
>
> I did search the mailing list and turned up
> http://lists.fedoraproject.org/pipermail/389-users/2010-January/010903.html
> but I was hoping there is a different answer 6 months on. It seems to me
> that if 389 is storing password changes in the clear in the changelog
> that it should be able to push this cleartext password to AD when ds1
> gets the replication?
>
> Alternatively if this is absolutely just not a supported feature, would
> it be possible to setup a second AD synchronisation agreement on ds2 to
> the AD but specify ONLY to sync userPassword attribute changes?
> (disabling the create/delete new user/group options in the sync
> agreement of course to try and not cause loops or other problems).
>
> The same documentation references above specifically says NOT to have
> different DS's syncing to the same AD domain, but does that still apply
> if it's a very limited attribute synchronisation?
>
> Any help appreciated.
>
> Cheers,
> Johan
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
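For anyone chasing the same problem, the three password-change paths Johan lists above can be tested repeatably instead of by hand. The script below is an added example, not code from the thread or from the 389 project: it changes a throwaway test user's password on one master, waits for replication and winsync to run, then binds as that user on ds1, ds2 and the AD, and reports which servers the change never reached. The hostnames, DNs, credentials and the 30-second wait are assumptions; only the two DS-originated paths are covered, since a change made on Windows goes through the Password Sync service rather than LDAP.

```python
"""Probe password-change convergence across two 389 masters and one AD.

Added example (not part of the original thread).  Requires python-ldap
for the live checks; the reporting helpers run without it.
"""
import time

# Assumed topology, constructed to mirror the thread: two masters, one AD.
SERVERS = {
    "ds1": "ldap://ds1.example.com",
    "ds2": "ldap://ds2.example.com",
    "ad": "ldaps://ad.example.com",
}
# Assumed test identity.  The DN differs on AD because its suffix differs.
USER_DN = {
    "ds1": "uid=synctest,ou=People,dc=example,dc=com",
    "ds2": "uid=synctest,ou=People,dc=example,dc=com",
    "ad": "CN=synctest,CN=Users,DC=example,DC=com",
}
# Assumed admin credentials used to reset the test user's password.
ADMIN = {
    "ds1": ("cn=Directory Manager", "ASSUMED-PASSWORD"),
    "ds2": ("cn=Directory Manager", "ASSUMED-PASSWORD"),
}


def bind_ok(uri, dn, password):
    """True if a simple bind as `dn` with `password` succeeds on `uri`."""
    import ldap  # imported here so the pure helpers below work without it
    conn = ldap.initialize(uri)
    try:
        conn.simple_bind_s(dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()


def set_password(server, new_password):
    """Replace userPassword on the test entry via the given 389 master."""
    import ldap
    admin_dn, admin_pw = ADMIN[server]
    conn = ldap.initialize(SERVERS[server])
    conn.simple_bind_s(admin_dn, admin_pw)
    try:
        conn.modify_s(
            USER_DN[server],
            [(ldap.MOD_REPLACE, "userPassword", [new_password.encode()])],
        )
    finally:
        conn.unbind_s()


def probe_path(origin, new_password, wait_seconds=30):
    """Change the password on `origin`, wait, then bind on every server.

    Returns {server_name: bind_succeeded}."""
    set_password(origin, new_password)
    time.sleep(wait_seconds)  # assumed to exceed the replication/sync interval
    return {name: bind_ok(uri, USER_DN[name], new_password)
            for name, uri in SERVERS.items()}


def broken_paths(origin, results):
    """Servers (other than the origin) the change failed to reach, sorted."""
    return sorted(name for name, ok in results.items()
                  if not ok and name != origin)


def summarize(all_results):
    """Map each origin to the list of servers its change never reached."""
    return {origin: broken_paths(origin, res)
            for origin, res in all_results.items()}


if __name__ == "__main__":
    # Live run: one probe per master, distinct passwords so a stale value
    # cannot masquerade as a successful sync.
    outcome = {origin: probe_path(origin, f"Pr0be-{origin}-{int(time.time())}")
               for origin in ("ds1", "ds2")}
    for origin, missed in summarize(outcome).items():
        print(origin, "->", "all reached" if not missed else f"missed {missed}")
```

With the topology from the thread, a run is expected to report ds1 reaching everything and ds2 missing the AD, which matches the Bugzilla entry Rich points to. Using a fresh, distinct password per probe matters: binding with the previous password would still succeed on a server that never received the change, so a reused value hides exactly the failure being looked for.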