<br><br><div class="gmail_quote">On Wed, Jan 27, 2010 at 7:43 PM, Ldap Tester <span dir="ltr"><<a href="mailto:ldap.tester@gmail.com">ldap.tester@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <span dir="ltr"><<a href="mailto:ldap.tester@gmail.com" target="_blank">ldap.tester@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I have two 389 servers, one under fedora 12 and one under fedora 11.<br>They have the following packages:<br><br>389-admin-1.1.9-1.fc12.x86_64<br>389-admin-console-1.1.4-2.fc12.noarch<br>389-admin-console-doc-1.1.4-2.fc12.noarch<br>
389-adminutil-1.1.8-4.fc12.x86_64<br>389-console-1.1.3-5.fc12.noarch<br>389-ds-1.1.3-5.fc12.noarch<br>389-ds-base-1.2.5-1.fc12.x86_64<br>389-ds-base-devel-1.2.5-1.fc12.x86_64<br>389-ds-console-1.2.0-5.fc12.noarch<br>389-ds-console-doc-1.2.0-5.fc12.noarch<br>
389-dsgw-1.1.4-1.fc12.x86_64<br><br>389-admin-1.1.8-4.fc11.x86_64<br>389-admin-console-1.1.4-1.fc11.noarch<br>389-admin-console-doc-1.1.4-1.fc11.noarch<br>389-adminutil-1.1.8-3.fc11.x86_64<br>389-console-1.1.3-4.fc11.noarch<br>
389-ds-1.1.3-4.fc11.noarch<br>389-ds-base-1.2.5-1.fc11.x86_64<br>389-ds-base-devel-1.2.5-1.fc11.x86_64<br>389-ds-console-1.2.0-4.fc11.noarch<br>389-ds-console-doc-1.2.0-4.fc11.noarch<br>389-dsgw-1.1.4-1.fc11.x86_64<br><br>
There are set up as multi masters.<br><br>I also have a windows 2003 Active Directory server.<br>I have password sync'ing set up between the AD and the fedora 12 389 server.<br><br>This has been working for several years.<br>
I have recently noticed a problem that may have existed for some time now, maybe always.<br><br>If I change a user password via windows, everything works as expected.<br>The password changes on windows and both fedora machines.<br>
If I change a user password via the fedora 12 machine,<br>the one that has the sync agreement with the windows machine,<br>again, everything works as expected,<br>The password changes on windows and both fedora machines.<br>
<br>However, if I change a user password via the fedora 11 machine,<br>the one that does not have the sync agreement with the windows machine,<br>then, the password changes on both fedora machines,<br>but NOT on the windows machine.<br>
<br>This is not how it is supposed to work, right?<br><br>I have looked at all sorts of logs, and still have now clue as to the problem.<br>(I do not believe it is a fedora 11 versus fedora 12 problem.)<br>Does anybody have any ideas?<br>
</blockquote></div><br></div></div><pre>I had the same scenario.<br><br>Remember that the encrypted passwords are not synchronized with<br>Windows. <br><br>When you change your password on your F11, it is stored encrypted. Then<br>
MMR transmits "userPassword 'encrypted on your F12. Therefore, the<br>
password does not synchronize with Windows, since as already mentioned,<br>is encrypted.<br><br>In my case, I decided to change to a Master / Slave scenario. Thus, your<br>F11 will be to read only and such changes will be forwarded to your F12<br>
(this includes passwd) which will be written.<br><br><br>Greetings<br><br>P.D.: I apologize for my poor English.<br>-- <br>Sergio A. Morales <<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">sergiomorales at archlinux.cl</a>><br>
uSCI & CSRG Sysadmin<br>Archlinux Chile<br><br><br><br>But I have set<br>pam_password clear<br>in /etc/ldap.conf on both fedora machines.<br>I rely on ssl for security.<br>I had to do this in order to get password syncing with windows to work at all.<br>
Shouldn't that take care of the problem you describe above?<br></pre>
</blockquote></div><br><br>Also, look at <a href="http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html">http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html</a><br>figure 9.2<br>
That implies that it should work with my setup, right?<br>