<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    1. The Windows DCs will be the master of the passwords.  Users will
    need to change their passwords in that environment.<br>
    <br>
    Not true: the password synchronization is based upon certain
    attributes in the database. 389 will only sync to AD if the ntUser
    objectClass is available, and for AD, it's posixAccount? IIRC. <br>
    <br>
    2. It must be installed on all DCs as you never know which DC the
    Windows client will send the change to.<br>
    <br>
    Nope, it's a single point of failure; it must be installed onto
    *ONE* DC, otherwise they will be overwriting each other. <br>
    <br>
    3. Right, that is a limitation, but there are bad workarounds for it.
    You can modify and create a pointer from SamAccountName to UID in
    the AD schema, but the UID will be UID in 389; does your application
    point to AD or 389?<br>
    <br>
    As Petr stated, I do suggest looking at IdM/IPA as an alternative
    solution because it contains the compat tree for legacy applications,
    and on RHEL7/Fedora it currently supports a trust, which will then
    negate having AD users change their passwords. Just make sure you
    have fully redundant IPA and AD servers so authentication will not
    break. <br>
    <br>
    Dan<br>
    <br>
    <br>
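    As an added example (not code from this thread or from the 389 project), a small
    offline audit of which entries in a sync subtree would be picked up under the
    ntUser rule described above; the ntUserDomainId attribute and the sample LDIF
    are assumptions:<br>

```python
# Added example, not from the thread or the 389 project: audit which entries a
# 389 DS winsync agreement would push to AD, using the thread's rule that only
# entries carrying the ntUser objectClass sync. Assumes winsync's ntUserDomainId
# attribute (its sAMAccountName mapping). The LDIF below is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: ntUser
uid: alice
ntUserDomainId: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: ntUser
uid: carol
ntUserDomainId: csmith
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():  # a blank line closes the current entry
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries

def winsync_scope(entries):
    """Map each DN to (would_sync, note) under the ntUser gating rule."""
    report = {}
    for e in entries:
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectclass", [])}
        if "ntuser" not in classes:
            report[dn] = (False, "no ntUser objectClass, winsync ignores it")
        elif e.get("ntuserdomainid", [""])[0] != e.get("uid", [""])[0]:
            report[dn] = (True, "synced, but uid differs from sAMAccountName")
        else:
            report[dn] = (True, "synced, uid matches sAMAccountName")
    return report
```

    Entries flagged with a uid/sAMAccountName mismatch are the ones where the
    application lookup question in point 3 matters.<br>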
    <div class="moz-cite-prefix">On 01/16/2014 12:08 PM, Gary Algier
      wrote:<br>
    </div>
    <blockquote cite="mid:52D8120D.4050406@ulticom.com" type="cite">
      <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
      <div class="moz-cite-prefix">On 01/16/14 11:07, Louis-Marie Plumel
        wrote:<br>
      </div>
      <blockquote
cite="mid:CAG=1xvgpChah=aUJGueSKLcfNSrzubwv8S3gUT2AEaXbC+iS6g@mail.gmail.com"
        type="cite">
        <div class="gmail_extra">
          <div>
            <div>My environment is 99% under Linux and authentication
              is full LDAP.<br>
            </div>
            For some 30 workstations under Windows, I had to create an
            AD under 2008 R2. For some reasons, I have to synchronize
            passwords between LDAP and AD. Linux users will keep
            authentication on LDAP. (Windows users are on LDAP AND AD,
            and if they want to change their password, they have to do
            this on LDAP. That's why I want to synchronise their
            password between LDAP and AD).<br>
          </div>
          LM<br>
          <br>
        </div>
      </blockquote>
      I installed the Windows password sync from the 389DS project on
      our DCs and it works with the Sun/Solaris/Java directory server
      just fine.  It should work with any LDAP server.<br>
      <br>
      However:<br>
      1. The Windows DCs will be the master of the passwords.  Users
      will need to change their passwords in that environment.<br>
      2. It must be installed on all DCs as you never know which DC the
      Windows client will send the change to.<br>
      3. You may need to adjust the parameters of the module by editing
      the registry after installation.  The default attributes did not
      suit our needs.  We use the UID attribute for the LDAP equivalent
      of the Windows SamAccountName attribute.<br>
      <br>
      <blockquote
cite="mid:CAG=1xvgpChah=aUJGueSKLcfNSrzubwv8S3gUT2AEaXbC+iS6g@mail.gmail.com"
        type="cite">
        <div class="gmail_extra">
          <div class="gmail_quote">2014/1/16 Petr Spacek <span
              dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>&gt;</span><br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div class="im">On 16.1.2014 16:55, Louis-Marie Plumel
                wrote:<br>
              </div>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div class="im">   Ok ok, I'm going to see what you sent
                  to me. To be sure, could 389DS be an<br>
                  intermediate between my two actual servers?<br>
                  <br>
                  Not sure what you mean here.<br>
                  <br>
                  <br>
                </div>
                <div class="im"> Can my actual LDAP be used by 389DS?
                  I'm sorry for these requests, I'm a<br>
                  novice in this domain....<br>
                </div>
              </blockquote>
              <br>
              Could you describe what are you trying to achieve?<br>
              <br>
              What is the use case? Logging to workstations? To web
              apps? File sharing over NFS with centralized identity
              store? What else?<br>
              <br>
              Petr^2 Spacek
              <div class="HOEnZb">
                <div class="h5"><br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    2014/1/16 Rich Megginson &lt;<a
                      moz-do-not-send="true"
                      href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;<br>
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                        On 01/16/2014 08:12 AM, Louis-Marie Plumel
                      wrote:<br>
                      <br>
                        Ok ok, I'm going to see what you sent to me. To
                      be sure, could 389DS<br>
                      be an intermediate between my two actual servers?<br>
                      <br>
                      Not sure what you mean here.<br>
                      <br>
                        I have to keep my actual LDAP, and it must remain the
                      master; synchronization must<br>
                      be a single direction (LDAP -&gt; AD).<br>
                      <br>
                      389 supports one way sync.<br>
                      <br>
                        Will users have to change their password?<br>
                      <br>
                      Yes, unfortunately.<br>
                      <br>
                      <br>
                        My goal is that everything will be transparent.<br>
                      <br>
                      Then you may want to look into IPA with AD cross
                      domain trust as Petr<br>
                      suggested.<br>
                      <br>
                         regards<br>
                      <br>
                      <br>
                      2014/1/16 Petr Spacek &lt;<a
                        moz-do-not-send="true"
                        href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>&gt;<br>
                      <br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex"> On 16.1.2014 15:59,
                        Rich Megginson wrote:<br>
                        <br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"> On 01/16/2014 07:57
                          AM, Louis-Marie Plumel wrote:<br>
                          <br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex"> Hello,<br>
                            <br>
                            Actually, I work with OpenLDAP.<br>
                            I've installed an AD 2008 R2. My challenge is
                            to work with both and<br>
                            synchronise LDAP and AD 2008 R2. After a
                            long research on the web, I<br>
                            don't<br>
                            find any information about how to synchronise
                            passwords. That's why I<br>
                            come<br>
                            here to see if with 389 DS it's possible or
                            not.<br>
                            <br>
                          </blockquote>
                          <br>
                          Yes.<br>
                          <br>
                          <a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync.html"
                            target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync.html</a><br>
                          <br>
                        </blockquote>
                        <br>
                          There is also one completely different option:
                        Use trust between AD and<br>
                        Unix domain. It depends on your requirements ...<br>
                        <br>
                        See<br>
                        <a moz-do-not-send="true"
                          href="http://www.freeipa.org/page/Trusts"
                          target="_blank">http://www.freeipa.org/page/Trusts</a><br>
                        <br>
                        or join mailing list<br>
                        <a moz-do-not-send="true"
                          href="https://www.redhat.com/mailman/listinfo/freeipa-users"
                          target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                </div>
              </div>
              <div class="HOEnZb">
                <div class="h5"> --<br>
                  389 users mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:389-users@lists.fedoraproject.org"
                    target="_blank">389-users@lists.fedoraproject.org</a><br>
                  <a moz-do-not-send="true"
                    href="https://admin.fedoraproject.org/mailman/listinfo/389-users"
                    target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></div>
              </div>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <br>
          -- <br>
          Louis-Marie Plumel<br>
          <a moz-do-not-send="true"
            href="mailto:louismarie.plumel@gmail.com" target="_blank">louismarie.plumel@gmail.com</a><br>
          <br>
        </div>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
  </body>
</html>