Luigi Santangelo wrote:
Hi everybody, this is my problem:
I configured my Fedora DS and now I can sync the LDAP users with
Windows 2003 Active Directory. Then I created a new user with this
LDIF:
dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that I wrote the user's password in the clear. Now I can log on to the
Windows AD with the username red and the password redpwd.
Then I added another user (yellow) with this LDIF:
dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
Note that MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030.
Then, if I try to log on to the Windows AD (from Windows) with the username
yellow and the password yellowred, I cannot log in. Instead, if I try to
log on to the Windows AD with the username yellow and the
password {MD5}8cb32079718c657b02bbbb176b97d030, I can log in.
Do you think this is a problem strictly related to Windows?
How can I get over it?
You can't pre-hash the password on the client side if you want it to be
properly sync'd to AD. The client needs to provide its password to FDS
in the clear, preferably over LDAPS or using a SASL mechanism that
provides confidentiality. FDS will then hash it according to the
default password hash storage scheme config setting. The clear password
will be provided to AD over LDAPS so AD can hash it using the hashing
scheme it needs.
-NGK
Thank you in advance.
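A pre-load check for the failure mode NGK describes, added here as an example that is neither from the thread nor from Fedora DS: it parses LDIF and flags any ntuser entry marked for AD account creation whose userPassword already carries a storage-scheme prefix, since FDS stores such a value as-is and the sync agreement would hand that literal string to AD. The sample LDIF is constructed from the two entries in the question (dc=example,dc=com stands in for the redacted suffix).

```python
import re

# Constructed sample: the two entries from the question, trimmed; yellow's dn is folded.
SAMPLE_LDIF = """\
dn: uid=red,ou=Other,ou=Students,ou=People,dc=example,dc=com
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
userPassword: redpwd

dn: uid=yellow,ou=Other,ou=Students,
 ou=People,dc=example,dc=com
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
"""
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")  # storage-scheme prefix, e.g. {MD5}

def parse_ldif(text):
    """LDIF text -> list of {attr: [values]} dicts; unfolds continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # leading space = continuation line
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:         # sentinel blank flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def flag_prehashed_sync_users(entries):
    """(uid, scheme) for AD-bound entries whose userPassword is pre-hashed."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        creates = {v.lower() for v in e.get("ntusercreatenewaccount", [])}
        if "ntuser" in classes and "true" in creates:
            for pw in e.get("userpassword", []):
                m = SCHEME_RE.match(pw)
                if m:  # FDS stores this verbatim; AD would receive the literal string
                    findings.append((e["uid"][0], m.group(0)))
    return findings
```

Run it over an LDIF before ldapadd: an empty result means every AD-bound entry supplies its password in the clear, which is what the sync path needs.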
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users