On Wed, Jan 27, 2010 at 7:43 PM, Ldap Tester <ldap.tester@gmail.com> wrote:


On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <ldap.tester@gmail.com> wrote:
I have two 389 servers, one under fedora 12 and one under fedora 11.
They have the following packages:

389-admin-1.1.9-1.fc12.x86_64
389-admin-console-1.1.4-2.fc12.noarch
389-admin-console-doc-1.1.4-2.fc12.noarch
389-adminutil-1.1.8-4.fc12.x86_64
389-console-1.1.3-5.fc12.noarch
389-ds-1.1.3-5.fc12.noarch
389-ds-base-1.2.5-1.fc12.x86_64
389-ds-base-devel-1.2.5-1.fc12.x86_64
389-ds-console-1.2.0-5.fc12.noarch
389-ds-console-doc-1.2.0-5.fc12.noarch
389-dsgw-1.1.4-1.fc12.x86_64

389-admin-1.1.8-4.fc11.x86_64
389-admin-console-1.1.4-1.fc11.noarch
389-admin-console-doc-1.1.4-1.fc11.noarch
389-adminutil-1.1.8-3.fc11.x86_64
389-console-1.1.3-4.fc11.noarch
389-ds-1.1.3-4.fc11.noarch
389-ds-base-1.2.5-1.fc11.x86_64
389-ds-base-devel-1.2.5-1.fc11.x86_64
389-ds-console-1.2.0-4.fc11.noarch
389-ds-console-doc-1.2.0-4.fc11.noarch
389-dsgw-1.1.4-1.fc11.x86_64

They are set up as multi-masters.

I also have a windows 2003 Active Directory server.
I have password syncing set up between the AD and the fedora 12 389 server.

This has been working for several years.
I have recently noticed a problem that may have existed for some time now, maybe always.

If I change a user password via windows, everything works as expected.
The password changes on windows and both fedora machines.
If I change a user password via the fedora 12 machine,
the one that has the sync agreement with the windows machine,
again, everything works as expected,
The password changes on windows and both fedora machines.

However, if I change a user password via the fedora 11 machine,
the one that does not have the sync agreement with the windows machine,
then, the password changes on both fedora machines,
but NOT on the windows machine.

This is not how it is supposed to work, right?

I have looked at all sorts of logs, and still have no clue as to the problem.
(I do not believe it is a fedora 11 versus fedora 12 problem.)
Does anybody have any ideas?

I had the same scenario.

Remember that the encrypted passwords are not synchronized with
Windows.

When you change your password on your F11, it is stored encrypted. Then
MMR transmits the "encrypted" userPassword to your F12. Therefore, the
password does not synchronize with Windows, since, as already mentioned,
it is encrypted.

In my case, I decided to change to a Master / Slave scenario. Thus, your
F11 will be read-only and such changes will be forwarded to your F12
(this includes passwd), where they will be written.


Greetings

P.S.: I apologize for my poor English.
--
Sergio A. Morales <sergiomorales at archlinux.cl>
uSCI & CSRG Sysadmin
Archlinux Chile



But I have set
pam_password clear
in /etc/ldap.conf on both fedora machines.
I rely on ssl for security.
I had to do this in order to get password syncing with windows to work at all.
Shouldn't that take care of the problem you describe above?


Also, look at http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
figure 9.2
That implies that it should work with my setup, right?