I have the following structure AD RWDC(Read Write), AD RODC(Read Only), and a 389 DS instance.
PassSync will be installed on the AD RODC and the 389 DS instance will sync with it.
If the users are created on the AD RWDC and synced with the RODC, can PassSync still intercept passwords in cleartext format, and push them to 389 DS?
On 30 Nov 2018, at 01:30, Abhisheyk Deb abhisheykdeb@gmail.com wrote:
I have the following structure AD RWDC(Read Write), AD RODC(Read Only), and a 389 DS instance.
PassSync will be installed on the AD RODC and the 389 DS instance will sync with it.
If the users are created on the AD RWDC and synced with the RODC, can PassSync still intercept passwords in cleartext format, and push them to 389 DS?
I think the answer is “yes” but you won’t get anything from the RODC Denied Replication group (i.e. domain admins).
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William
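A practical follow-up to William's caveat, as an added example that is not part of the thread: a PowerShell check that lists the accounts an RODC's Password Replication Policy denies (groups expanded to their nested user members) and, for comparison, the accounts whose secrets the RODC has actually cached. It assumes the RSAT ActiveDirectory module and an RODC named "RODC01" (a placeholder).

```powershell
# Added example (not from the thread): enumerate the accounts an RODC's
# Password Replication Policy (PRP) denies, so you know up front whose
# password changes a PassSync instance on that RODC will never see.
# Assumes the RSAT ActiveDirectory module; "RODC01" is a placeholder name.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # placeholder: the RODC that will host PassSync

# Principals (users and groups) explicitly denied by this RODC's PRP.
# Deny entries take precedence over Allow entries.
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# Expand denied groups (e.g. Denied RODC Password Replication Group, which
# carries Domain Admins by default) into their nested user members; keep
# directly denied user entries as they are.
$deniedUsers = foreach ($p in $denied) {
    if ($p.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $p.distinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
    } elseif ($p.objectClass -eq 'user') {
        $p
    }
}

"Accounts whose secrets $Rodc is denied from caching:"
$deniedUsers |
    Sort-Object SamAccountName -Unique |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# Cross-check: accounts whose secrets this RODC has actually cached so far.
# Anyone missing here has not had a secret revealed to the RODC at all.
"Accounts currently revealed to $Rodc:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it with an account that can read the RODC's msDS-Reveal-OnDemandGroup / msDS-NeverRevealGroup attributes (a domain admin or delegated RODC administrator).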
Thank you for your reply. I tried creating a Windows sync agreement between the 389 DS and an AD Read Only DC (RODC). When I give all the details in the New Windows Sync Agreement screen, it does not give me an error message saying "Cannot contact active directory server." But when I try to initiate Full Re-synchronization, it gives me an error saying "connection error: operation failure - Total update aborted. Error Code:1". But I am seeing all the users and groups properly sync without passwords at the proper target OU in the 389 DS. Can this be a bug or am I missing something? I don't get this error if I am syncing with an AD Read Write DC (RWDC).
Regards.
On Wed, Dec 5, 2018 at 3:56 PM William Brown william@blackhats.net.au wrote:
On 30 Nov 2018, at 01:30, Abhisheyk Deb abhisheykdeb@gmail.com wrote:
I have the following structure AD RWDC(Read Write), AD RODC(Read Only), and a 389 DS instance.
PassSync will be installed on the AD RODC and the 389 DS instance will sync with it.
If the users are created on the AD RWDC and synced with the RODC, can PassSync still intercept passwords in cleartext format, and push them to 389 DS?
I think the answer is “yes” but you won’t get anything from the RODC Denied Replication group (i.e. domain admins).
— Sincerely,
William