Thank you for your reply. I tried creating a Windows sync agreement between
the 389 DS and an AD Read Only DC (RODC). When I give all the details in the
New Windows Sync Agreement screen, it does not give me an error message
saying that "Cannot contact active directory server." But when I try to
initiate Full Re-synchronization, it gives me an error saying "connection
error: operation failure - Total update aborted. Error Code:1". But I am
seeing all the users and groups properly sync without passwords at the
proper target OU in the 389 DS. Can this be a bug, or am I missing something?
I don't get this error if I am syncing with an AD Read Write DC (RWDC).
On Wed, Dec 5, 2018 at 3:56 PM William Brown <william(a)blackhats.net.au>
> On 30 Nov 2018, at 01:30, Abhisheyk Deb <abhisheykdeb(a)gmail.com> wrote:
> I have the following structure AD RWDC(Read Write), AD RODC(Read Only),
> and a 389 DS instance.
> PassSync will be installed on the AD RODC and the 389 DS instance will
> sync with it.
> If the users are created on the AD RWDC and synced with the RODC, can
> PassSync still intercept passwords in cleartext format, and push them to
I think the answer is “yes” but you won’t get anything from the RODC
Denied Replication group (IE domain admins).
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: