I'd like to migrate from ODSEE and PSW to 389 Directory Server with Windows Sync.
From my understanding after reading the Red Hat 10/9 Directory Server documentation,
existing users' passwords from AD will not be synced to LDAP.
This of course is normal since passwords are already hashed in AD.
However, in Sun/Oracle ODSEE+PSW they were doing this:
A special attribute was added to new synced users in LDAP. On user bind to the LDAP
the password was caught (by the LDAP server plugin) and a second bind was tested from the
LDAP server itself to the AD server.
If the 2nd bind was successful the userPassword was updated on the LDAP server, the
attribute was removed and the 1st bind was ok.
Since I have a large AD forest (30K users) I don't want to do a password reset on these.
What is the common practice with 389 server for such a scenario?
Sun also had another nice feature: Uni-directional sync Windows->LDAP for user
bi-directional attribute/password change. I guess this is also not supported in 389, correct?
thanks in advance,
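
The on-demand password migration described in this message, modeled in memory as an added example (not part of the original post and not ODSEE, PSW or 389 code). The marker attribute name, the `adAccount` field, the `FakeAD` stand-in and the PBKDF2 storage are all assumptions made for illustration.

```python
import hashlib, hmac, os

MIGRATE_FLAG = "pendingAdSync"  # hypothetical marker attribute, not a real PSW/389 name

def hash_password(password, salt=None):
    """Salted PBKDF2 stand-in for the directory's own password storage scheme."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FakeAD:
    """Constructed stand-in for the second bind against Active Directory."""
    def __init__(self, creds):
        self._creds = creds
    def bind(self, account, password):
        expected = self._creds.get(account)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def ldap_bind(directory, ad, uid, password):
    """Return True if the bind succeeds; migrate the password on first success."""
    entry = directory.get(uid)
    # An empty password is an unauthenticated bind (RFC 4513); never forward it.
    if entry is None or not password:
        return False
    if entry.get(MIGRATE_FLAG):
        if not ad.bind(entry["adAccount"], password):
            return False              # flag stays, nothing is stored
        entry["userPassword"] = hash_password(password)
        del entry[MIGRATE_FLAG]       # later binds are verified locally
        return True
    stored = entry.get("userPassword")
    if stored is None:
        return False
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def sample():
    """Constructed sample data: one synced user awaiting migration."""
    directory = {"alice": {"adAccount": "alice@example.test", MIGRATE_FLAG: True}}
    return directory, FakeAD({"alice@example.test": "Constructed-Pass-1"})

if __name__ == "__main__":
    directory, ad = sample()
    print(ldap_bind(directory, ad, "alice", "wrong"))               # False
    print(ldap_bind(directory, ad, "alice", "Constructed-Pass-1"))  # True, migrated
    print(ldap_bind(directory, FakeAD({}), "alice", "Constructed-Pass-1"))  # True, local
```

In a real deployment the second bind would go to AD over LDAPS, since the LDAP server handles the cleartext password at that point.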