Alexandre Augusto da Rocha wrote:
> I am using RHDS instead of FD, so if this issue has been addressed in
> FD please forgive me.
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
> Only one master is set up to sync to AD, which is the standard setup.
> Since password sync uses clear text to replicate to AD, password
> changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the
> hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be
> the actual clear text pw and attempts to use it to log in to RHDS1.
> This creates a loop where one server keeps sending what it believes to
> be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD
> it will not fix my problem as even if RHDS2 sends the password ok to
> AD, RHDS1 will still try to send the update it received from RHDS2.
> Is this assumption correct?
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
> What is the best course of action? How can I tell if a password
> update is done on the server or pushed thru replication?
>
> ------------------------------------------------------------------------
>
> Subject: Password replication problems between a multi-master system and AD
> From: Alexandre Augusto da Rocha <augusto.rocha(a)augustschell.com>
> Date: Mon, 19 Mar 2007 19:23:17 -0500
> To: fedora-directory-users(a)redhat.com