[Fedora-directory-users] PassSync only working one way

Ulf Weltman ulf.weltman at hp.com
Wed Jun 14 17:55:29 UTC 2006


UnicodePwd has to be little-endian unicode and with quotes around it.  
You can do something like...

# printf rather than echo, so that no trailing newline ends up in the encoded value
printf '%s' '"Secret12"' > pass.txt
iconv -t UNICODELITTLE -o unicodepass.txt pass.txt

And then base64 encode unicodepass.txt and use the result for unicodePwd 
value.

I got the details from http://support.microsoft.com/?kbid=269190 originally.

Ulf

Jeff Gamsby wrote:

> Correct. It was not enabled when I first installed and configured 
> PassSync. I tried to use ldapmodify to change the password, but that 
> didn't work either.
>
> To use ldapmodify, do I change UnicodePwd?
>
> How do I generate UnicodePwd?
>
> dn: cn=user,cn=users,dc=ad,dc=server,dc=com
> changetype: modify
> replace: unicodepwd
> unicodepwd:
>
> Thanks
> Jeff
>
>
> Nathan Kinder wrote:
>
>> Jeff Gamsby wrote:
>>
>>>
>>> Thanks for responding.
>>> I have Windows 2000, the default password policy is disabled by 
>>> default, but I did turn it on to see if that was the problem and 
>>> also tried more complex passwords when testing. Nothing has worked 
>>> so far. I'm not even sure if there are any other tests that I can do, 
>>> I've turned up the logging, but it still doesn't give me any clues 
>>> as to what is going on.
>>
>> Are you saying that you enabled Active Directory's password complexity 
>> option?  I'm pretty sure that is required for passwords to sync from 
>> FDS -> AD.  You could also attempt to use ldapmodify against AD to 
>> remotely change a user's password over SSL as a test.
>>
>> It sounds like everything with the PassSync service is fine since 
>> passwords are working from AD -> FDS.
>>
>> -NGK
>>
>>>
>>> Thanks,
>>> Jeff
>>>
>>> nattapon viroonsri wrote:
>>>
>>>>
>>>> When I add a user or change a password on the FDS side, it gets stuck 
>>>> with the Windows (2003) default password policy.
>>>> So I have to change to a more strict password or disable the policy at ADS,
>>>> then FDS syncs with ADS completely (I can log on to ADS with the same 
>>>> password as the FDS user).
>>>>
>>>> I'm not sure this is the same case as yours.
>>>>
>>>> Regards,
>>>> Nattapon
>>>>
>>>>
>>>>> From: Jeff Gamsby <JFGamsby at lbl.gov>
>>>>> Reply-To: "General discussion list for the Fedora Directory server 
>>>>> project." <fedora-directory-users at redhat.com>
>>>>> To: "General discussion list for the Fedora Directory server 
>>>>> project." <fedora-directory-users at redhat.com>
>>>>> Subject: [Fedora-directory-users] PassSync only working one way
>>>>> Date: Tue, 13 Jun 2006 15:08:03 -0700
>>>>>
>>>>> I thought that I had the PassSync working until I ran into this 
>>>>> problem:
>>>>>
>>>>> Passwords are not synchronized from FDS to AD.  When accounts are 
>>>>> added to FDS, they do show up in AD (although sometimes the cn 
>>>>> attribute gets base64 encoded), but I cannot authenticate to AD. 
>>>>> When I change passwords on the FDS side, they are not changed (or 
>>>>> not sent) to AD. If I change passwords in AD, they are changed in 
>>>>> the FDS.
>>>>>
>>>>> The logs show that something is happening (changed host names and 
>>>>> dn's)
>>>>>
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): No linger to cancel on the connection
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - 
>>>>> windows_acquire_replica returned success (101)
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): State: ready_to_acquire_replica -> sending_updates
>>>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
>>>>> (agmt="cn=AD" (ad:636)): Consumer RUV:
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): {replicageneration} 448f18ae000000010000
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
>>>>> 448f363d03d400010000 448f363d
>>>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
>>>>> (agmt="cn=AD" (ad:636)): Supplier RUV:
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): {replicageneration} 448f18ae000000010000
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
>>>>> 448f363d03d700010000 448f363d
>>>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session 
>>>>> start: anchorcsn=448f363d03d400010000
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog 
>>>>> program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, 
>>>>> position set for replay
>>>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 
>>>>> csn=448f363d03d600010000
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): windows_replay_update: Looking at modify operation local 
>>>>> dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
>>>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>>>> (ad:636): windows_replay_update: Processing modify operation local 
>>>>> dn="uid=user,ou=people,dc=server,dc=,dc=" remote 
>>>>> dn="<GUID=16f869dcfdde3d42bcb075fd4a1c7980>"
>>>>>
>>>>>
>>>>> I'm not sure what is going on, I can talk via SSL from FDS to AD, 
>>>>> and I'm assuming that the PassSync service is working properly 
>>>>> since the changes from AD to FDS work.
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
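
The encoding steps from Ulf's reply, combined into one script that also emits the LDIF record Jeff asked about. This is an added example, not part of the original thread: the function names and the assumption that the password arrives as UTF-8 are this example's own, and the DN and password are the sample values quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the password is supplied as UTF-8.

# encode_unicodepwd PASSWORD
# Prints base64 of the UTF-16LE bytes of "PASSWORD", surrounding quotes included.
encode_unicodepwd() {
    # printf writes no trailing newline; UTF-16LE output carries no byte-order mark.
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# check_unicodepwd BASE64
# Succeeds only if the decoded value is a non-empty string wrapped in double
# quotes with nothing after the closing quote (e.g. the newline echo appends).
check_unicodepwd() {
    # The appended "x" keeps $(...) from silently stripping a trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8; printf x)
    decoded=${decoded%x}
    case $decoded in
        '"'?*'"') return 0 ;;
        *) return 1 ;;
    esac
}

# unicodepwd_ldif DN PASSWORD
# Prints a modify record; "::" tells LDIF parsers the value is base64.
unicodepwd_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' \
        "$1" "$(encode_unicodepwd "$2")"
}

# Sample DN and password taken from the thread.
unicodepwd_ldif 'cn=user,cn=users,dc=ad,dc=server,dc=com' 'Secret12'
```

The printed record can be piped to ldapmodify over the SSL connection to AD, as suggested in the thread; check_unicodepwd is useful for testing a value that AD rejected.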




