[Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
Rich Megginson
rmeggins at redhat.com
Tue Apr 28 16:24:08 UTC 2009
John A. Sullivan III wrote:
> On Tue, 2009-04-28 at 08:05 -0600, Rich Megginson wrote:
>
>> John A. Sullivan III wrote:
>>
>>> On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote:
>>>
>>>
>>>> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
>>>>
>>>>
>>>>> John A. Sullivan III wrote:
>>>>>
>>>>>
>>>>>> Hello, all. This is a sequel to the last email on this subject now that
>>>>>> we've resolved the shadowLastChange problem. Fixing that problem did
>>>>>> not fix the DS 8.0 / AD password synchronization problem. To reiterate,
>>>>>> the passwords synchronize if the change is made from idm-console or from
>>>>>> AD. But they do not change when our Ubuntu/KDE users change their own
>>>>>> passwords. It fails when changed from both the KDE password change
>>>>>> interface and using passwd at the command line.
>>>>>>
>>>>>>
>>>>>>
>>>>> Take a look at the directory server access log - I think the change is
>>>>> being rejected before it even gets into the replication code, which is
>>>>> why the error log output below is not too helpful.
>>>>>
>>>>>
>>>> <snip>
>>>> Ah, I forgot to mention that the password change is successful in DS.
>>>> It just doesn't synchronize. Would that be the case if there was an
>>>> access failure? I'll enable the access logs and give it a check - John
>>>>
>>>>
>>> Oops! I forgot to mention that we had enabled the access logs and
>>> followed them in case the change was being made by some ID other than
>>> the user but the access logs look fine as far as we can tell. Here is
>>> what we see:
>>>
>>> [27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND
>>> [27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1
>>> [27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND
>>> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1
>>>
>>> I'm assuming this shows success and an entry into the Change log. Is
>>> that correct? If so, where do we look next to solve this problem? Thanks
>>> - John
>>>
>>>
>> I suppose you could try to enable the audit log - see what attribute it
>> is modifying, and what value. nss_ldap/pam_ldap (e.g. the interface
>> that the passwd command uses) can be configured to store a pre-hashed
>> password which will not work with winsync. You must have the clear text
>> password in order to sync it to AD.
>>
> <snip>
> That was it. Ubuntu defaulted to pam_password md5 in /etc/ldap.conf. I
> changed this to pam_password clear and it worked. Am I correct to
> assume this is safe as long and only as long as I am using tls to
> encrypt the communication between the client and the ldap server? Thanks
>
Yes.
> - John
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20090428/2affab1c/attachment.bin>
More information about the 389-users
mailing list