[389-users] active directory password sync

Ldap Tester ldap.tester at gmail.com
Wed Jan 27 22:53:12 UTC 2010


On Wed, Jan 27, 2010 at 7:43 PM, Ldap Tester <ldap.tester at gmail.com> wrote:

>
>
> On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <ldap.tester at gmail.com> wrote:
>
>> I have two 389 servers, one under fedora 12 and one under fedora 11.
>> They have the following packages:
>>
>> 389-admin-1.1.9-1.fc12.x86_64
>> 389-admin-console-1.1.4-2.fc12.noarch
>> 389-admin-console-doc-1.1.4-2.fc12.noarch
>> 389-adminutil-1.1.8-4.fc12.x86_64
>> 389-console-1.1.3-5.fc12.noarch
>> 389-ds-1.1.3-5.fc12.noarch
>> 389-ds-base-1.2.5-1.fc12.x86_64
>> 389-ds-base-devel-1.2.5-1.fc12.x86_64
>> 389-ds-console-1.2.0-5.fc12.noarch
>> 389-ds-console-doc-1.2.0-5.fc12.noarch
>> 389-dsgw-1.1.4-1.fc12.x86_64
>>
>> 389-admin-1.1.8-4.fc11.x86_64
>> 389-admin-console-1.1.4-1.fc11.noarch
>> 389-admin-console-doc-1.1.4-1.fc11.noarch
>> 389-adminutil-1.1.8-3.fc11.x86_64
>> 389-console-1.1.3-4.fc11.noarch
>> 389-ds-1.1.3-4.fc11.noarch
>> 389-ds-base-1.2.5-1.fc11.x86_64
>> 389-ds-base-devel-1.2.5-1.fc11.x86_64
>> 389-ds-console-1.2.0-4.fc11.noarch
>> 389-ds-console-doc-1.2.0-4.fc11.noarch
>> 389-dsgw-1.1.4-1.fc11.x86_64
>>
>> They are set up as multi-masters.
>>
>> I also have a windows 2003 Active Directory server.
>> I have password sync'ing set up between the AD and the fedora 12 389
>> server.
>>
>> This has been working for several years.
>> I have recently noticed a problem that may have existed for some time now,
>> maybe always.
>>
>> If I change a user password via windows, everything works as expected.
>> The password changes on windows and both fedora machines.
>> If I change a user password via the fedora 12 machine,
>> the one that has the sync agreement with the windows machine,
>> again, everything works as expected,
>> The password changes on windows and both fedora machines.
>>
>> However, if I change a user password via the fedora 11 machine,
>> the one that does not have the sync agreement with the windows machine,
>> then, the password changes on both fedora machines,
>> but NOT on the windows machine.
>>
>> This is not how it is supposed to work, right?
>>
>> I have looked at all sorts of logs, and still have no clue as to the
>> problem.
>> (I do not believe it is a fedora 11 versus fedora 12 problem.)
>> Does anybody have any ideas?
>>
>
> I had the same scenario.
>
> Remember that the encrypted passwords are not synchronized with
> Windows.
>
> When you change your password on your F11, it is stored encrypted. Then
> MMR transmits the encrypted userPassword to your F12. Therefore, the
> password does not synchronize with Windows since, as already mentioned,
> it is encrypted.
>
> In my case, I decided to change to a Master / Slave scenario. Thus, your
> F11 will be read-only and such changes will be forwarded to your F12
> (this includes passwd), which will be written.
>
>
> Greetings
>
> P.S.: I apologize for my poor English.
> --
> Sergio A. Morales <sergiomorales at archlinux.cl>
>
> uSCI & CSRG Sysadmin
> Archlinux Chile
>
>
>
> But I have set
> pam_password clear
> in /etc/ldap.conf on both fedora machines.
> I rely on ssl for security.
> I had to do this in order to get password syncing with windows to work at all.
>
> Shouldn't that take care of the problem you describe above?
>
>

Also, look at
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
figure 9.2
That implies that it should work with my setup, right?
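The `pam_password clear` setting mentioned above makes the client send the new password unhashed in the LDAP modify, and the poster says they rely on SSL to protect it. The following added example (written for this thread, not code from the 389 project or from anyone in it) audits a pam_ldap-style /etc/ldap.conf for exactly that dependency: it flags `pam_password clear` when `ssl` is off and the URI is not ldaps://, and, when TLS is on, when `tls_checkpeer` is unset or not `yes`. The option names are real pam_ldap options; the two config texts and the host names are constructed samples.

```python
"""Audit a pam_ldap-style /etc/ldap.conf for a cleartext password update
that is not protected by TLS.

Added example written for this thread; it is not code from the 389 project
or from anyone in the thread.  The pam_ldap option names (pam_password, ssl,
tls_checkpeer, uri) are real; the two config texts are constructed samples.
"""

# Constructed sample: pam_password clear with TLS switched off.  This is the
# combination the poster is relying on SSL to avoid.
WEAK_CONF = """\
uri ldap://ds1.example.internal/
base dc=example,dc=internal
# send the new password in the clear so the server can hash it itself
pam_password clear
ssl off
"""

# Constructed sample: the same update mode, but only over a verified TLS channel.
HARDENED_CONF = """\
uri ldap://ds1.example.internal/
base dc=example,dc=internal
pam_password clear
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; '#' lines and blanks are skipped.

    pam_ldap treats keys case-insensitively, so they are lower-cased here.
    If a key repeats, the last value wins.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit(opts):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if opts.get("pam_password", "").lower() != "clear":
        # Other modes (crypt, md5, exop, ...) do not send the plaintext in
        # the modify, so the TLS dependency checked below does not apply.
        return findings

    ssl_mode = opts.get("ssl", "off").lower()
    uri = opts.get("uri", "").lower()
    tls_active = ssl_mode in ("on", "start_tls") or uri.startswith("ldaps://")
    if not tls_active:
        findings.append(
            "pam_password clear with ssl=%s and uri=%s: the new password "
            "crosses the network in cleartext" % (ssl_mode, uri or "<unset>")
        )
        return findings

    checkpeer = opts.get("tls_checkpeer")
    if checkpeer is None:
        findings.append(
            "tls_checkpeer not set; set it to yes explicitly so a server "
            "presenting an unverified certificate cannot capture the password"
        )
    elif checkpeer.lower() != "yes":
        findings.append(
            "tls_checkpeer %s: the TLS channel does not authenticate the "
            "server, so the cleartext password update can be intercepted" % checkpeer
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(parse_ldap_conf(text))
        print("%s: %s" % (name, result or ["ok"]))
```

Run it against a real /etc/ldap.conf by reading the file into `parse_ldap_conf`; the check is deliberately narrow and only reasons about the TLS dependency that `pam_password clear` creates, not about the 389 DS or winsync side.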