I've found that by not mixing the old FDS directory users with the current
AD users (i.e. doing a full sync of the users OU in AD to the People OU
in FDS and then manually fixing the missing host attributes of the AD
objects), this issue has been resolved. I have, however, found
something else: some AD users didn't come over with the
initial sync; it turns out these accounts in AD don't have first or last
names. After fixing these attributes, is there an easy way to make the
users appear as new users to the FDS synchronization mechanism, so that
those objects that were not originally synchronized will be brought
over? Thanks again.
Aaron
-----Original Message-----
From: Bliss, Aaron
Sent: Tuesday, October 31, 2006 9:52 PM
To: Bliss, Aaron; General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds
This is a little scary. In testing getting FDS to talk to AD (we're
running AD 2003, FDS 1.0.2 on 2 Red Hat 4 boxes), sometimes (2 of 5 times
so far) when changing a user's password from the FDS console, it actually
deletes the user from the Active Directory box! Has anyone else seen
this behavior? What can I do to troubleshoot this? Thanks again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Bliss, Aaron
Sent: Tuesday, October 31, 2006 5:51 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds
Thanks very much for your explanations; they have cleared up a lot of
grey area for me.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan Kinder
Sent: Tuesday, October 31, 2006 5:49 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I
> created was a supplier/consumer agreement between FDS and AD; now I have
> another question: if a new user is created in AD, since the FDS box is
> the supplier, how will that uid be replicated to FDS?
When FDS connects to AD, it will send the dirsync control. This control
contains a cookie of sorts. This basically tells AD to give us all
modifications since the last time we sent the dirsync control (which it
knows from the cookie we are sending). AD then gives us the
modifications along with a new cookie to use next time. You can think
of this as pull-style replication in the AD->FDS direction. FDS pushes
its changes to AD while pulling changes from AD to itself.
-NGK
> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces(a)redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan Kinder
> Sent: Tuesday, October 31, 2006 4:44 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the PassSync service
> (I've successfully created a replication agreement over SSL via FDS and
> AD). Thanks again.
The PassSync service is only responsible for sending password changes
initiated on the AD side to FDS. Any password that is changed on the
FDS side will be sent to AD over the synchronization agreement along
with other user & group changes. The synchronization agreement will
also pull changes that happened on the AD side over to FDS.

The problem is that AD hashes the password differently than FDS does, so
FDS needs access to the clear-text password. The only way for this to
happen when a password change is initiated on the AD side is to have a
password plug-in installed on the domain controller to get a copy of the
clear-text password. This is exactly what the PassSync service does.
It installs a plugin (passhook.dll) that receives the clear-text
password, which passsync.exe sends across to FDS over LDAPS.
Hopefully that clears things up.
-NGK
> Aaron
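The cookie-driven pull that Nathan Kinder describes above (AD hands back only the changes made since the cookie it last issued, plus a fresh cookie) is easy to misread until you see the state machine. The following is an added simulation, not code from Fedora Directory Server or from anyone on this thread: a fake domain controller that stamps every write with a directory-wide update sequence number and answers a dirsync-style request with "everything changed after the USN in your cookie", and a fake consumer that keeps the cookie between runs and, as a constructed stand-in for schema checks, refuses entries that lack `cn` or `sn`. The class and attribute names, the two sample users, and the USN-as-cookie encoding are all assumptions made for the illustration; a real AD cookie is opaque, and a real incremental dirsync result carries only the attributes that changed rather than whole entries.

```python
"""Simulation of a dirsync-style, cookie-driven pull (added example, not
FDS code).  Names, data and the cookie format are constructed for the
illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample DNs; any resemblance to a real directory is accidental.
ALICE_DN = "cn=alice,ou=users,dc=example,dc=com"
BOB_DN = "cn=bob,ou=users,dc=example,dc=com"


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    usn: int  # sequence number of the most recent write to this entry


class FakeAD:
    """Stand-in for a domain controller.  Every write bumps a directory-wide
    USN; a dirsync request returns the entries whose USN is newer than the
    one encoded in the caller's cookie."""

    def __init__(self) -> None:
        self._usn = 0
        self.entries: Dict[str, Entry] = {}

    def write(self, dn: str, **attrs: str) -> None:
        self._usn += 1
        entry = self.entries.get(dn)
        if entry is None:
            self.entries[dn] = Entry(dn, dict(attrs), self._usn)
        else:
            entry.attrs.update(attrs)
            entry.usn = self._usn  # a modify makes the entry "new" again

    def dirsync(self, cookie: bytes) -> Tuple[List[Entry], bytes]:
        # Assumption: the cookie is just the highest USN the client has
        # already seen (a real AD cookie is opaque).  Empty cookie means
        # "send me everything", which is what the very first sync does.
        since = int(cookie) if cookie else 0
        changed = sorted(
            (e for e in self.entries.values() if e.usn > since),
            key=lambda e: e.usn,
        )
        return changed, str(self._usn).encode()


class FakeFDS:
    """Consumer side of the pull.  Remembers the cookie between runs and
    skips entries that lack attributes its schema needs (constructed rule:
    cn and sn are required)."""

    REQUIRED = ("cn", "sn")

    def __init__(self, ad: FakeAD) -> None:
        self.ad = ad
        self.cookie = b""
        self.people: Dict[str, Dict[str, str]] = {}
        self.skipped: List[str] = []

    def sync_once(self) -> List[str]:
        """Pull one batch of changes; return the DNs that were applied."""
        changes, self.cookie = self.ad.dirsync(self.cookie)
        applied: List[str] = []
        for entry in changes:
            if any(a not in entry.attrs for a in self.REQUIRED):
                self.skipped.append(entry.dn)  # rejected, but cookie advances
                continue
            self.people[entry.dn] = dict(entry.attrs)
            applied.append(entry.dn)
        return applied

    def reset_cookie(self) -> None:
        """Forget the cookie so the next pull is a full one again."""
        self.cookie = b""


def demo() -> Tuple[List[str], List[str], List[str], List[str], List[str]]:
    """Run the scenario and return (first, second, third, fourth, skipped)."""
    ad = FakeAD()
    ad.write(ALICE_DN, cn="alice", sn="Liddell", givenName="Alice")
    ad.write(BOB_DN, cn="bob")  # constructed: no surname on this account
    fds = FakeFDS(ad)
    first = fds.sync_once()    # alice applied, bob skipped, cookie advances
    second = fds.sync_once()   # nothing changed since the cookie: empty
    ad.write(BOB_DN, sn="Builder", givenName="Bob")  # fix bumps bob's USN
    third = fds.sync_once()    # bob now arrives as a change since the cookie
    fds.reset_cookie()
    fourth = fds.sync_once()   # empty cookie: full pull, both entries again
    return first, second, third, fourth, fds.skipped


if __name__ == "__main__":
    for label, dns in zip(("first", "second", "third", "fourth", "skipped"), demo()):
        print(f"{label}: {dns}")
```

The two things worth noticing are that a rejected entry does not hold the cookie back (the consumer has "seen" it, so it will not reappear until AD writes to it again), and that either touching the entry on the AD side or discarding the consumer's cookie makes it show up on the next pull.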
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users