Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account). FDS -> AD passwd update = passwd ok in AD
Does anyone have an idea?
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
I've enabled it, but nothing more than an empty replication attempt... I thought FDS connects to AD and "ldapsearch"es modified entries. I can't see any request or update attempt.
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Emmanuel BILLOT wrote:
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
I've enabled it, but nothing more than an empty replication attempt... I thought FDS connects to AD and "ldapsearch"es modified entries. I can't see any request or update attempt.
Yes. That's what it is supposed to do, if the init succeeded.
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Here is the log extract:
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): No changes to send
[26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
[26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Beginning linger on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Linger timeout has expired on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Disconnected from the consumer
I can't see any action.
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
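Reading the posted extract with a small parser makes the negative result explicit: FDS had nothing to push to AD, it did send a DirSync search request, and nothing at all was logged between that request and the linger/disconnect phase. The block below is an added example for this thread, not 389 DS or winsync code; the sample lines are the ones posted above, and the "quiet poll" verdict is this example's own heuristic rather than anything the server reports.

```python
"""Summarize one winsync cycle from 389 DS error-log lines written at the replication log level.

Added example for reading the extract posted in the thread; this is not 389 DS code.
The sample lines are copied from the post. The "quiet poll" rule is this example's own
heuristic (assumption), not a message the server emits.
"""
import re
from typing import Dict, List, Optional, Tuple

# Two shapes occur in the extract: lines tagged with the agreement and consumer,
# and bare "- message" lines from the dirsync plugin.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'(?:NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<host>[^)]+)\): )?'
    r'(?:- )?(?P<msg>.*)$'
)
STATE_RE = re.compile(r'^State: (\S+) -> (\S+)$')

# Copied from the log extract in the thread.
SAMPLE_LOG = """\
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): No changes to send
[26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
[26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Beginning linger on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Linger timeout has expired on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Disconnected from the consumer
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one log line into timestamp, agreement, consumer host:port and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_cycle(log_text: str) -> Dict[str, object]:
    """Answer what a practitioner asks of one cycle: did FDS push anything, did it poll AD
    with DirSync, was anything logged in reply, and where did the agreement end up."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    msgs = [e["msg"] for e in events]

    transitions: List[Tuple[str, str]] = []
    for msg in msgs:
        m = STATE_RE.match(msg)
        if m:
            transitions.append((m.group(1), m.group(2)))

    # Lines logged between the DirSync request and the start of the linger phase.
    # Heuristic (assumption): if nothing is logged there, AD returned nothing the
    # server acted on, which is what "changes not caught in FDS" looks like.
    after_dirsync: Optional[int] = None
    if "Sending dirsync search request" in msgs:
        i = msgs.index("Sending dirsync search request")
        rest = msgs[i + 1:]
        lingers = [k for k, m in enumerate(rest) if m.startswith("Beginning linger")]
        after_dirsync = lingers[0] if lingers else len(rest)

    return {
        "agreements": sorted({e["agmt"] for e in events if e["agmt"]}),
        "consumers": sorted({e["host"] for e in events if e["host"]}),
        "window": (events[0]["ts"], events[-1]["ts"]) if events else None,
        "fds_had_changes_to_send": "No changes to send" not in msgs,
        "dirsync_request_sent": "Sending dirsync search request" in msgs,
        "lines_after_dirsync": after_dirsync,
        "quiet_poll": after_dirsync == 0,
        "state_transitions": transitions,
        "disconnected": "Disconnected from the consumer" in msgs,
    }


if __name__ == "__main__":
    for key, value in summarize_cycle(SAMPLE_LOG).items():
        print(f"{key:25} {value}")
```

The log level Rich refers to is set with nsslapd-errorlog-level: 8192 (replication debugging) on cn=config. The AD poll repeats every winSyncInterval seconds on the agreement (300 by default), so one quiet poll right after a change made in AD is not by itself a failure; several quiet polls in a row after the change is.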
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Ok. Is there any best practice when adding AD to an FDS? I don't think I will ask all users to update their password just for it...?
Emmanuel BILLOT wrote:
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Ok. Is there any best practice when adding AD to an FDS? I don't think I will ask all users to update their password just for it...?
That's one of the main problems with Windows Sync/Pass Sync. There is really no way to sync passwords - AD uses an irreversible hash/encryption, and so does Fedora DS. The Samba and freeIPA guys are working on ways to mitigate this situation.
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Ok. Is there any best practice when adding AD to an FDS? I don't think I will ask all users to update their password just for it...?
That's one of the main problems with Windows Sync/Pass Sync. There is really no way to sync passwords - AD uses an irreversible hash/encryption, and so does Fedora DS. The Samba and freeIPA guys are working on ways to mitigate this situation.
I had an idea (maybe totally crazy). What happens if, for each FDS entry, the password is updated with the same hashed value after init? Does WinSync require the cleartext password to work?
Emmanuel BILLOT wrote:
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Rich Megginson wrote:
Emmanuel BILLOT wrote:
Hi,
We've installed FDS, AD and a replication agreement. FDS data/passwords sync with AD; AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
- Passwords are not recognized after a full init. FDS => AD full init = unable to log on AD (even if we manually activate the account)
Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.
FDS -> AD passwd update = passwd ok in AD
Right. Passwd update uses clear text passwords.
Does anyone have an idea?
Ok. Is there any best practice when adding AD to an FDS? I don't think I will ask all users to update their password just for it...?
That's one of the main problems with Windows Sync/Pass Sync. There is really no way to sync passwords - AD uses an irreversible hash/encryption, and so does Fedora DS. The Samba and freeIPA guys are working on ways to mitigate this situation.
I had an idea (maybe totally crazy). What happens if, for each FDS entry, the password is updated with the same hashed value after init? Does WinSync require the cleartext password to work?
WinSync must have access to the clear text password to send it to AD, and vice versa - that's what passsync does - it intercepts the clear text password modification so that it can send the clear text password to Fedora DS.
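Two of Rich's answers in this thread, that a full init only has the hashed userPassword values in the database and so cannot carry passwords to AD, and that winsync/passsync work because they see the cleartext at the moment of the password-change modify, can be made concrete with a small simulation. The block below is an added example, not 389 DS, winsync or passsync code: it stores passwords in the {SSHA} form 389 DS uses, shows that the stored value can only be verified against a cleartext and never turned back into one, then walks a constructed full-init export and applies the rule "hashed value: nothing to send; cleartext value: encode it for AD's unicodePwd attribute". The two entries, the fixed salt and the plan_password_sync/ad_unicode_pwd names are this example's own; the unicodePwd encoding (the password in double quotes, UTF-16LE) is AD's documented format.

```python
"""Why a full init cannot carry passwords to AD, and what a password-change modify carries instead.

Added example; it simulates the rule stated in the thread and is not 389 DS, winsync
or passsync code. The LDIF entries below are constructed for the example.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form 389 DS stores in userPassword: base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext guess against a stored {SSHA} value (20-byte SHA-1 digest, salt follows)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def is_hashed(userpassword: str) -> bool:
    """A userPassword value tagged with a {SCHEME} other than {CLEAR} is one-way hashed."""
    m = SCHEME_RE.match(userpassword)
    return m is not None and m.group(1).upper() != "CLEAR"


def ad_unicode_pwd(cleartext: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes, UTF-16LE encoded."""
    return ('"' + cleartext + '"').encode("utf-16-le")


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader for the sample: one dict per entry, last value wins, '::' values are base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            if ":: " in line:
                attr, val = line.split(":: ", 1)
                val = base64.b64decode(val).decode("utf-8")
            else:
                attr, val = line.split(": ", 1)
            entry[attr] = val
        entries.append(entry)
    return entries


def plan_password_sync(ldif_text: str) -> List[Dict[str, object]]:
    """Per entry, what a cleartext-only sync can do with the userPassword value it is shown."""
    plan = []
    for e in parse_ldif(ldif_text):
        pw = e.get("userPassword", "")
        if not pw:
            action, payload = "skip-no-password", None
        elif is_hashed(pw):
            # The hash cannot be inverted and AD cannot consume it: nothing to send.
            action, payload = "skip-hashed", None
        else:
            # A cleartext (or {CLEAR}-tagged) value is what the modify-time hook sees.
            action, payload = "send-unicodePwd", ad_unicode_pwd(SCHEME_RE.sub("", pw))
        plan.append({"uid": e["uid"], "action": action, "unicodePwd": payload})
    return plan


# Constructed sample: alice's entry as a full-init export shows it (already hashed),
# bob's as the cleartext value a password-change modify carries before hashing.
FIXED_SALT = bytes(range(8))
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
cn: Alice Example
userPassword: {ssha_hash("Secret1!", FIXED_SALT)}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
cn: Bob Example
userPassword: Secret2!
"""

if __name__ == "__main__":
    for item in plan_password_sync(SAMPLE_LDIF):
        print(item["uid"], item["action"], item["unicodePwd"])
```

Re-setting every entry's userPassword to the hash it already holds, as proposed above, only ever presents the plugin with the "skip-hashed" case; the "send-unicodePwd" case needs a modify that carries the cleartext, which is exactly why users have to change their password (or why passsync has to be in the path on the AD side) for the two stores to converge.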