On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello!
I've got a directory server and DSGW running.
Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW.
The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly.
How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW?
As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right?
So should I change domodify.c http://git.fedorahosted.org/git?p=389/dsgw.git;a=blob;f=domodify.c;h=5a3719276e3283e80415a884998e5281e066a8c1;hb=refs/tags/389-dsgw-1.1.7 which is responsible for password change in DSGW? Does it seem to be useful for Community?
Looking forward to your prompt repy.
Patches welcome.
Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
Can IPA use 389ds as a replication partner? The idea is to have IPA as a source directory with all of its growing benefits (kerberos, pass sync, windows sync with selected attributes) while keeping faithful to 389ds, simply because that's the solution we're all here for.
El mar, 05-07-2011 a las 08:43 -0600, Rich Megginson escribió:
On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello!
I've got a directory server and DSGW running.
Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW.
The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly.
How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW?
As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right?
So should I change domodify.c which is responsible for password change in DSGW? Does it seem to be useful for Community?
Looking forward to your prompt repy.
Patches welcome.
Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Juan Carlos Camargo Carrillo wrote:
Can IPA use 389ds as a replication partner? The idea is to have IPA as a source directory with all of its growing benefits (kerberos, pass sync, windows sync with selected attributes) while keeping faithful to 389ds, simply because that's the solution we're all here for.
I'm not sure I understand the statement "keeping faithful."
This isn't something the IPA developers have tried. You can manually set up replication agreement between the two, using SSL would be the easiest. You'd probably want it to be a read-only replica.
rob
El mar, 05-07-2011 a las 08:43 -0600, Rich Megginson escribió:
On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello!
I've got a directory server and DSGW running.
Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW.
The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly.
How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW?
As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right?
So should I change domodify.c http://git.fedorahosted.org/git?p=389/dsgw.git;a=blob;f=domodify.c;h=5a3719276e3283e80415a884998e5281e066a8c1;hb=refs/tags/389-dsgw-1.1.7 which is responsible for password change in DSGW? Does it seem to be useful for Community?
Looking forward to your prompt repy.
Patches welcome.
Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
-- 389 users mailing list 389-users@lists.fedoraproject.org mailto:389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Apologies for my english :)
Thanks Rob, I'll try that.
El mié, 06-07-2011 a las 09:37 -0400, Rob Crittenden escribió:
Juan Carlos Camargo Carrillo wrote:
Can IPA use 389ds as a replication partner? The idea is to have IPA as a source directory with all of its growing benefits (kerberos, pass sync, windows sync with selected attributes) while keeping faithful to 389ds, simply because that's the solution we're all here for.
I'm not sure I understand the statement "keeping faithful."
This isn't something the IPA developers have tried. You can manually set up replication agreement between the two, using SSL would be the easiest. You'd probably want it to be a read-only replica.
rob
El mar, 05-07-2011 a las 08:43 -0600, Rich Megginson escribió:
On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello!
I've got a directory server and DSGW running.
Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW.
The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly.
How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW?
As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right?
So should I change domodify.c http://git.fedorahosted.org/git?p=389/dsgw.git;a=blob;f=domodify.c;h=5a3719276e3283e80415a884998e5281e066a8c1;hb=refs/tags/389-dsgw-1.1.7 which is responsible for password change in DSGW? Does it seem to be useful for Community?
Looking forward to your prompt repy.
Patches welcome.
Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
-- 389 users mailing list 389-users@lists.fedoraproject.org mailto:389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hey, Rich!
I've written a patch for DSGW. This patch allows to change "userpassword" and "sambantpassword" synchronously when users change their passwords in DSGW.
Where should I learn how to make this patch available for community feedback and usage?
2011/7/5 Rich Megginson rmeggins@redhat.com
** On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello!
I've got a directory server and DSGW running.
Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW.
The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly.
How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW?
As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right?
So should I change domodify.chttp://git.fedorahosted.org/git?p=389/dsgw.git;a=blob;f=domodify.c;h=5a3719276e3283e80415a884998e5281e066a8c1;hb=refs/tags/389-dsgw-1.1.7which is responsible for password change in DSGW? Does it seem to be useful for Community?
Looking forward to your prompt repy.
Patches welcome.
Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
On 07/17/2011 03:32 PM, Alexandr Popov wrote:
Hey, Rich!
I've written a patch for DSGW. This patch allows to change "userpassword" and "sambantpassword" synchronously when users change their passwords in DSGW.
Where should I learn how to make this patch available for community feedback and usage?
Open a bugzilla at https://bugzilla.redhat.com/enter_bug.cgi?product=389 Attach the patch to the bug as an attachment Post the link to the bug to the users list for review
2011/7/5 Rich Megginson <rmeggins@redhat.com mailto:rmeggins@redhat.com>
On 07/05/2011 07:02 AM, Alexandr Popov wrote:
Hello! I've got a directory server and DSGW running. Mail server, openvpn server and samba share use ldap authentication against this directory server. Users change their passwords in DSGW. The mailserver and openvpn use SSHA hash in "userpassword" field, but samba uses NT hash and LM hash in "sambantpassword" and "sambalmpassword" fields accordingly. How can I make "userpassword" , "sambantpassword" and "sambalmpassword" fields change synchronously when users change their passwords in DSGW? As I can understand, there is no already written 389-DS-plugin for synchronizing these fields. Moreover, it seems to me that such issues as mine are often solved on the ldap clients: http://web.archiveorange.com/archive/v/I3m7YImbRJ3Dj9WoXlCz Am I right? So should I change domodify.c <http://git.fedorahosted.org/git?p=389/dsgw.git;a=blob;f=domodify.c;h=5a3719276e3283e80415a884998e5281e066a8c1;hb=refs/tags/389-dsgw-1.1.7> which is responsible for password change in DSGW? Does it seem to be useful for Community? Looking forward to your prompt repy.
Patches welcome. Or you could use IPA instead - IPA provides a plugin that keeps all of your passwords in sync - userPassword, and Samba and Kerberos passwords.
Best regards, Alex Popov.
2011/7/18 Rich Megginson rmeggins@redhat.com wrote
** On 07/17/2011 03:32 PM, Alexandr Popov wrote:
Hey, Rich!
I've written a patch for DSGW. This patch allows to change "userpassword" and "sambantpassword" synchronously when users change their passwords in DSGW.
Where should I learn how to make this patch available for community feedback and usage?
Open a bugzilla at https://bugzilla.redhat.com/enter_bug.cgi?product=389 Attach the patch to the bug as an attachment Post the link to the bug to the users list for review
Hello Everyone!
I've opened a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=726282
I've attached some modified source code to this bug. It allows DSGW to change "userpassword" and "sambantpassword" fields synchronously. DSGW with those modifications was tested and worked fine for Red Hat Directory Server 8.1.0-1 and Samba 3.0.33.
I hope for your feedback.
Best regards, Alex Popov.
P.S. If you are going to test it - don't forget to modify the selfwrite ACI for users in your DS.
389-users@lists.fedoraproject.org