Hartmut Wöhrle wrote:
>Hello Elliot,
>
>On Tuesday, 29 November 2005 21:27, Elliot Schlegelmilch wrote:
>
>>I'm a bit confused now. Which password, or which actual? You can
>>ldapsearch using the uid=admin,ou=system account and correct password.
>>
>"correct password" that's exactly my problem. I think when setting up the
>system I did something wrong, because the answer is "Invalid Credentials
>(49)" which means wrong password. Therefore I can not connect, not search,
>and not modify anything.... so what to do? Uninstall and start from scratch?
>
>>>ldapsearch works, but (as you can see below) my bind password is wrong
>>>(or I can't remember.... :) )
>>>
>>I would suggest opening up your c:\program files\fedora directory
>>synchronization\conf\usersync.conf in your favorite editor, and see what
>>password is in it. Try binding as that user. While looking inside that
>>file look for the 'server.db.partition.suffix.usersync' field.
>>
>While trying to install I changed this password and now it doesn't fit - or
>maybe I am too stupid because I can not remember.
>
>>Then, with this password and base, try another search.
>>
>>ldapsearch -v -h 192.168.1.218 -D "uid=admin,ou=system" -w pw -b
>>"dc=home,dc=org" "(objectclass=*)"
>>
>>I'm just guessing the base, but I assume it's something very similar.
>>
>>You should see something similar to this:
>># Guest, users, example.com
>>dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
>>memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
>>lastLogon: 0
>>objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
>>countryCode: 0
>>
>Ok, so now I know what should come out - good.
>
>>Once you can access your PDC from LDAP, there's a lot better chance that
>>your Fedora Directory Server will be able to for replication.
>>
>Exactly, that's why I switched to the ldapsearch, because it tells me much more
>at the output than the logfile from Replication Log.
>
>>>Btw... It would be nice to find a schema (written or drawn) which tells
>>>me (or everyone) how winsync and passwordsync work. The pictures in the
>>>manuals tell me which way the servers exchange information, but
>>>within the PDC (or AD) I don't know anything - it is a black box.
>>>And .... I didn't find the sources to check by myself - is it closed
>>>source?
>>>
>>It's not closed source.
>>http://directory.fedora.redhat.com/wiki/Building#Pulling_the_Directory_Server_Source
>>
>The Directory Server yes.
>But I don't see (maybe I'm blind) the sources for the ApacheDS at the PDC
>(Java based) and the sources for winsync software, which comes as a .msi
>(Microsoft Installer) file.
>So is this open source? And where to find it?
>

The ApacheDS source is available at http://directory.apache.org/

The source for the winsync software is in the same source tree as the
Directory Server. The PassSync.msi source is in the ldapserver/ldap/synctools
directory. The ntds.msi source is in the ldapserver/ldap/servers/ntds directory.

>And I think the manual is a little bit too small for the NT Winsync.
>With AD it is OK, because you use the LDAP function of the AD and synchronise
>like a replica - more or less.
>But what exactly happens at the NT PDC???
>I learned from this forum that winsync installs an ApacheDS as LDAP Server to
>connect with. OK what next. How does the ApacheDS connect to the PDC. Which
>user is used for the login - if any?
>Does it work like this:
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
>or
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=admin)
>

My understanding is that the ApacheDS just serves up an LDAP representation
of NT's SAM database. It can access this since it is running as Administrator.

>And you need the replication manager (with the ACLs to add, modify and delete
>a user) at the FDS side for the synchronization?
>So this works like this (push)
>NT PDC (user=?) --> ApacheDS (uid=admin,ou=system) --> FDS
>(uid=replmanager,ou=users)
>And how does he know which user at the FDS to use
>Or like this (Pull)
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
>

FDS pulls the data from ApacheDS.

>And how does it work, when I use the Password sync? Is there a layer in between
>windows admintool and PDC that reads the input and sends it to the FDS before
>handing it to the PDC Directory - but for this it needs an account with
>administrative rights, which one?
>

The Windows LSA (local security authority) hands password changes off to
PassSync. The PassSync service then attempts to push this password change to
FDS. You need to set up a user on the FDS side that has permission to update
the userPassword attribute for your user entries. It doesn't matter which
user as long as they have the proper rights.

-NGK

>You see there are many questions with this challenging tool.
>
>See U
>Hartmut
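As an added illustration (not from this thread or the Directory Server project) of the FDS-side account described above: rather than reusing the replication manager, a dedicated PassSync bind DN gets an ACI that allows writing userPassword and nothing else. The suffix dc=home,dc=org is taken from the ldapsearch example; the DN uid=passsync,ou=users,dc=home,dc=org and the placeholder password are assumptions.

```ldif
# Constructed example: a dedicated service account for PassSync (assumed DN).
dn: uid=passsync,ou=users,dc=home,dc=org
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: passsync
cn: PassSync service account
sn: PassSync
userPassword: CHANGE-ME-PLACEHOLDER

# Grant that account write access to the userPassword attribute only, on
# entries under the users subtree. It gets no add/delete rights on entries and
# no write access to any other attribute, so a compromised sync credential
# cannot change group membership, DNs, or other identity data.
dn: ou=users,dc=home,dc=org
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "PassSync sets passwords";
  allow (write) userdn = "ldap:///uid=passsync,ou=users,dc=home,dc=org";)
```

After loading this with ldapmodify as Directory Manager, bind as the new DN with the same ldapsearch form shown earlier to confirm the credential; a modify of any attribute other than userPassword under that bind should be refused with Insufficient Access (50).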