Paolo Barbato wrote:
> Scott,
>
> On 15/dic/07, at 02:39, Scott Belnap wrote:
>
>>
>> On Fri, 2007-12-14 at 18:14 -0700, Rich Megginson wrote:
>>> Scott Belnap wrote:
>>>> I have a fresh AD install and have set up a Windows Sync between FDS and
>>>> AD and am able to populate AD with all my FDS accounts. My issue is when I
>>>> first make the initial full synchronization FDS won't populate AD with
>>>> the passwords. The only way I can get FDS to populate the password in
>>>> AD is if I manually change the users' password on FDS. Can anyone give
>>>> me some advice on how to get the passwords to sync on the first full
>>>> sync process.
>>>>
>>> The problem is that the passwords in FDS are hashed, and AD has no way
>>> to read those hashes - AD requires the cleartext password in order to
>>> hash/encrypt it with its various nefarious schemes. So even if the
>>> passwords were sent over to AD in the initial sync, they would be
>>> useless on AD.
>>>> Mahalo!
>>
>> So I have to find some way to get the cleartext passwords to populate AD
>> or have all users reset their passwords. ...Wow...
>>
> I've sent a couple of mails on this subject, and now finally I see some
> answer.
>
> I paste a table from a previous e-mail:
>
>> 1) password changed on AD is properly replicated on FDS
>> 2) password changed on FDS (console) is properly replicated on AD
>> 3) password changed on Linux (via LdapPam) is not replicated on AD. I
>> suspect some encoding issues, since logs seem OK.
>
>
> So it appears that when FDS knows the cleartext password, it's able to
> make a sync with AD (2). This is not true when it makes a sync reading
> an already stored hashed password. See Rich's answer. This explains (3)
> because first the Linux password hash is stored in FDS and then FDS tries
> to change it in AD, sending "useless" data. Right?
>
> I'm trying to set up an external web interface and force my users to use
> only that. One other way is to allow users to change password only from
> Windows.
>
> I guess if it's possible and how allow only cleartext password in FDS,
> since this, although not too much secure, should face this subject.
> Rich, some hints?

Sure. Just set the password hash in the password policy to CLEAR.

>
> Regards,
> Paolo.
>
>
>> Thanks for your help Rich.
>>
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>
> ------------------------------------------------------------------------------------------------
>
> Paolo Barbato                   email: mailto:paolo.barbato at igi.cnr.it
> Network Administrator           phone: (39-049)-829-5097
>                                        (39-049)-829-5000
> Corso Stati Uniti,4             www: http://www.igi.cnr.it
> 35127 Camin-Padova              PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
> ITALY                           JabberID: rfx_paolo_barbato at messenger.efda.org
> ------------------------------------------------------------------------------------------------
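
An added example, not part of the thread and not FDS code: a small Python audit over an LDIF export that separates entries whose userPassword is hashed (which, as explained above, AD cannot use, so the password has to be changed through FDS) from entries stored in cleartext at rest. The sample LDIF, the DNs, the function names and the cleartext scheme names are constructed assumptions.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")   # e.g. {SSHA}..., {clear}...
CLEAR_SCHEMES = {"CLEAR", "CLEARTEXT"}             # assumed names for unhashed storage

def parse_ldif(text):
    """Yield (dn, [userPassword values]); handles line folding and base64 (::)."""
    text = re.sub(r"\n ", "", text.replace("\r\n", "\n"))   # unfold continuations
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, passwords = None, []
        for line in block.split("\n"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):                         # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                passwords.append(value)
        if dn:
            yield dn, passwords

def status(passwords):
    """'no-password', 'cleartext-at-rest' or 'needs-password-change' for one entry."""
    if not passwords:
        return "no-password"
    for value in passwords:
        m = SCHEME_RE.match(value)
        if m is None or m.group(1).upper() in CLEAR_SCHEMES:
            return "cleartext-at-rest"     # no scheme prefix, or a cleartext scheme
    return "needs-password-change"         # hashed only: useless to AD as-is

def audit(text):
    """Map each DN in the export to its status."""
    return {dn: status(pws) for dn, pws in parse_ldif(text)}

# Constructed sample export; DNs and password values are made up.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: {SSHA}" + "A" * 20,
    " " + "A" * 20,                                  # folded continuation line
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{clear}Winter2007").decode(),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
])
```

Calling `audit()` on an export taken before enabling Windows Sync gives the list of accounts that will need a password change, and, after a switch to CLEAR storage, the list of accounts whose passwords are readable by anyone who can read the attribute.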