Windows Sync

Paolo,

Thanks for the explanation.  I understand why the passwords aren't being
populated in AD, it's just the difficult task of asking all users to
reset their password so that it can be synced over to AD.  We already
have a web-based page that allows the user to reset their password, so
no worries!

On Mon, 2007-12-17 at 09:04 +0100, Paolo Barbato wrote:
> Scott,
> 
> On 15/dic/07, at 02:39, Scott Belnap wrote:
> 
> >
> > On Fri, 2007-12-14 at 18:14 -0700, Rich Megginson wrote:
> >> Scott Belnap wrote:
> >>> I have a fresh AD install and have set up a Windows Sync between FDS and
> >>> AD and am able to populate AD with all my FDS accounts.  My issue is when I
> >>> first make the initial full synchronization FDS won't populate AD with
> >>> the passwords.  The only way I can get FDS to populate the password in
> >>> AD is if I manually change the users' password on FDS.  Can anyone give
> >>> me some advice on how to get the passwords to sync on the first full
> >>> sync process?
> >>>
> >> The problem is that the passwords in FDS are hashed, and AD has no way
> >> to read those hashes - AD requires the cleartext password in order to
> >> hash/encrypt it with its various nefarious schemes.  So even if the
> >> passwords were sent over to AD in the initial sync, they would be
> >> useless on AD.
> >>> Mahalo!
> >
> > So I have to find some way to get the cleartext passwords to populate AD
> > or have all users reset their passwords.  ...Wow...
> >
> I've sent a couple of mails on this subject, and now finally I see some
> answers.
> 
> I paste a table from a previous e-mail:
> 
> > 1) password changed on AD is properly replicated on FDS
> > 2) password changed on FDS (console) is properly replicated on AD
> > 3) password changed on Linux (via LdapPam) is not replicated on AD. I
> >    suspect some encoding issues, since logs seem OK.
> 
> 
> So it appears that when FDS knows the cleartext password, it's able to
> make a sync with AD (2). This is not true when it makes a sync reading
> an already stored hashed password. See Rich's answer. This explains (3),
> because first the hashed Linux password is stored in FDS and then FDS tries
> to change it in AD, sending "useless" data. Right?
> 
> I'm trying to set up an external web interface and force my users to use
> only that. One other way is to allow users to change passwords only from
> Windows.
> 
> I guess if it's possible and how to allow only cleartext passwords in FDS,
> since this, although not very secure, should face this subject.
> Rich, some hints?
> 
> Regards,
> Paolo.
> 
> 
> > Thanks for your help Rich.
> >
> >>>
> >>>
> >>> --
> >>> Fedora-directory-users mailing list
> >>> Fedora-directory-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>
> 
> ------------------------------------------------------------------------------------------------
> Paolo Barbato               email: mailto:paolo.barbato at igi.cnr.it
> Network Administrator   phone: (39-049)-829-5097
>                                              (39-049)-829-5000
> Corso Stati Uniti,4            www: http://www.igi.cnr.it
> 35127 Camin-Padova       PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
> ITALY                      JabberID: rfx_paolo_barbato at messenger.efda.org
> ------------------------------------------------------------------------------------------------
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
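
The point made in the thread above, as an added example that is not part of the original messages or of FDS's own code: a salted hash stored in the directory can only confirm a guessed password, while the value AD accepts on an LDAP password write has to be built from the cleartext, so only accounts whose password is changed after sync is set up can be pushed to AD. It assumes the directory stores {SSHA} values in userPassword; the sample entries, passwords and helper names (plan_sync, reset_list) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, candidate: str) -> bool:
    """A stored hash can only confirm a guess; it never yields the cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    check = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, check)

def ad_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd write format: the cleartext in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def plan_sync(entry: dict, cleartext: Optional[str] = None) -> dict:
    """Decide what can be sent to AD for one directory entry."""
    if cleartext is None:
        # Initial full sync: only the salted hash exists, nothing usable for AD.
        return {"dn": entry["dn"], "action": "needs_password_reset", "unicodePwd": None}
    if not ssha_verify(entry["userPassword"], cleartext):
        raise ValueError("cleartext does not match the stored hash")
    # Password-change time: the cleartext is in hand, so AD can be updated too.
    return {"dn": entry["dn"], "action": "sync_password",
            "unicodePwd": ad_unicode_pwd(cleartext)}

# Constructed sample entries (not from the thread).
ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "userPassword": ssha_hash("constructed-pw-1", b"\x01" * 8)},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "userPassword": ssha_hash("constructed-pw-2", b"\x02" * 8)},
]

def reset_list(entries: list) -> list:
    """DNs that still need a password change after a hash-only initial sync."""
    return [p["dn"] for p in map(plan_sync, entries)
            if p["action"] == "needs_password_reset"]

if __name__ == "__main__":
    print(reset_list(ENTRIES))
    print(plan_sync(ENTRIES[0], "constructed-pw-1")["unicodePwd"])
```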



