Alexandre Augusto da Rocha wrote:
> I am using RHDS instead of FD, so if this issue has been addressed in
> FD please forgive me.
>
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
>
> Only one master is set up to sync to AD, which is the standard setup.
> Since password sync uses clear text to replicate to AD, password
> changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the
> hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be
> the actual clear text pw and attempts to use it to log in to RHDS1.
> This creates a loop where one server keeps sending what it believes to
> be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD
> it will not fix my problem as even if RHDS2 sends the password ok to
> AD, RHDS1 will still try to send the update it received from RHDS2.
> Is this assumption correct?

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893

> What is the best course of action? How can I tell if a password
> update is done on the server or pushed thru replication?
>
> ------------------------------------------------------------------------
>
> Subject: Password replication problems between a multi-master system and AD
> From: Alexandre Augusto da Rocha <augusto.rocha at augustschell.com>
> Date: Mon, 19 Mar 2007 19:23:17 -0500
> To: fedora-directory-users at redhat.com