Windows Sync (via changelog) only works with front-ends sending unencrypted passwords

lambam80 at hotmail.com wrote:
> Hello everybody and a BIG thanks to Rich, and the rest of you, for 
> your kind aid. Can you please help with something else ?
>  
> HISTORY
> -------
>  
> We're currently investigating using Windows SYNC but only the password 
> part of the SYNC functionality - no accounts.
>  
> My prototype works fine - if I change a password with Windows
> Ctrl+Alt+Del it is propagated to Red Hat Directory Server (RHDS). If I
> change the RHDS password with a simple front end it is propagated to
> Windows Active Directory (Netscape console, for example, or a script
> with userpassword: secret-password).
>  
> I read the following:
> Directory Server passwords are synchronized along with other entry 
> attributes because plain-text passwords are retained in the Directory 
> Server changelog.
> Source: 
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync
>  
> PROBLEM ?
> ---------
>  
> I think this only works with RHDS and password changing front-ends 
> that send the password unencrypted.
>  
> For example, if I do something like the following with RHDS:
>  
> ./ldapmodify -P "/root/.mozilla/firefox/acu5w0yl.default/cert8.db" -c \
>   -h ${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w $DESTDN_PASSWORD <<EOF
> dn: uid=${TGI},ou=People,${DEST_SUFFIX}
> changetype: modify
> replace: userpassword
> userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=
> EOF
>  
> Note: Please note the {SHA} stuff in 'userpassword'.
>  
> I cannot see how, using the changelog, RHDS can unencrypt the password
> from {SHA} so as to re-encode it in unicodePwd for sending to
> Active-Directory.
> unicodePwd: good link
> http://www.eyrie.org/~eagle/journal/2007-07/010.html
>  
> My tests show that it doesn't work: After running the script I cannot
> login to Windows using my account/secret-password.
>  
> If however, I change my script to use the password unencrypted
> (userpassword: secret-password) the propagation works again and I can
> log into my Windows client.
>  
> Q1. Am I correct that it only works with RHDS front-ends that send the
> password unencrypted?
Yes.  SHA and other hashes are one way only - it is practically 
impossible to convert a SHA hash to the original clear text password.  
In addition, AD must have the clear text password sent to it in order 
for it to generate its hashes and keys used for Windows authentication.
> Thanks,
>
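The point made in the reply above, as an added example that is not part of the thread and not Directory Server or Windows Sync code: the {SHA} and {SSHA} userPassword formats (unsalted base64(sha1(pw)) and base64(sha1(pw + salt) + salt)) can be checked against a candidate password but cannot be reversed, while AD's unicodePwd needs the clear-text password in double quotes, UTF-16LE encoded, as the linked eyrie.org article describes. The function names and the sample values are my own.

```python
"""Why password sync to AD needs the clear-text password.

Directory Server stores userPassword hashed ({SHA}, {SSHA}, ...). Active
Directory's unicodePwd must receive the clear-text password (quoted,
UTF-16LE) because AD derives its own hashes and keys from it. A stored
hash can only be verified, never turned back into unicodePwd.
"""
import base64
import hashlib
import hmac
import os


def make_sha_userpassword(password: str) -> str:
    """Unsalted {SHA} value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha_userpassword(password: str, salt=None) -> str:
    """Salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(candidate: str, stored: str) -> bool:
    """Check a candidate against a stored {SHA}/{SSHA}/clear-text value.

    This is the only operation a one-way hash supports: recompute and compare.
    """
    if stored.startswith("{SHA}"):
        expected = make_sha_userpassword(candidate)
        return hmac.compare_digest(expected, stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(recomputed, digest)
    # No scheme prefix: the front end sent a clear-text value
    return hmac.compare_digest(candidate, stored)


def encode_unicode_pwd(password: str) -> bytes:
    """AD unicodePwd wire format: the password wrapped in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_from_changelog(userpassword_value: str):
    """What a sync agent can do with the userPassword value it sees in the changelog.

    Returns the unicodePwd bytes when the value is clear text, or None when the
    value is already hashed: there is no inverse of SHA-1 to recover the password,
    so nothing usable can be sent to AD (constructed behaviour, not Windows Sync's code).
    """
    if userpassword_value.startswith("{"):
        return None
    return encode_unicode_pwd(userpassword_value)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory
    stored_hash = make_sha_userpassword("secret-password")
    print("stored:", stored_hash)
    print("verify ok:", verify_userpassword("secret-password", stored_hash))
    print("from clear text:", unicode_pwd_from_changelog("secret-password"))
    print("from hash:", unicode_pwd_from_changelog(stored_hash))
```

Running this shows the asymmetry: the clear-text change yields a unicodePwd value, the hashed change yields nothing, which is exactly the behaviour the tests in the thread observed.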
