[389-users] Password sync

Hello,

Jean-Noël Chardron wrote:
> Hello,
>
> I have a network with two Windows 2000 servers. I suppose one is
> master (or primary) and one is secondary; I don't know exactly the
> vocabulary of Windows. The AD is "replicated" over the two Windows servers.
>
> I installed synchronization between the FDS server and the AD on a
> host (say the Windows-1 server), with a replication agreement,
> then I installed the password sync on the Windows-1 host.
> All is OK when the password is changed on the Windows-1 server: the
> password is synchronized to the FDS.
>
> Now when a user changes his password on a Windows XP station in the AD
> (the operation is CTRL+ALT+DEL then change password), the password is
> not necessarily synced to the FDS.
> My hypothesis: it seems it depends on which Windows server the
> password has been changed on. Sometimes the password is synced when, I
> suppose, the Windows1 server answers the request to change the
> password, but when the Windows2 server answers, then the password is
> not synced.
>
> Is my hypothesis correct?
Yes, it is correct.
The password is captured in clear by the passsync service on the AD server
which is used by the workstation for the password change operation.
The master AD server gives the password to slave servers in non-clear mode,
and the encrypted password cannot be captured by the passsync service.


> Can I install the password sync program on the other Windows2 server
> even if the replication agreement is between FDS and the Windows1 server?
> What will the behavior be?
No, you can't.

In the AD-FDS synchronization architecture, only one synchronization is
allowed.
If you install two passsync services on two AD servers, you risk
creating problems in replication.

cf : http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
"WARNING : There can only be a single sync agreement between the 
Directory Server environment and the Active Directory environment. 
Multiple sync agreements to the same Active Directory domain can create 
entry conflicts."

This is the point of failure of the FDS/windows sync architecture.


regards

-- 
* Hugo Étiévant *
*INRP/SCI*



