Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Rich Megginson wrote:
>>>> Emmanuel BILLOT wrote:
>>>>> Hi,
>>>>>
>>>>> We've installed FDS, AD and a replication agreement.
>>>>> FDS data/passwords sync with AD
>>>>> AD passwords sync with FDS.
>>>>>
>>>>> 2 problems are still unsolved:
>>>>> - AD modifications (name, surname, mail) are not sent or caught
>>>>> in FDS
>>>> I suppose you could enable the replication log level and see why
>>>> this is not working. Note that changes may take up to 5 minutes to
>>>> sync over to Fedora DS due to the way the sync works using the
>>>> DirSync control.
>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>> - Passwords are not recognized after a Full init.
>>>>> FDS => AD full init = unable to log on AD (even if we manually
>>>>> activate the account)
>>>> Right. Passwords are not synced during full init. Full init only
>>>> uses passwords in the database which are hashed and do not sync.
>>>>> FDS -> AD passwd update = passwd ok in AD
>>>> Right. Passwd update uses clear text passwords.
>>>>>
>>>>> Does anyone have an idea?
>>>>>
>>>>
>>> Ok.
>>> Is there any best practice when adding AD to a FDS?
>>> I don't think I will ask all users to update their password just for
>>> it...?
>> That's one of the main problems with Windows Sync/Pass Sync. There
>> is really no way to sync passwords - AD uses an unreversible
>> hash/encryption, and so does Fedora DS.
>> The Samba and freeIPA guys are working on ways to mitigate this
>> situation.
> I had an idea (maybe totally crazy)
> What happens if for each FDS entry, the password is updated with the
> same hashed value after init?
> Does WinSync require the cleartext password to work?

WinSync must have access to the clear text password to send it to AD, and vice versa - that's what passsync does - it intercepts the clear text password modification so that it can send the clear text password to Fedora DS.
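Added example, not part of the original thread and not Fedora DS or WinSync code: a Python sketch of why re-writing the same hashed value after a full init gives a sync nothing to send. It assumes the stored value uses the `{SSHA}` scheme and that the AD side is set through the LDAP `unicodePwd` attribute (the clear-text password in double quotes, UTF-16LE encoded); `password_for_ad` and the sample password are hypothetical.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build an {SSHA} userPassword value: base64(SHA1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, candidate):
    """A stored hash can confirm a guess, but it cannot be turned back into text."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    probe = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, probe)

def ad_unicode_pwd(cleartext):
    """Value AD accepts in unicodePwd: quoted clear text, UTF-16LE encoded."""
    return ('"' + cleartext + '"').encode("utf-16-le")

def password_for_ad(userpassword_value):
    """Hypothetical sync-side check (a simplification): a value that already
    carries a {SCHEME} prefix is a hash, so there is no clear text to forward."""
    if userpassword_value.startswith("{") and "}" in userpassword_value:
        return None
    return ad_unicode_pwd(userpassword_value)

if __name__ == "__main__":
    cleartext = "Str0ng-Example!"                  # constructed sample value
    stored = ssha_hash(cleartext, b"\x01" * 8)     # what a full init sees
    print("stored in FDS       :", stored)
    print("verifies clear text :", ssha_verify(stored, cleartext))
    print("re-written hash     :", password_for_ad(stored))      # None
    print("real password change:", password_for_ad(cleartext))   # bytes for AD
```

A password change that arrives as clear text yields a value that can be forwarded; a value replayed from the database does not, which is why only a real password change reaches the other side.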