On 09/08/2009 01:04 PM, Morris, Patrick wrote:
> On Tue, 08 Sep 2009, Doug Tucker wrote:
>
>>>> OK! The logging was a tremendous help to at least seeing where the
>>>> failure is. When the password change is made on the PDC, PassSync DOES
>>>> catch it and replicate to 389. However, if the password change occurs
>>>> on the BDC, even though we see the change replicated to the PDC, PassSync
>>>> is NOT catching it and replicating to 389. Does anyone have any ideas?
>>>>
>>> I believe the Password Sync Service must be installed on every Active
>>> Directory domain controller.
>>>
>> It appeared that way for no other reason than it wasn't working, but I
>> can't find anything in the documentation to indicate that, and someone
>> else that responded indicated he sees the change after the BDC
>> replicates it to the PDC. Was just hoping for some official word that
>> states that this must be done.
>>
> I'm not seeing anything in the docs either,

Which docs are you referring to? Have a URL?

> but it would make sense,
> since I'm relatively sure that when the password syncs from one Active
> Directory replica to another (no such thing as PDCs and BDCs these days,
> y'know), I'd assume it's passing the hash and not the password, so
> there'd be no way to get it into your LDAP server.
>
> If that's the case (and I'm pretty sure it is), you'd need PassSync set
> up on all of your Active Directory servers, since any of them could be
> the one the user gave the actual password to.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
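The point Patrick makes above is that only the domain controller a user actually typed the new password into ever holds the cleartext; the other DCs receive just the hash through AD replication, so any DC without PassSync is a blind spot. The following PowerShell script is an added example, not code from the thread or from the 389 project, for inventorying that gap: it walks every domain controller and reports whether the PassSync Windows service is present and running. The service name `PassSync` is an assumption and should be verified against a DC where the service is known to be installed; the script otherwise uses only the ActiveDirectory module and Windows PowerShell's `Get-Service -ComputerName`.

```powershell
# Added example (not from the 389 thread or project): audit every AD domain
# controller for the PassSync service, since a DC without it will replicate
# a password hash to its peers but never forward the password to 389.
Import-Module ActiveDirectory

# ASSUMPTION: the PassSync Windows service is registered under this name.
# Confirm with `Get-Service | Where-Object DisplayName -like '*Pass*'` on a
# DC where it is installed, and adjust if your install differs.
$ServiceName = 'PassSync'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query the remote service control manager; a missing service returns $null
    # rather than throwing, so it can be recorded as "not installed".
    $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Installed        = [bool]$svc
        Status           = if ($svc) { $svc.Status } else { 'NotInstalled' }
    }
}

# Show DCs lacking the service first so the gaps stand out.
$results | Sort-Object Installed, DomainController | Format-Table -AutoSize

# Any DC on this list is one where a user's password change would reach AD
# (as a hash) but never reach the 389 server.
$missing = $results | Where-Object { -not $_.Installed -or $_.Status -ne 'Running' }
if ($missing) {
    Write-Warning ("PassSync missing or stopped on: " + ($missing.DomainController -join ', '))
}
```

Run it from a workstation or server with the RSAT ActiveDirectory module, as an account that can query services on the DCs. `Get-Service -ComputerName` is a Windows PowerShell (5.1) feature; on PowerShell 7 replace that call with `Invoke-Command -ComputerName $dc.HostName { Get-Service -Name $using:ServiceName }`.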