On Wed, Jan 27, 2010 at 7:43 PM, Ldap Tester <ldap.tester at gmail.com> wrote:

> On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <ldap.tester at gmail.com> wrote:
>
>> I have two 389 servers, one under fedora 12 and one under fedora 11.
>> They have the following packages:
>>
>> 389-admin-1.1.9-1.fc12.x86_64
>> 389-admin-console-1.1.4-2.fc12.noarch
>> 389-admin-console-doc-1.1.4-2.fc12.noarch
>> 389-adminutil-1.1.8-4.fc12.x86_64
>> 389-console-1.1.3-5.fc12.noarch
>> 389-ds-1.1.3-5.fc12.noarch
>> 389-ds-base-1.2.5-1.fc12.x86_64
>> 389-ds-base-devel-1.2.5-1.fc12.x86_64
>> 389-ds-console-1.2.0-5.fc12.noarch
>> 389-ds-console-doc-1.2.0-5.fc12.noarch
>> 389-dsgw-1.1.4-1.fc12.x86_64
>>
>> 389-admin-1.1.8-4.fc11.x86_64
>> 389-admin-console-1.1.4-1.fc11.noarch
>> 389-admin-console-doc-1.1.4-1.fc11.noarch
>> 389-adminutil-1.1.8-3.fc11.x86_64
>> 389-console-1.1.3-4.fc11.noarch
>> 389-ds-1.1.3-4.fc11.noarch
>> 389-ds-base-1.2.5-1.fc11.x86_64
>> 389-ds-base-devel-1.2.5-1.fc11.x86_64
>> 389-ds-console-1.2.0-4.fc11.noarch
>> 389-ds-console-doc-1.2.0-4.fc11.noarch
>> 389-dsgw-1.1.4-1.fc11.x86_64
>>
>> They are set up as multi masters.
>>
>> I also have a windows 2003 Active Directory server.
>> I have password sync'ing set up between the AD and the fedora 12 389 server.
>>
>> This has been working for several years.
>> I have recently noticed a problem that may have existed for some time now, maybe always.
>>
>> If I change a user password via windows, everything works as expected.
>> The password changes on windows and both fedora machines.
>> If I change a user password via the fedora 12 machine, the one that has the sync agreement with the windows machine, again, everything works as expected.
>> The password changes on windows and both fedora machines.
>>
>> However, if I change a user password via the fedora 11 machine, the one that does not have the sync agreement with the windows machine, then the password changes on both fedora machines, but NOT on the windows machine.
>>
>> This is not how it is supposed to work, right?
>>
>> I have looked at all sorts of logs, and still have no clue as to the problem.
>> (I do not believe it is a fedora 11 versus fedora 12 problem.)
>> Does anybody have any ideas?
>
> I had the same scenario.
>
> Remember that the encrypted passwords are not synchronized with Windows.
>
> When you change your password on your F11, it is stored encrypted. Then MMR transmits "userPassword" encrypted to your F12. Therefore, the password does not synchronize with Windows, since, as already mentioned, it is encrypted.
>
> In my case, I decided to change to a Master / Slave scenario. Thus, your F11 will be read only and such changes will be forwarded to your F12 (this includes passwd), which will be written.
>
> Greetings
>
> P.D.: I apologize for my poor English.
> --
> Sergio A. Morales <sergiomorales at archlinux.cl>
> uSCI & CSRG Sysadmin
> Archlinux Chile

But I have set
pam_password clear
in /etc/ldap.conf on both fedora machines.
I rely on ssl for security.
I had to do this in order to get password syncing with windows to work at all.

Shouldn't that take care of the problem you describe above?

Also, look at http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html figure 9.2

That implies that it should work with my setup, right?
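A quick diagnostic for the point Sergio raises above (the value replicated from the master without the sync agreement is a hash, which Windows Sync cannot forward), added here as an example and not code from the thread or from 389 DS: it parses LDIF exported from a master (constructed sample entries below), decodes the base64 form LDIF uses for userPassword, and reports whether each value is a stored hash such as {SSHA} or clear text. It assumes the export has no folded continuation lines.

```python
import base64
import re

# Constructed sample LDIF: alice's value is a {SSHA} hash (padding bytes stand
# in for a real digest), bob's is clear text. Real exports usually base64-encode
# userPassword with the "::" form, which parse_ldif_passwords handles.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}" + b"x" * 28).decode() + "\n"
    "\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "userPassword: secret123\n"
)


def parse_ldif_passwords(ldif_text):
    """Return {dn: raw userPassword bytes}; handles both ':' and '::' (base64)."""
    entries = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            entries[dn] = base64.b64decode(line[15:].strip())
        elif line.startswith("userPassword: ") and dn:
            entries[dn] = line[14:].strip().encode()
    return entries


def password_form(value):
    """Classify a stored value: 'clear', or the hash scheme name such as 'SSHA'."""
    m = re.match(rb"\{([A-Za-z0-9]+)\}", value)
    if not m:
        return "clear"
    scheme = m.group(1).decode().upper()
    return "clear" if scheme == "CLEAR" else scheme


def sync_forwardable(ldif_text):
    """Map each DN to True only if Windows Sync could forward the value to AD.
    A one-way hash cannot be turned back into the password AD needs."""
    return {dn: password_form(v) == "clear"
            for dn, v in parse_ldif_passwords(ldif_text).items()}


if __name__ == "__main__":
    for dn, ok in sync_forwardable(SAMPLE_LDIF).items():
        print(f"{dn}: {'forwardable' if ok else 'hashed, cannot sync to AD'}")
```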