Ldap Tester wrote:

> On Wed, Jan 27, 2010 at 7:43 PM, Ldap Tester <ldap.tester at gmail.com> wrote:
>
>>> On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <ldap.tester at gmail.com> wrote:
>>>
>>>> I have two 389 servers, one under Fedora 12 and one under Fedora 11.
>>>> They have the following packages:
>>>>
>>>> 389-admin-1.1.9-1.fc12.x86_64
>>>> 389-admin-console-1.1.4-2.fc12.noarch
>>>> 389-admin-console-doc-1.1.4-2.fc12.noarch
>>>> 389-adminutil-1.1.8-4.fc12.x86_64
>>>> 389-console-1.1.3-5.fc12.noarch
>>>> 389-ds-1.1.3-5.fc12.noarch
>>>> 389-ds-base-1.2.5-1.fc12.x86_64
>>>> 389-ds-base-devel-1.2.5-1.fc12.x86_64
>>>> 389-ds-console-1.2.0-5.fc12.noarch
>>>> 389-ds-console-doc-1.2.0-5.fc12.noarch
>>>> 389-dsgw-1.1.4-1.fc12.x86_64
>>>>
>>>> 389-admin-1.1.8-4.fc11.x86_64
>>>> 389-admin-console-1.1.4-1.fc11.noarch
>>>> 389-admin-console-doc-1.1.4-1.fc11.noarch
>>>> 389-adminutil-1.1.8-3.fc11.x86_64
>>>> 389-console-1.1.3-4.fc11.noarch
>>>> 389-ds-1.1.3-4.fc11.noarch
>>>> 389-ds-base-1.2.5-1.fc11.x86_64
>>>> 389-ds-base-devel-1.2.5-1.fc11.x86_64
>>>> 389-ds-console-1.2.0-4.fc11.noarch
>>>> 389-ds-console-doc-1.2.0-4.fc11.noarch
>>>> 389-dsgw-1.1.4-1.fc11.x86_64
>>>>
>>>> They are set up as multi-masters.
>>>>
>>>> I also have a Windows 2003 Active Directory server.
>>>> I have password syncing set up between the AD and the Fedora 12 389 server.
>>>>
>>>> This has been working for several years.
>>>> I have recently noticed a problem that may have existed for some time now, maybe always.
>>>>
>>>> If I change a user password via Windows, everything works as expected.
>>>> The password changes on Windows and both Fedora machines.
>>>> If I change a user password via the Fedora 12 machine, the one that has the sync agreement with the Windows machine, again, everything works as expected.
>>>> The password changes on Windows and both Fedora machines.
>>>>
>>>> However, if I change a user password via the Fedora 11 machine, the one that does not have the sync agreement with the Windows machine, then the password changes on both Fedora machines, but NOT on the Windows machine.
>>>>
>>>> This is not how it is supposed to work, right?
>>>>
>>>> I have looked at all sorts of logs, and still have no clue as to the problem.
>>>> (I do not believe it is a Fedora 11 versus Fedora 12 problem.)
>>>> Does anybody have any ideas?
>>>
>>> I had the same scenario.
>>>
>>> Remember that the encrypted passwords are not synchronized with Windows.
>>>
>>> When you change your password on your F11, it is stored encrypted. Then MMR transmits the encrypted userPassword to your F12. Therefore, the password does not synchronize with Windows, since, as already mentioned, it is encrypted.
>>>
>>> In my case, I decided to change to a master/slave scenario. Thus, your F11 will be read-only and such changes will be forwarded to your F12 (this includes passwd), which will be written.
>>>
>>> Greetings
>>>
>>> P.D.: I apologize for my poor English.
>>> --
>>> Sergio A. Morales <sergiomorales at archlinux.cl>
>>> uSCI & CSRG Sysadmin
>>> Archlinux Chile
>>
>> But I have set
>> pam_password clear
>> in /etc/ldap.conf on both Fedora machines.
>> I rely on SSL for security.
>> I had to do this in order to get password syncing with Windows to work at all.
>>
>> Shouldn't that take care of the problem you describe above?
>
> Also, look at
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html
> figure 9.2
> That implies that it should work with my setup, right?

It should, but that doc appears to be wrong.

--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
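As an added illustration of the pam_ldap setting discussed in the thread (not a configuration posted by any participant), here is a client-side /etc/ldap.conf fragment contrasting the client-side hashing mode, under which 389 DS never sees a cleartext change, with the pam_password clear mode the poster uses; the hostname, base DN and CA bundle path are assumed placeholders:

```conf
# /etc/ldap.conf (pam_ldap) on a client machine.  Hostname, base DN and
# CA bundle path below are assumed placeholders, not values from the thread.

# Point clients at the master that holds the Windows sync agreement
# (the Fedora 12 server in the thread); the thread's finding is that a
# change made on the other master is replicated only as a stored hash.
uri ldaps://ds-f12.example.com/
base dc=example,dc=com

# Transport protection: a cleartext password must only ever leave the
# client inside a verified TLS session.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca-bundle.crt

# Breaks Windows sync: pam_ldap hashes the password itself and writes the
# hash into userPassword, so the directory never receives a cleartext
# value it could forward to Active Directory.
#pam_password crypt

# What the poster relies on: hand the cleartext password to 389 DS over
# TLS so the password change is visible to the Windows sync agreement.
pam_password clear
```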