Johan Venter wrote:
> Hi all,
>
> I have the following situation:
> - ds1 running 1.2.6.a3
> - ds2 running 1.2.5.rc3 (yes, I will get around to bringing them up to
>   the same version soon)
> - Multi-master replication agreements between both hosts
> - A synchronisation agreement to a Windows 2008 AD on ds1
>
> Although I am sure I have tested password changes on ds2 synchronising
> to ds1 and then to the AD, I have recently put ds2 in production and found
> that this is not working. To be more specific:
> - Password changes on Windows work fine, as the Password Sync service
>   picks them up, pushes them to ds1, which then replicates the change
>   to ds2
> - Password changes on ds1 work fine, are replicated to ds2 and are
>   synchronised to AD
> - Password changes on ds2 replicate to ds1, and while there are
>   entries in the Replication log on ds1 for a modification to the AD,
>   the Windows password is not changed
>
> Looking at the documentation at
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html#Windows_Sync-About_Windows_Sync
> there are no caveats mentioned regarding multi-master replication and AD
> password sync; in fact their provided architecture diagram (lower part
> of the page) seems to indicate it should work in this situation.

I guess we should make it clear, because it does not work. See https://bugzilla.redhat.com/show_bug.cgi?id=182507

> Furthermore, the text backs this up with:
>
> "The Directory Server relies on the Multi-Master Replication Plug-in to
> synchronize user and group entries. The same changelog that is used for
> multi-master replication is also used to send updates from the Directory
> Server to Active Directory as LDAP operations."
>
> and
>
> "Directory Server passwords are synchronized along with other entry
> attributes because plain-text passwords are retained in the Directory
> Server changelog."
>
> I did search the mailing list and turned up
> http://lists.fedoraproject.org/pipermail/389-users/2010-January/010903.html
> but I was hoping there is a different answer 6 months on. It seems to me
> that if 389 is storing password changes in the clear in the changelog,
> it should be able to push this cleartext password to AD when ds1
> gets the replication?
>
> Alternatively, if this is absolutely just not a supported feature, would
> it be possible to set up a second AD synchronisation agreement on ds2 to
> the AD but specify ONLY to sync userPassword attribute changes?
> (disabling the create/delete new user/group options in the sync
> agreement, of course, to try and not cause loops or other problems).
>
> The same documentation referenced above specifically says NOT to have
> different DSs syncing to the same AD domain, but does that still apply
> if it's a very limited attribute synchronisation?
>
> Any help appreciated.
>
> Cheers,
> Johan
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users