On Mon, 2017-07-03 at 11:21 -0300, Alberto Viana wrote:
> I have a replication setup (389 and AD):
>
> 389-Directory/1.3.2.19 B2014.201.1231
>
> We are implementing a password policy on both sides (and password expiration).
> When the account has expired on the AD side (it means that on the AD side I have
> the flag "user must change password" set on a user), when I try to change the
> password on the 389 side, I see the following error:
>
> [03/Jul/2017:10:47:07 -0300] NSMMReplicationPlugin - windows sync -
> agmt="cn=AD - GTI-DF-DC01" (gti-df-dc01:636): AD entry CN=Teste
> Marcelo,OU,test,DC=my,DC=domain set "user must change password at next
> logon".
>
> And the password is not changed on the AD side.
>
> I thought that it could be something about permissions on my replication login,
> so I made a script in Perl to change the password directly on my AD, and with
> this script (using the same login that I use for my replication) the
> password is changed.
>
> Can you describe to me in a little more detail how replication occurs? Or point me
> to why, when this flag is set, the replication plugin is not able to change
> the password on the AD side?
>
> My first guess is:
> The replication plugin tries to bind as this user first (to check if the user
> already has this password) and when it receives this error (user must change
> password), it does not try to change the password.

I don't think we try to bind as the user to change their password, because we can't always know the passwords are in sync.

I would have thought that the account that binds to AD to do the replication would lack the permission to do the password reset. Is there a flag on the AD account perhaps marking it for a force reset?

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
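The reply asks whether the AD account carries a flag marking it for a forced reset. The script below is an added diagnostic example written for this page; it is not code from 389-ds, the windows sync plugin, or either poster. It decodes the two AD attributes that decide the question (userAccountControl bits, and pwdLastSet = 0, which is how AD records "user must change password at next logon"), and builds the LDIF for an administrative unicodePwd reset so the operation the sync account needs permission for can be tried by hand with ldapmodify over LDAPS. The sample entry, DN and password are constructed; nothing here is read from a live directory.

```python
"""Added diagnostic helper (example code for this page, not from 389-ds):
decode the AD password-state attributes and build an admin reset LDIF."""
import base64
from datetime import datetime, timedelta, timezone

# userAccountControl bits, from the documented AD attribute values.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000040: "PASSWD_CANT_CHANGE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of the userAccountControl bits set in value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def must_change_at_next_logon(pwd_last_set):
    """AD stores 'user must change password at next logon' as pwdLastSet = 0."""
    return int(pwd_last_set) == 0


def filetime_to_datetime(filetime):
    """Convert a FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def assess_entry(entry):
    """Summarise the password state of an AD entry given as an attribute dict."""
    uac = entry.get("userAccountControl", "0")
    pls = entry.get("pwdLastSet", "0")
    forced = must_change_at_next_logon(pls)
    return {
        "flags": decode_uac(uac),
        "must_change_at_next_logon": forced,
        "user_may_change_password": not (int(uac) & 0x40),
        "password_last_set": None if forced else filetime_to_datetime(pls).isoformat(),
    }


def unicode_pwd_value(password):
    """AD expects unicodePwd as the new password wrapped in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def reset_ldif(dn, new_password):
    """LDIF for an administrative reset: a single replace of unicodePwd.

    A user-initiated change instead deletes the old value and adds the new one
    in one modify. The replace form needs the 'Reset password' right on the
    target entry and must be sent over an encrypted connection (LDAPS, as the
    agreement in the thread uses port 636).
    """
    b64 = base64.b64encode(unicode_pwd_value(new_password)).decode("ascii")
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + b64,
        "-",
        "",
    ])


# Constructed sample: a normal account flagged to change its password.
SAMPLE_ENTRY = {
    "dn": "CN=Example User,OU=test,DC=example,DC=com",
    "userAccountControl": "512",
    "pwdLastSet": "0",
}


if __name__ == "__main__":
    print(assess_entry(SAMPLE_ENTRY))
    print(reset_ldif(SAMPLE_ENTRY["dn"], "Example-Pass-1"))
```

To apply this to the case in the thread, fetch userAccountControl and pwdLastSet for the affected user with the same bind DN the sync agreement uses, pass them to assess_entry, and then feed reset_ldif output to ldapmodify over port 636 with that bind DN: if the reset is refused, the sync account lacks the right the plugin needs; if it succeeds, the flag state rather than permissions is what to look at next.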
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx