Scott,
On 15/dic/07, at 02:39, Scott Belnap wrote:
On Fri, 2007-12-14 at 18:14 -0700, Rich Megginson wrote:
Scott Belnap wrote:
I have a fresh AD install and have set up a Windows Sync between
FDS and
AD am able to populate AD with all my FDS accounts. My issue is
when I
first make the initial full synchronization FDS won't populating
AD with
the passwords. The only way I can get FDS to populate the
password in
AD is if I manually change the users' password on FDS. Can anyone
give
me some advice on how to get the passwords to sync on the first full
sync process.
The problem is that the passwords in FDS are hashed, and AD has no
way
to read those hashes - AD requires the cleartext password in order to
hash/encrypt it with its various nefarious schemes. So even if the
passwords were sent over to AD in the initial sync, they would be
useless on AD.
Mahalo!
So I have to find some way to get the cleartext passwords to
populate AD
or have all users reset their passwords. ...Wow...
I've sent a couple of mail on this subject, and now finally I see some
answer.
I paste a table from a previous e-mail:
1)password changed on AD is properly replicated on FDS
2)password changed on FDS (console) is properly replicated on AD
3)password changed on Linux (via LdapPam) is not replicated on AD. I
suspect some encoding issues, since logs seem OK.
So it appears, that when FDS knows cleartext password, it's able to
make a sync with AD (2). This is not true when it make a sync reading
already stored hashed password. See Rich answer. This explain (3)
because first linux password hashed is stored in FDS and then FDS try
to change it in AD, sending "useless" data. Right ?
I'm tring to setup an external web interface and force my users to use
only that. One other way is allow users to change password only from
windows.
I guess if it's possible and how allow only cleartext password in FDS,
since this, althought not too much secure, should face this subject.
Rich some hints ?
Regards,
Paolo.
Thanks for your help Rich.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------------------------------
Paolo Barbato email: mailto:paolo.barbato@xxxxxxxxxx
Network Administrator phone: (39-049)-829-5097
(39-049)-829-5000
Corso Stati Uniti,4 www: http://www.igi.cnr.it
35127 Camin-Padova PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY JabberID: rfx_paolo_barbato@xxxxxxxxxxxxxxxxxx
------------------------------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
