Paolo Barbato wrote:
Scott, On 15/dic/07, at 02:39, Scott Belnap wrote:I've sent a couple of mail on this subject, and now finally I see some answer.On Fri, 2007-12-14 at 18:14 -0700, Rich Megginson wrote:Scott Belnap wrote:I have a fresh AD install and have set up a Windows Sync between FDS and AD am able to populate AD with all my FDS accounts. My issue is when I first make the initial full synchronization FDS won't populating AD withthe passwords. The only way I can get FDS to populate the password inAD is if I manually change the users' password on FDS. Can anyone giveme some advice on how to get the passwords to sync on the first full sync process.The problem is that the passwords in FDS are hashed, and AD has no way to read those hashes - AD requires the cleartext password in order to hash/encrypt it with its various nefarious schemes. So even if the passwords were sent over to AD in the initial sync, they would be useless on AD.Mahalo!So I have to find some way to get the cleartext passwords to populate AD or have all users reset their passwords. ...Wow...I paste a table from a previous e-mail:1)password changed on AD is properly replicated on FDS 2)password changed on FDS (console) is properly replicated on AD3)password changed on Linux (via LdapPam) is not replicated on AD. I suspect some encoding issues, since logs seem OK.So it appears, that when FDS knows cleartext password, it's able to make a sync with AD (2). This is not true when it make a sync reading already stored hashed password. See Rich answer. This explain (3) because first linux password hashed is stored in FDS and then FDS try to change it in AD, sending "useless" data. Right ?I'm tring to setup an external web interface and force my users to use only that. One other way is allow users to change password only from windows.I guess if it's possible and how allow only cleartext password in FDS, since this, althought not too much secure, should face this subject. Rich some hints ?
Sure. Just set the password hash in the password policy to CLEAR.
Regards, Paolo.Thanks for your help Rich.-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users------------------------------------------------------------------------------------------------Paolo Barbato email: mailto:paolo.barbato@xxxxxxxxxx Network Administrator phone: (39-049)-829-5097 (39-049)-829-5000 Corso Stati Uniti,4 www: http://www.igi.cnr.it35127 Camin-Padova PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgpITALY JabberID: rfx_paolo_barbato@xxxxxxxxxxxxxxxxxx-------------------------------------------------------------------------------------------------- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
