Old 08-06-2010, 05:19 PM
Rich Megginson
Multi-master replication + AD password synchronisation

Johan Venter wrote:
> Hi all,
> I have the following situation:
> - ds1 running 1.2.6.a3
> - ds2 running 1.2.5.rc3 (yes, I will get around to bringing them up to
> the same version soon)
> - Multi-master replication agreements between both hosts
> - A synchronisation agreement to a Windows 2008 AD on ds1
> Although I am sure I have tested password changes on ds2 synchronising
> to ds1 then to the AD I have recently put ds2 in production and found
> that this is not working. To be more specific:
> - Password changes on Windows work fine, as the Password Sync service
> picks them up, pushes them to ds1, which then replicates the change
> to ds2
> - Password changes on ds1 work fine, are replicated to ds2 and are
> synchronised to AD
> - Password changes on ds2 replicate to ds1, and while there are
> entries in the Replication log on ds1 for a modification to the AD,
> the Windows password is not changed
> Looking at the documentation at
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html#Windows_Sync-About_Windows_Sync
> there are no caveats mentioned regarding multi-master replication and AD
> password sync, in fact their provided architecture diagram (lower part
> of the page) seems to indicate it should work in this situation.
I guess we should make it clear, because it does not work. See
> Furthermore, the text backs this up with:
> "The Directory Server relies on the Multi-Master Replication Plug-in to
> synchronize user and group entries. The same changelog that is used for
> multi-master replication is also used to send updates from the Directory
> Server to Active Directory as LDAP operations."
> and
> "Directory Server passwords are synchronized along with other entry
> attributes because plain-text passwords are retained in the Directory
> Server changelog."
> I did search the mailing list and turned up
> http://lists.fedoraproject.org/pipermail/389-users/2010-January/010903.html
> but I was hoping there is a different answer 6 months on. It seems to me
> that if 389 is storing password changes in the clear in the changelog
> that it should be able to push this cleartext password to AD when ds1
> gets the replication?
> Alternatively, if this is absolutely just not a supported feature, would
> it be possible to set up a second AD synchronisation agreement on ds2 to
> the AD but specify ONLY to sync userPassword attribute changes?
> (disabling the create/delete new user/group options in the sync
> agreement, of course, to try and not cause loops or other problems).
> The same documentation referenced above specifically says NOT to have
> different DSs syncing to the same AD domain, but does that still apply
> if it's a very limited attribute synchronisation?
> Any help appreciated.
> Cheers,
> Johan
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

389 users mailing list
