[Fedora-directory-users] Windows Sync
Rich Megginson
rmeggins at redhat.com
Mon Dec 17 15:35:01 UTC 2007
Paolo Barbato wrote:
> Scott,
>
> On 15/dic/07, at 02:39, Scott Belnap wrote:
>
>>
>> On Fri, 2007-12-14 at 18:14 -0700, Rich Megginson wrote:
>>> Scott Belnap wrote:
>>>> I have a fresh AD install and have set up a Windows Sync between
>>>> FDS and AD, and am able to populate AD with all my FDS accounts. My
>>>> issue is that when I first do the initial full synchronization, FDS
>>>> won't populate AD with the passwords. The only way I can get FDS to
>>>> populate the password in AD is if I manually change the users'
>>>> password on FDS. Can anyone give me some advice on how to get the
>>>> passwords to sync on the first full sync process?
>>>>
>>> The problem is that the passwords in FDS are hashed, and AD has no way
>>> to read those hashes - AD requires the cleartext password in order to
>>> hash/encrypt it with its various nefarious schemes. So even if the
>>> passwords were sent over to AD in the initial sync, they would be
>>> useless on AD.
>>>> Mahalo!
>>
>> So I have to find some way to get the cleartext passwords to populate AD
>> or have all users reset their passwords. ...Wow...
>>
> I've sent a couple of mails on this subject, and now finally I see some
> answer.
>
> I paste a table from a previous e-mail:
>
>> 1) password changed on AD is properly replicated on FDS
>> 2) password changed on FDS (console) is properly replicated on AD
>> 3) password changed on Linux (via LdapPam) is not replicated on AD. I
>> suspect some encoding issues, since logs seem OK.
>
>
> So it appears that when FDS knows the cleartext password, it's able to
> sync with AD (2). This is not true when it syncs by reading an already
> stored hashed password. See Rich's answer. This explains (3), because
> first the hashed Linux password is stored in FDS and then FDS tries
> to change it in AD, sending "useless" data. Right?
>
> I'm trying to set up an external web interface and force my users to use
> only that. One other way is to allow users to change their password only
> from Windows.
>
> I wonder if it's possible, and how, to allow only cleartext passwords in
> FDS, since this, although not very secure, should address this subject.
> Rich, some hints?
Sure. Just set the password hash in the password policy to CLEAR.
>
> Regards,
> Paolo.
>
>
>> Thanks for your help Rich.
>>
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>
>
> ------------------------------------------------------------------------------------------------
>
> Paolo Barbato          email: mailto:paolo.barbato at igi.cnr.it
> Network Administrator  phone: (39-049)-829-5097
>                               (39-049)-829-5000
> Corso Stati Uniti,4    www: http://www.igi.cnr.it
> 35127 Camin-Padova     PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
> ITALY                  JabberID: rfx_paolo_barbato at messenger.efda.org
> ------------------------------------------------------------------------------------------------
>
>
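As an added example, not code from this thread or from the Fedora Directory Server project: the Python script below audits an LDIF export of the FDS user tree for the situation Rich and Paolo describe. It separates accounts whose stored userPassword is a hash (which an initial Windows Sync cannot carry to AD, so the user must set a new password through a path where FDS sees the cleartext) from accounts whose value is stored in clear. The sample entries and password values are constructed; the attribute name passwordStorageScheme on cn=config is the FDS/389 setting behind Rich's "set the password hash in the password policy to CLEAR" and is not named in the thread; treating a value with no {scheme} prefix as cleartext is an assumption stated in the code.

```python
"""Audit an FDS/389 LDIF export for passwords an initial Windows Sync cannot
carry to AD (hashed values) versus those it can (cleartext values)."""
import base64
import re

# Constructed sample export (not real directory data): each account shows a
# different userPassword storage form a first full sync may encounter.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword: {CLEAR}constructed-sample-password

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword:: e0NSWVBUfWFiYw==

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
userPassword: constructed-sample-no-prefix

dn: uid=erin,ou=People,dc=example,dc=com
uid: erin
"""

# LDIF change record for the global password policy. The attribute name
# passwordStorageScheme on cn=config is the FDS/389 setting; the thread itself
# only says "set the password hash in the password policy to CLEAR".
POLICY_CLEAR_LDIF = """\
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: CLEAR
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and returns a list of {attribute: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # folded continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # tolerate lines this small reader does not model
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value):
    """Return (kind, scheme). kind is 'clear' when FDS still holds the text it
    could send to AD and 'hashed' otherwise. Assumption: a value with no
    {scheme} prefix was stored as typed and is therefore cleartext."""
    m = SCHEME_RE.match(value)
    if not m:
        return "clear", None
    scheme = m.group(1).upper()
    return ("clear" if scheme == "CLEAR" else "hashed"), scheme


def audit(ldif_text):
    """Bucket accounts by whether their stored password survives a first full sync."""
    report = {"syncable": [], "needs_reset": [], "no_password": []}
    for entry in parse_ldif(ldif_text):
        name = entry.get("uid", entry.get("dn", ["?"]))[0]
        values = entry.get("userPassword", [])
        if not values:
            report["no_password"].append(name)
            continue
        kind, scheme = classify_password(values[0])
        bucket = "syncable" if kind == "clear" else "needs_reset"
        report[bucket].append((name, scheme))
    return report


if __name__ == "__main__":
    for bucket, accounts in audit(SAMPLE_LDIF).items():
        print(f"{bucket}: {accounts}")
```

The "needs_reset" bucket is the list Scott was missing: those accounts will never pick up a usable password in AD from the initial sync, no matter how many times it runs, because the hash cannot be turned back into the cleartext AD needs. Switching the policy to CLEAR (the POLICY_CLEAR_LDIF record, applied with ldapmodify as Directory Manager) only affects passwords set after the change, which is why Paolo's case (3) still needs each user to set a new password once through a path FDS handles itself.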