Dear list,

I repost original question on my troubles....anybody has any idea on why I'm facing such a problem ?

Regards,
Paolo.

>Thanks for reply, but I suspect I'm facing a different problem.
>
>Talking about SSL.
>
>As far as I understand SSL is used both for passync (AD -> FDS) and
>replication agreement (AD <-> FDS). Note two different tasks.
>
>In first case work cert.db8 certificates. I've installed on both AD
>and FDS, my CA certificate and FDS server certificate. Passync works
>without a hic. When I change password from windows it's exactly set
>on FDS.
>
>Replication agreement is based on cert.db8 on FDS and MS
>architecture on AD, I mean that I make use of mmc to install CA and
>AD server signed certificate.
>
>Replication seems also work, since I see that AD and FDS users are
>"merged" in one (almost) identical list. So users that were in AD
>are created on FDS and vice versa, with (almost) all parameters
>set.
>
>My problem arise when from a linux machine authenticated on FDS I
>issue and passwd change password. Really all seems go right, since
>FDS register new password, and also AD tell me that the change has
>been committed :
>
>first event
>User Account Changed:
>  Target Account Name: barbato
>  Target Domain: TEST
>  Target Account ID: TEST\barbato
>  Caller User Name: sync manager
>  Caller Domain: TEST
>  Caller Logon ID: (0x0,0x318F76)
>  Privileges: -
>  Changed Attributes:
>  Sam Account Name: -
>  Display Name: -
>  User Principal Name: -
>  Home Directory: -
>and after a while a second security event:
>
>User Account password set:
>  Target Account Name: barbato
>  Target Domain: TEST
>  Target Account ID: TEST\barbato
>  Caller User Name: sync manager
>  Caller Domain: TEST
>  Caller Logon ID: (0x0,0x318F76)
>
>
>But when I try to log on AD with this new password AD tell me that
>I'm using the wrong one. Note that also the previous doesn't work,
>and this confirm that it has been really changed.
>
>Anybody has faced this ? Some other things to look into ?
>
>Regards,
>Paolo.

--
Paolo Barbato          email: mailto:paolo.barbato@igi.cnr.it
Network Administrator  phone: (39-049)-829-5097
                              (39-049)-829-5000
Corso Stati Uniti,4    www: http://www.igi.cnr.it
35127 Camin-Padova     PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                  JabberID: rfx_paolo_barbato@messenger.efda.org

Hi,

I ran into a concrete wall...

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

To create a synchronization agreement:

* In the Directory Server Console, select the Configuration tab.
* In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

I followed the above steps in Fedora Directory Server... There is no option for New Synchronization Agreement... Perhaps it was removed or renamed???

--
Peter Santiago
peters@psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y@psinergybbs.com

Paolo -

Have you compared password complexity rules between AD and FD? They should be the same.

-Glenn.

---------- Original Message -----------
From: Paolo Barbato <paolo.barbato@igi.cnr.it>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Mon, 1 Oct 2007 08:28:12 +0200
Subject: Re: [Fedora-directory-users] fds vs passsync vs AD

> Dear list,
>
> I repost original question on my troubles....anybody has any idea on
> why I'm facing such a problem ?
>
> Regards,
> Paolo.
>
> >Thanks for reply, but I suspect I'm facing a different problem.
> >
> >Talking about SSL.
> >
> >As far as I understand SSL is used both for passync (AD -> FDS) and
> >replication agreement (AD <-> FDS). Note two different tasks.
> >
> >In first case work cert.db8 certificates. I've installed on both AD
> >and FDS, my CA certificate and FDS server certificate. Passync works
> >without a hic. When I change password from windows it's exactly set
> >on FDS.
> >
> >Replication agreement is based on cert.db8 on FDS and MS
> >architecture on AD, I mean that I make use of mmc to install CA and
> >AD server signed certificate.
> >
> >Replication seems also work, since I see that AD and FDS users are
> >"merged" in one (almost) identical list. So users that were in AD
> >are created on FDS and vice versa, with (almost) all parameters
> >set.
> >
> >My problem arise when from a linux machine authenticated on FDS I
> >issue and passwd change password. Really all seems go right, since
> >FDS register new password, and also AD tell me that the change has
> >been committed :
> >
> >first event
> >User Account Changed:
> >  Target Account Name: barbato
> >  Target Domain: TEST
> >  Target Account ID: TEST\barbato
> >  Caller User Name: sync manager
> >  Caller Domain: TEST
> >  Caller Logon ID: (0x0,0x318F76)
> >  Privileges: -
> >  Changed Attributes:
> >  Sam Account Name: -
> >  Display Name: -
> >  User Principal Name: -
> >  Home Directory: -
> >and after a while a second security event:
> >
> >User Account password set:
> >  Target Account Name: barbato
> >  Target Domain: TEST
> >  Target Account ID: TEST\barbato
> >  Caller User Name: sync manager
> >  Caller Domain: TEST
> >  Caller Logon ID: (0x0,0x318F76)
> >
> >
> >But when I try to log on AD with this new password AD tell me that
> >I'm using the wrong one. Note that also the previous doesn't work,
> >and this confirm that it has been really changed.
> >
> >Anybody has faced this ? Some other things to look into ?
> >
> >Regards,
> >Paolo.
>
> --
> Paolo Barbato          email: mailto:paolo.barbato@igi.cnr.it
> Network Administrator  phone: (39-049)-829-5097
>                               (39-049)-829-5000
> Corso Stati Uniti,4    www: http://www.igi.cnr.it
> 35127 Camin-Padova     PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
> ITALY                  JabberID: rfx_paolo_barbato@messenger.efda.org

------- End of Original Message -------
Peter Santiago
2007-Oct-03 04:57 UTC
[Fedora-directory-users] need for Winsync clarification

Hi,

I ran into a concrete wall...

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

To create a synchronization agreement:

1. In the Directory Server Console, select the Configuration tab.
2. In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

I followed the above steps in Fedora Directory Server... There is no option for New Synchronization Agreement... Perhaps it was removed or renamed???

--
Peter Santiago
peters@psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y@psinergybbs.com

David Boreham
2007-Oct-03 05:12 UTC
Re: [Fedora-directory-users] need for Winsync clarification

Peter Santiago wrote:

> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
>
> To create a synchronization agreement:
>
> 1. In the Directory Server Console, select the Configuration tab.
> 2. In the left-hand navigation tree, right-click on the suffix to
>    sync, and select New Synchronization Agreement. You can also
>    highlight the suffix, and select Menu>Object>New Synchronization
>    Agreement.
>
> I followed the above steps in Fedora Directory Server... There is no
> option for New Synchronization Agreement... Perhaps it was removed or
> renamed???

I think the menu item is disabled until the changelog is configured. Strangely, the winsync docs appear to fail to mention this step. This is the best documentation I could find on enabling the changelog : http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1100336
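
If the changelog is what is missing, as the reply above suggests, it can also be enabled by adding the changelog entry to the server configuration directly instead of through the console. The LDIF below is an added example, not part of the original thread; the directory path is a placeholder for the instance's own changelog directory.

```ldif
# Added example: enable the replication changelog on a Fedora Directory Server instance.
# The entry lives under cn=config; the server creates the changelog database
# in the directory named by nsslapd-changelogdir.
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
# Placeholder path (assumption): replace with a directory owned by the server's
# runtime user inside this instance's data area.
nsslapd-changelogdir: /path/to/slapd-INSTANCE/changelogdb
```

Add the entry while bound as the Directory Manager (for example with ldapmodify), then check the suffix's context menu in the console again.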