Bliss, Aaron
2006-Oct-31 03:17 UTC
[Fedora-directory-users] Trouble getting windows to talk to fds
Hi everyone,

I'm having trouble with the directions in the wiki that deal with getting windows to sync with fds; I'm having trouble with this step; there are 2 files in my /opt/fedora-ds/alias directory; 1 is the cert database, the other is the key database; are either of these the parameters that I'm supposed to be passing to the -P option below? Thanks for your help.

Aaron

* From your Fedora Directory Server, export the server certificate using pk12util.

    cd "/opt/fedora-ds/alias/"
    pk12util -d . -P slapd-<instance> -o servercert.p12 -n Server-Cert

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
Bliss, Aaron
2006-Oct-31 03:33 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
On a separate issue, when attempting to verify connectivity to the ad box, I'm receiving the following error; any ideas? Thanks.

    /shared/bin/ldapsearch: error while loading shared libraries: libssldap50.so: cannot open shared object file: No such file or directory
George Holbert
2006-Oct-31 03:39 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
"-P" takes the part of the filename leading up to "cert8.db" or "key3.db".
e.g.
Say you have:
slapd-example-cert8.db
slapd-example-key3.db
Then you would do this:
... -P slapd-example- ...
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Richard Megginson
2006-Oct-31 03:41 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> there are 2 files in my /opt/fedora-ds/alias directory; 1 is the cert database, the other is the key database; are either of these the parameters that I'm supposed to be passing to the -P option below?
>
>     cd "/opt/fedora-ds/alias/"
>     pk12util -d . -P slapd-<instance> -o servercert.p12 -n Server-Cert

Firstly, you only need this pk12 file for backup purposes - you don't need it to get FDS to talk to AD or vice versa.

Secondly, the argument to -P is the filename prefix of either your key or cert db file, e.g. if you have slapd-instance-cert8.db and slapd-instance-key3.db your -P argument will be "slapd-instance-" <- note the trailing "-" after "slapd-instance" - this is critical - it is part of the filename prefix and must not be omitted.
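Added example (not from the thread and not Fedora DS code) that applies the rule George and Richard give above: it derives the -P prefix from the cert8.db/key3.db pair in an alias directory, checks whether a given -P value actually resolves to both files (flagging the missing trailing "-"), and builds the pk12util command from the page. The sample alias directory is constructed in a temp dir; find_nss_prefixes and check_prefix are names chosen here.

```python
import os
import shlex
import tempfile

# NSS opens "<prefix>cert8.db" and "<prefix>key3.db" inside the -d directory,
# so the -P value is everything in the filename before those suffixes.
CERT_DB = "cert8.db"
KEY_DB = "key3.db"


def find_nss_prefixes(dbdir):
    """Return every -P prefix for which BOTH a cert db and a key db exist."""
    names = set(os.listdir(dbdir))
    prefixes = set()
    for name in names:
        if name.endswith(CERT_DB):
            prefix = name[: -len(CERT_DB)]
            if prefix + KEY_DB in names:
                prefixes.add(prefix)
    return prefixes


def nss_db_paths(dbdir, prefix):
    """The two paths NSS will try to open for a given -d/-P combination."""
    return (os.path.join(dbdir, prefix + CERT_DB),
            os.path.join(dbdir, prefix + KEY_DB))


def check_prefix(dbdir, prefix):
    """Return (ok, message): does this -P value resolve to existing databases?"""
    cert_path, key_path = nss_db_paths(dbdir, prefix)
    missing = [p for p in (cert_path, key_path) if not os.path.isfile(p)]
    if not missing:
        return True, "prefix %r resolves to %s and %s" % (prefix, cert_path, key_path)
    hint = ""
    # The mistake the thread warns about: dropping the trailing "-".
    if not prefix.endswith("-") and (prefix + "-") in find_nss_prefixes(dbdir):
        hint = " (missing trailing '-'? try %r)" % (prefix + "-")
    return False, "prefix %r: missing %s%s" % (prefix, ", ".join(missing), hint)


def pk12util_export_cmd(dbdir, prefix, nickname="Server-Cert", out="servercert.p12"):
    """The export command from the page as an argv list plus a shell-quoted string."""
    argv = ["pk12util", "-d", dbdir, "-P", prefix, "-o", out, "-n", nickname]
    return argv, " ".join(shlex.quote(a) for a in argv)


def make_sample_alias_dir():
    """Constructed stand-in for /opt/fedora-ds/alias: empty files with the right names."""
    d = tempfile.mkdtemp(prefix="alias-")
    for name in ("slapd-example-cert8.db", "slapd-example-key3.db", "secmod.db"):
        open(os.path.join(d, name), "wb").close()
    return d


def run_demo():
    d = make_sample_alias_dir()
    prefixes = find_nss_prefixes(d)                      # {'slapd-example-'}
    ok_good, _ = check_prefix(d, "slapd-example-")       # True
    ok_bad, msg_bad = check_prefix(d, "slapd-example")   # False, with the hint
    argv, _ = pk12util_export_cmd(".", "slapd-example-")
    return prefixes, ok_good, ok_bad, msg_bad, argv


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```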
Richard Megginson
2006-Oct-31 03:59 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> On a separate issue, when attempting to verify connectivity to the ad box, I'm receiving the following error; any ideas? Thanks.
>
>     ./shared/bin/ldapsearch: error while loading shared libraries: libssldap50.so: cannot open shared object file: No such file or directory

    cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
Bliss, Aaron
2006-Oct-31 13:31 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
That was it, thanks George.

Aaron
Bliss, Aaron
2006-Oct-31 13:31 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
Thanks very much; changing to the shared directory did the trick.

Aaron
Bliss, Aaron
2006-Oct-31 16:50 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
I must apologize for all of the questions, however this (getting windows to talk to fds) is very new to me; I believe that I have the ssl piece as far as the service is concerned configured properly; passsync service is installed to the ad box, however after rebooting I checked the logfile and noticed some errors:

    failed to load entries from file,
    ldap bind error,
    no such object
    Can not connect to ldap server in syncpasswords

It sounds like I have not configured the service properly to bind to the fds database; on the fds side of the house, I've configured an account called dn=psync,cn=config in the config ou (similar to setting up an account used for setting up a supplier/consumer setup, such that the account itself will not be replicated); I then installed the passsync service on the ad box using the following values:

    Host name: hostname of fds supplier server
    Port: 636
    Username: uid=psync,cn=config
    Password: same as user setup in database on fds box
    Cert token: password to local passsync database
    Search base: dc=mydomain,dc=org

Couple of questions; does it appear that I've set things up properly on both the fds side of the house and the ad side of the house? What is the best way to further troubleshoot this? Thanks again.

Aaron
Nathan Kinder
2006-Oct-31 16:56 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> It sounds like I have not configured the service properly to bind to the fds database
> [...]
> Couple of questions; does it appear that I've set things up properly on both the fds side of the house and the ad side of the house? What is the best way to further troubleshoot this? Thanks again.

The best thing to do when setting up Windows Sync is to go one step at a time. First get your user & group sync working. It will work just fine without setting up the PassSync service. Do you have this part working already?

If PassSync is having trouble binding to FDS, you should start troubleshooting by looking at the FDS access logs when PassSync attempts to connect. It sounds like the bind DN may be incorrect.

-NGK
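Added example (not from the thread or from FDS) of the triage Nathan recommends: it pairs BIND and RESULT lines from an FDS access log on conn=/op= and lists every bind that failed with its DN, client address and result code, so an incorrect bind DN (err=32, noSuchObject) is distinguishable from a wrong password (err=49). The log lines are constructed to follow the FDS/389 access log layout; the DNs and addresses in them are sample values, not the poster's.

```python
import re

# Constructed sample of FDS access log lines (not from the thread's server).
# Layout follows the FDS/389 access log: a connection line, then BIND and
# RESULT lines that correlate on conn= and op=.
SAMPLE_ACCESS_LOG = """\
[31/Oct/2006:16:40:01 -0500] conn=7 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.5
[31/Oct/2006:16:40:01 -0500] conn=7 op=0 BIND dn="uid=psync,cn=config" method=128 version=3
[31/Oct/2006:16:40:01 -0500] conn=7 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[31/Oct/2006:16:40:01 -0500] conn=7 op=1 UNBIND
[31/Oct/2006:16:41:30 -0500] conn=8 fd=65 slot=65 SSL connection from 192.0.2.10 to 192.0.2.5
[31/Oct/2006:16:41:30 -0500] conn=8 op=0 BIND dn="cn=psync,cn=config" method=128 version=3
[31/Oct/2006:16:41:30 -0500] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[31/Oct/2006:16:42:05 -0500] conn=9 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.5
[31/Oct/2006:16:42:05 -0500] conn=9 op=0 BIND dn="cn=psync,cn=config" method=128 version=3
[31/Oct/2006:16:42:05 -0500] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=psync,cn=config"
[31/Oct/2006:16:42:05 -0500] conn=9 op=1 SRCH base="dc=mydomain,dc=org" scope=2 filter="(objectClass=*)" attrs=ALL
[31/Oct/2006:16:42:05 -0500] conn=9 op=1 RESULT err=0 tag=101 nentries=12 etime=0
"""

# LDAP result codes that matter when a sync client cannot bind.
LDAP_ERR = {
    0: "success",
    32: "noSuchObject: the bind DN does not exist in the directory",
    49: "invalidCredentials: the DN exists but the password is wrong",
}

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND dn=\"([^\"]*)\"")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def bind_outcomes(log_text):
    """Pair every BIND with its RESULT; report DN, peer address and result code."""
    peers = {}      # conn id -> client address from the connection line
    pending = {}    # (conn, op) -> bind DN still waiting for its RESULT
    outcomes = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            peers[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        # Only RESULT lines whose (conn, op) belongs to a BIND are bind outcomes;
        # the search RESULT on conn=9 op=1 above is skipped.
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            outcomes.append({
                "conn": m.group(1),
                "peer": peers.get(m.group(1), "?"),
                "dn": dn or "(anonymous)",
                "err": err,
                "reason": LDAP_ERR.get(err, "LDAP result code %d" % err),
            })
    return outcomes


def failed_binds(log_text):
    """Only the binds that did not succeed: the first thing to check for a failing sync client."""
    return [o for o in bind_outcomes(log_text) if o["err"] != 0]


if __name__ == "__main__":
    for o in failed_binds(SAMPLE_ACCESS_LOG):
        print("conn=%s from %s: bind as %s failed: %s"
              % (o["conn"], o["peer"], o["dn"], o["reason"]))
```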
Bliss, Aaron
2006-Oct-31 21:27 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.

Aaron
Pete Rowley
2006-Oct-31 21:32 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.

To synchronize passwords as they change.

--
Pete
David Boreham
2006-Oct-31 21:41 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Pete Rowley wrote:
> Bliss, Aaron wrote:
>> I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.
>
> To synchronize passwords as they change.

Specifically, in the AD->FDS direction. Read here: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2878913 the paragraph beginning 'In addition to the entry synchronization mechanisms discussed above, the Password Sync Service is needed to catch password changes made on the Windows server..'
Bliss, Aaron
2006-Oct-31 21:43 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
Ok, I'm with you; now I noticed by default that the windows sync replication agreement will initially synchronize users that are in the users OU on the domain controller to the People ou in fds; it seems that I would want to change this and have the synchronization agreement bring the users over to the users ou in fds? If so, will it ignore (i.e. not overwrite) existing fds user accounts if there is a conflict; in other words, if the user john exists in fds and he exists with the same dn in active directory, will he get overwritten when synchronizing? Thanks again.

Aaron
Nathan Kinder
2006-Oct-31 21:44 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.

The PassSync service is only responsible for sending password changes initiated on the AD side to FDS. Any password that is changed on the FDS side will be sent to AD over the synchronization agreement along with other user & group changes. The synchronization agreement will also pull changes that happened on the AD side over to FDS.

The problem is that AD hashes the password differently than FDS does, so FDS needs access to the clear-text password. The only way for this to happen when a password change is initiated on the AD side is to have a password plug-in installed on the domain controller to get a copy of the clear-text password. This is exactly what the PassSync service does. It installs a plugin (passhook.dll) that receives the clear-text password which passsync.exe sends across to FDS over LDAPS.

Hopefully that clears things up.

-NGK
Bliss, Aaron
2006-Oct-31 21:46 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
That makes perfect sense, as I noticed that the replication agreement I created was a supplier/consumer agreement between fds and ad; now I have another question: if a new user is created in ad, since the fds box is the supplier, how will that uid be replicated to fds?

Aaron
Nathan Kinder
2006-Oct-31 22:49 UTC
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I created was a supplier/consumer agreement between fds and ad; now I have another question: if a new user is created in ad, since the fds box is the supplier, how will that uid be replicated to fds?

When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD->FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK
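The cookie exchange Nathan describes, as an added example that is not part of the thread or of the FDS code: it BER-encodes and decodes the DirSync control value (OID 1.2.840.113556.1.4.841; a SEQUENCE of flags, maxBytes and cookie, the same shape AD returns in the response control) and runs the pull loop against a small in-process stand-in for AD. FakeAD, pull_changes and the sample entries are assumptions made for the demonstration; a real client attaches this value to an LDAP search request against the domain controller.

```python
# DirSync control (MS-ADTS LDAP_SERVER_DIRSYNC_OID). The control value is
#   SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }
# and the response control carries the cookie to present on the next pull.
DIRSYNC_OID = "1.2.840.113556.1.4.841"
DIRSYNC_OBJECT_SECURITY = 0x00000001   # flag value as documented in MS-ADTS


def _ber_len(n):
    """Definite-length BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v):
    """BER INTEGER for a non-negative value (leading 0x00 keeps the sign bit clear)."""
    if v < 0:
        raise ValueError("only non-negative integers are used here")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big") if v else b"\x00"
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(b):
    return b"\x04" + _ber_len(len(b)) + b


def build_dirsync_value(flags, max_bytes, cookie=b""):
    """Encode the control value; an empty cookie asks for a full initial pull."""
    inner = _ber_int(flags) + _ber_int(max_bytes) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf, pos, expect_tag):
    """Read one tag/length/value at pos; return (value bytes, position after it)."""
    if buf[pos] != expect_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect_tag, buf[pos]))
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                     # long form: next (length & 0x7f) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def parse_dirsync_value(value):
    """Decode a request or response control value into (flags, max_bytes, cookie)."""
    inner, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    flags_b, p = _read_tlv(inner, 0, 0x02)
    max_b, p = _read_tlv(inner, p, 0x02)
    cookie, p = _read_tlv(inner, p, 0x04)
    if p != len(inner):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(flags_b, "big"), int.from_bytes(max_b, "big"), cookie


class FakeAD:
    """Stand-in for the AD side (assumption): a changelog whose cookie is the
    highest change number the client has already seen, encoded as 4 bytes."""

    def __init__(self):
        self.changes = []   # (change number, dn, attrs)

    def record(self, dn, attrs):
        self.changes.append((len(self.changes) + 1, dn, attrs))

    def search_with_dirsync(self, control_value):
        flags, max_bytes, cookie = parse_dirsync_value(control_value)
        since = int.from_bytes(cookie, "big") if cookie else 0
        new = [c for c in self.changes if c[0] > since]
        last = new[-1][0] if new else since
        response = build_dirsync_value(flags, max_bytes, last.to_bytes(4, "big"))
        return new, response


def pull_changes(ad, cookie):
    """One FDS-style pull: send the stored cookie, get changes plus the next cookie."""
    request = build_dirsync_value(DIRSYNC_OBJECT_SECURITY, 0x10000, cookie)
    entries, response = ad.search_with_dirsync(request)
    _, _, next_cookie = parse_dirsync_value(response)   # opaque to the client
    return [e[1] for e in entries], next_cookie


def run_demo():
    ad = FakeAD()
    ad.record("cn=john,cn=Users,dc=example,dc=org", {"sn": "Doe"})
    ad.record("cn=jane,cn=Users,dc=example,dc=org", {"sn": "Roe"})
    first, cookie = pull_changes(ad, b"")         # no cookie yet: everything
    ad.record("cn=jane,cn=Users,dc=example,dc=org", {"telephoneNumber": "555-0100"})
    second, cookie = pull_changes(ad, cookie)     # only what changed since
    third, cookie = pull_changes(ad, cookie)      # nothing new
    return first, second, third


if __name__ == "__main__":
    print(run_demo())
```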
Bliss, Aaron
2006-Oct-31 22:51 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
Thanks very much for your explanations; they have cleared up a lot of grey area for me.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan Kinder
Sent: Tuesday, October 31, 2006 5:49 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron
2006-Nov-01 02:52 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
This is a little scary; in testing in getting fds to talk to ad (we're running ad 2003, fds 1.0.2 on 2 redhat 4 boxes), sometimes (2 of 5 times so far) when changing a user's password from the fds console, it actually deletes the user from the active directory box !!! Has anyone else seen this behavior? What can I do to troubleshoot this? Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Bliss, Aaron
Sent: Tuesday, October 31, 2006 5:51 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron
2006-Nov-02 02:41 UTC
RE: [Fedora-directory-users] Trouble getting windows to talk to fds
I've found that by not mixing the old fds directory users with current ad users (i.e. doing a full sync for the users ou in ad to the People ou in fds and then manually fixing missing host attributes of the ad objects), this issue has been resolved; I have however found something else; I've found that some ad users didn't come over with the initial sync; turns out these accounts in ad don't have first or last names; after fixing these attributes, is there an easy way to make the users appear as new users to the fds synchronization mechanism so that those objects that were not originally synchronized will be brought over? Thanks again.

Aaron

-----Original Message-----
From: Bliss, Aaron
Sent: Tuesday, October 31, 2006 9:52 PM
To: Bliss, Aaron; General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Trouble getting windows to talk to fds