Christian A. Rodriguez
2008-Jan-08 17:59 UTC
[Fedora-directory-users] Windows Synchronization inbound changes problem
First of all I have to mention that Windows Users & Groups were created before Fedora Directory was installed, so when FDS was installed I started up with replicated Windows users in FDS without passwords being synchronized. Therefore, the scenario is a Windows tree with users (with passwords) & groups and FDS with users and groups replicated without their passwords.

I am trying to define a mechanism to reset every password in both directories so they begin to work synchronized.

Doing some tests, I realized that a change made in Windows is replicated into FDS binding as the user subject of the change, so as the entry doesn't have its password, the following lines are logged in FDS access log:

[08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2
[08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
[08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
[08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND

I haven't found any documentation about inbound changes, specifically password change, being done as the same user subject of the change. Is this true?

Thanks in advance, and sorry for my bad English

--
Lic. Christian A. Rodriguez
Rich Megginson
2008-Jan-10 01:35 UTC
Re: [Fedora-directory-users] Windows Synchronization inbound changes problem
Christian A. Rodriguez wrote:
> I haven't found any documentation about inbound changes, specifically
> password change, being done as the same user subject of the change. Is
> this true?

Yes. That's how it verifies the new password is valid.

> Thanks in advance, and sorry for my bad English
Christian A. Rodriguez
2008-Jan-10 02:54 UTC
Re: [Fedora-directory-users] Windows Synchronization inbound changes problem
Rich Megginson wrote:
> Christian A. Rodriguez wrote:
>> I haven't found any documentation about inbound changes, specifically
>> password change, being done as the same user subject of the change. Is
>> this true?
> Yes. That's how it verifies the new password is valid.

So, how can I define a procedure for initializing both directories? Are there any tips?

Thanks

--
Lic. Christian A. Rodriguez
Rich Megginson
2008-Jan-10 17:35 UTC
Re: [Fedora-directory-users] Windows Synchronization inbound changes problem
Christian A. Rodriguez wrote:
> So, how can I define a procedure for initializing both
> directories?

I'm not sure what you mean. For passwords, you just need to set/reset the clear text password on either side, either the AD side or the Fedora DS side. Assuming you have windows sync and password sync configured correctly, setting/resetting the clear text password on AD will sync it to Fedora DS, and vice versa.

> Are there any tips?
>
> Thanks
Christian A. Rodriguez
2008-Jan-10 17:53 UTC
Re: [Fedora-directory-users] Windows Synchronization inbound changes problem
Quoting Rich Megginson <rmeggins@redhat.com>:
> I'm not sure what you mean. For passwords, you just need to set/reset
> the clear text password on either side, either the AD side or the
> Fedora DS side. Assuming you have windows sync and password sync
> configured correctly, setting/resetting the clear text password on AD
> will sync it to Fedora DS, and vice versa.

The problem is that Active Directory passwords were set before FDS was installed. So, the initial synchronization of passwords didn't set FDS passwords, so changing the passwords in Active Directory will not update FDS passwords because of its way to sync passwords, i.e. binding to FDS as the user whose password is changed.

The only way to change passwords in both directories for users synchronized in Active Directory is resetting their passwords only in FDS, not in Windows because of the binding issue I mentioned.

Thanks

--
Lic. Christian A. Rodriguez
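
Added example, not part of the original thread: a small Python parser that pairs each BIND with its RESULT by conn/op in a Fedora DS access log and counts, per DN, the binds answered with err=49 (invalidCredentials), which is the pattern the verification bind in this thread leaves behind. The function name `failed_binds` and the USERYYY lines are constructed for illustration.

```python
import re
from collections import Counter

# Access-log lines quoted in the thread, plus one constructed successful
# bind (conn=1040, uid=USERYYY) added here for contrast.
SAMPLE_LOG = """\
[08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2
[08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
[08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
[08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND
[08/Jan/2008:15:52:10 -0300] conn=1040 op=0 BIND dn="uid=USERYYY,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2
[08/Jan/2008:15:52:10 -0300] conn=1040 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials
BIND_RESPONSE_TAG = 97     # BER tag of an LDAP BindResponse

def failed_binds(lines):
    """Return a Counter {bind DN: number of BINDs answered with err=49}."""
    pending = {}            # (conn, op) -> DN of a BIND awaiting its RESULT
    failures = Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue        # not an access-log record
        key = (m["conn"], m["op"])
        bind = BIND.match(m["rest"])
        if bind:
            pending[key] = bind["dn"]
            continue
        res = RESULT.match(m["rest"])
        if res and key in pending:
            dn = pending.pop(key)
            # Only a BindResponse with invalidCredentials counts; the err=50
            # tag=103 line on conn=1032 is a modify result and is skipped.
            if (int(res["tag"]) == BIND_RESPONSE_TAG
                    and int(res["err"]) == INVALID_CREDENTIALS):
                failures[dn] += 1
    return failures

if __name__ == "__main__":
    for dn, n in failed_binds(SAMPLE_LOG.splitlines()).items():
        print(f"{n} failed bind(s): {dn}")
```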