Anne Cross
2009-Oct-20 16:56 UTC
[389-users] 389, Active Directory, PassSync, Multi-Masters, and multiple AD servers
We have two AD servers, and we're working on having four 389 Masters
geographically distributed, multi-mastered between them, etc, etc, etc.
The goal here is to stop having network hiccups take things out.
The AD servers talk to each other nigh-on instantaneously. Likewise for
the 389 servers. Is it safe to set up sync agreements to *both* AD
servers, in case one goes down? Likewise, is it safe to set up an
agreement to a single AD server on multiple masters, in case we lose one
master?
And for further fun, do I need to install PassSync on both AD servers?
Our windows admin wants to set it up on the password server, and the
documentation on RedHat's site doesn't say it specifically needs to be
on the AD box, but I'm wondering what happens if the password changes
circumvent the password server (an admin manually changes someone's
password on the AD server, for example.)
-- juniper (this is moderately hairy, but once it's worked out, I
will never need to touch it again, I hope)
--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
Rich Megginson
2009-Oct-20 18:36 UTC
Re: [389-users] 389, Active Directory, PassSync, Multi-Masters, and multiple AD servers
Anne Cross wrote:
> We have two AD servers, and we're working on having four 389 Masters
> geographically distributed, multi-mastered between them, etc, etc,
> etc. The goal here is to stop having network hiccups take things out.
>
> The AD servers talk to each other nigh-on instantaneously. Likewise
> for the 389 servers. Is it safe to set up sync agreements to *both*
> AD servers, in case one goes down?
No. See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and
https://bugzilla.redhat.com/show_bug.cgi?id=184155
> Likewise, is it safe to set up an agreement to a single AD server on
> multiple masters, in case we lose one master?
You might run into the same issues as specified in the bugs above.
>
> And for further fun, do I need to install PassSync on both AD
> servers? Our windows admin wants to set it up on the password server,
> and the documentation on RedHat's site doesn't say it specifically
> needs to be on the AD box, but I'm wondering what happens if the
> password changes circumvent the password server (an admin manually
> changes someone's password on the AD server, for example.)
You must install PassSync on each and every domain controller. That's
the only way PassSync can intercept the clear text password when someone
changes his/her password.
>
> -- juniper (this is moderately hairy, but once it's worked out, I
> will never need to touch it again, I hope)
>
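The two topologies Rich advises against (one 389 suffix synced to more than one AD domain controller, and one AD domain controller synced from more than one 389 master) are easy to introduce by accident once several masters are built from the same checklist. The script below is an added example, not code from this thread or from the 389 project: it parses LDIF dumps of the `cn=mapping tree,cn=config` subtree taken from each master, picks out the Windows Sync agreements, and reports either pattern. The agreement attribute names (`objectClass: nsDSWindowsReplicationAgreement`, `nsDS5ReplicaHost`, `nsds7WindowsDomain`, `nsds7DirectoryReplicaSubtree`, `nsds7WindowsReplicaSubtree`) are taken from the 389 DS schema; the host names, suffix and LDIF content are constructed sample data, not a real deployment.

```python
"""Audit 389 Directory Server Windows Sync agreements across several masters
for the two topologies the thread warns against:
  1. one master syncing the same directory subtree to more than one AD host;
  2. one AD host receiving the same subtree from more than one master.

Attribute names follow the 389 DS schema for Windows Sync agreements; the
LDIF below is a constructed sample (placeholder host names), not a real config.
"""
from collections import defaultdict

# Constructed LDIF excerpts, one per master, as dumped from
# cn=<agreement>,cn=replica,cn="<suffix>",cn=mapping tree,cn=config.
SAMPLE_DUMPS = {
    "master1.example.com": """\
dn: cn=to_ad1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: to_ad1
nsDS5ReplicaHost: ad1.example.com
nsDS5ReplicaPort: 636
nsds7WindowsDomain: EXAMPLE
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com

dn: cn=to_ad2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: to_ad2
nsDS5ReplicaHost: ad2.example.com
nsDS5ReplicaPort: 636
nsds7WindowsDomain: EXAMPLE
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
""",
    "master2.example.com": """\
dn: cn=to_ad1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: to_ad1
nsDS5ReplicaHost: ad1.example.com
nsDS5ReplicaPort: 636
nsds7WindowsDomain: EXAMPLE
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
""",
}


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping lower-cased attribute -> values.
    Entries are separated by blank lines; a line starting with one space is a
    folded continuation of the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def windows_sync_agreements(entries):
    """Keep only the entries that are Windows Sync agreements."""
    return [e for e in entries
            if "nsdswindowsreplicationagreement"
            in {v.lower() for v in e.get("objectclass", [])}]


def audit_sync_topology(dumps):
    """dumps: {master_hostname: ldif_text}. Returns a list of finding strings."""
    by_master_subtree = defaultdict(set)   # (master, subtree) -> {AD hosts}
    by_ad_subtree = defaultdict(set)       # (AD host, subtree) -> {masters}
    for master, text in dumps.items():
        for agmt in windows_sync_agreements(parse_ldif(text)):
            ad_host = agmt["nsds5replicahost"][0].lower()
            subtree = agmt["nsds7directoryreplicasubtree"][0].lower()
            by_master_subtree[(master, subtree)].add(ad_host)
            by_ad_subtree[(ad_host, subtree)].add(master)
    findings = []
    for (master, subtree), hosts in sorted(by_master_subtree.items()):
        if len(hosts) > 1:   # pattern 1: one suffix fanned out to several DCs
            findings.append(f"{master} syncs {subtree} to multiple AD hosts: "
                            + ", ".join(sorted(hosts)))
    for (ad_host, subtree), masters in sorted(by_ad_subtree.items()):
        if len(masters) > 1:  # pattern 2: one DC fed by several masters
            findings.append(f"{ad_host} receives {subtree} from multiple masters: "
                            + ", ".join(sorted(masters)))
    return findings


if __name__ == "__main__":
    for finding in audit_sync_topology(SAMPLE_DUMPS):
        print("WARNING:", finding)
```

In practice the dumps would come from an LDAP search of `cn=mapping tree,cn=config` on each master as a directory-manager-level account; the check keys on the directory subtree rather than the agreement `cn`, because two agreements with different names still collide if they push the same entries.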
Anne Cross
2009-Oct-21 16:39 UTC
Re: [389-users] 389, Active Directory, PassSync, Multi-Masters, and multiple AD servers
Rich Megginson wrote:
> Anne Cross wrote:
>> We have two AD servers, and we're working on having four 389 Masters
>> geographically distributed, multi-mastered between them, etc, etc,
>> etc. The goal here is to stop having network hiccups take things out.
>>
>> The AD servers talk to each other nigh-on instantaneously. Likewise
>> for the 389 servers. Is it safe to set up sync agreements to *both*
>> AD servers, in case one goes down?
> No. See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and
> https://bugzilla.redhat.com/show_bug.cgi?id=184155
Ah. OK, so that *is* a bug, and hopefully will get fixed at some future
date. Good to know for now, however.
Passwords continue to plague us, but that will be an email for another
day. (With a lot more in the way of logs attached to it.)
--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^