[Fedora-directory-users] FDS AD Sync

Daniel Shackelford dshackel at arbor.edu
Wed Mar 29 19:46:12 UTC 2006


I had some trouble myself with passwords from AD making it into FDS.  
Unfortunately no passwords are synced until they are changed on AD, 
which means that if you have a 7000 user base like we do, there are very 
few options for getting the passwords populated in FDS.  PassSync uses a 
DLL to capture passwords in plain text during the set password process, 
and send them to FDS.  This means that all those users that are synced 
magically when you set up replication, will not have passwords until 
they change their password on AD somehow.  We started collecting 
credentials from our proxy auth, and storing them for a massive import 
after a few months.  The import went well (I can tell you the process if 
you like), but we still have 5000 accounts without passwords in FDS for 
off-site users, and those who should be pruned.  Now we are looking at a 
web interface for handling these special cases (is it special when it 
affects the majority of your users?).

The PassSync that was distributed with FDS 7.1 did not give much info on 
what it was doing, and this led to an incorrect setup without knowing it 
was incorrect.  If you use the most recent version, you can enable 
verbose logging, and see what is going on (it is a registry key under 
HKEY_Local_Machine->Software->PasswordSync->Log Level).  It turned out 
that PassSync and FDS were not speaking to one another yet.  I went 
through the key import process (pk12util + certutil), restarted the 
service, and away we went.

If you think you might be able to get the unix crypted passwords via 
msSFU (Microsoft Services for Unix), and populate FDS, you would be 
right, unless you are also wanting to synchronize those passwords.  I 
tried it and blew out the password for every user on our domain, and had 
to recover from tape.  The crypt is one-way, so once it is in FDS, you 
can successfully authenticate, but it looks like junk to the password 
sync code, and it ends up syncing junk to AD, which in turn, syncs junk 
back to FDS. Bad bad bad.

So it sounds like you may not have the PassSync service set up quite 
right, or you are expecting the passwords to be synced with the 
accounts, but they won't because that is not really what PassSync does.  
Either way you will have to address the issues of missing passwords in 
FDS.  Do you have any secure way of collecting the credentials of 
users?  A proxy/sniffer in front of your POP3 server?  Just a suggestion.

-- 
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648

"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Mark 10:45
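The failure mode Daniel describes (pre-hashed crypt passwords from msSFU landing in FDS and then being synced to AD as junk) is one that a pre-import check on the LDIF catches. The script below is an added example, not code from the message above or from FDS/PassSync: it reads an LDIF file, decodes the base64 `userPassword::` values, and sorts entries into those FDS can hash itself on import (cleartext), those that carry a `{scheme}` prefix and are already one-way, and those with no password at all. The DNs, attribute layout and the `{crypt}` string are constructed for the example; the crypt value is not a real hash.

```python
import base64
import re

# Attribute-line grammar of LDIF: "attr: value" or "attr:: base64value".
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")
# FDS stores hashed passwords as "{SCHEME}hash"; a value with such a prefix is
# already one-way and cannot be turned back into a password for AD.
HASH_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} dicts.
    Unfolds continuation lines (leading space) and decodes '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value):
    """'cleartext' if FDS will hash it on import, else 'hashed:<scheme>'."""
    m = HASH_SCHEME_RE.match(value)
    return "hashed:" + m.group(1).lower() if m else "cleartext"


def audit_import(ldif_text):
    """Sort entries by what a sync-enabled FDS can do with their userPassword.
    'hashed' entries are the msSFU-crypt case: they authenticate locally but
    the sync code would forward the hash string to AD as the password."""
    report = {"importable": [], "hashed": [], "missing": []}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        passwords = entry.get("userpassword", [])
        if not passwords:
            report["missing"].append(dn)
        elif any(classify_password(p) != "cleartext" for p in passwords):
            report["hashed"].append(dn)
        else:
            report["importable"].append(dn)
    return report


# Constructed sample LDIF (hypothetical DNs; the {crypt} string is made up and
# is not a real hash). LDIF base64-encodes userPassword, hence the '::' form.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
userPassword:: U2VjcmV0MTIz

dn: uid=bob,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
userPassword: {crypt}abJnggxhB/yWI

dn: uid=carol,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: carol
"""

if __name__ == "__main__":
    for bucket, dns in audit_import(SAMPLE_LDIF).items():
        print(f"{bucket:<10} {', '.join(dns) or '-'}")
```

Run it against the LDIF you are about to feed `ldif2db` or `ldapadd` on a sync-enabled FDS: anything in the `hashed` bucket should be dropped from the import (or imported only with the sync agreement disabled), and the `missing` bucket is the population that still needs a credential-collection path before it can log in.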



