[Fedora-directory-users] Trouble getting windows to talk to fds

Nathan Kinder nkinder at redhat.com
Tue Oct 31 22:49:12 UTC 2006


Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I
> created was a supplier/consumer agreement between fds and ad; now I have
> another question, if a new user is created in ad, since the fds box is
> the supplier, how will that uid be replicated to fds?
>   
When FDS connects to AD, it will send the dirsync control.  This control 
contains a cookie of sorts.  This basically tells AD to give us all 
modifications since the last time we sent the dirsync control (which it 
knows from the cookie we are sending).  AD then gives us the 
modifications along with a new cookie to use next time.  You can think 
of this as pull-style replication in the AD->FDS direction.  FDS pushes 
its changes to AD while pulling changes from AD to itself.

-NGK
> Aaron 
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan
> Kinder
> Sent: Tuesday, October 31, 2006 4:44 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to
> fds
>
> Bliss, Aaron wrote:
>   
>> I'm a little confused here; what is the purpose of the passsync service
>> (I've successfully created a replication agreement over ssl via fds and
>> ad).  Thanks again.
> The PassSync service is only responsible for sending password changes 
> initiated on the AD side to FDS.  Any password that is changed on the 
> FDS side will be sent to AD over the synchronization agreement along 
> with other user & group changes.  The synchronization agreement will 
> also pull changes that happened on the AD side over to FDS.
>
> The problem is that AD hashes the password differently than FDS does, so 
> FDS needs access to the clear-text password.  The only way for this to 
> happen when a password change is initiated on the AD side is to have a 
> password plug-in installed on the domain controller to get a copy of the 
> clear-text password.  This is exactly what the PassSync service does.  
> It installs a plugin (passhook.dll) that receives the clear-text 
> password which passsync.exe sends across to FDS over LDAPS.
>
> Hopefully that clears things up.
>
> -NGK
>   
>> Aaron 
>>
>>   
>>     

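The DirSync cookie exchange described in the reply above, as an added example (not part of the original post and not FDS code): it BER-encodes the control value a client sends with its stored cookie and decodes the value AD returns with the next cookie. `search` is a hypothetical transport callable returning `(entries, response_value)`, and the `max_bytes` default is an assumed value.

```python
def tlv(tag, body):
    """Encode one BER tag-length-value with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def ber_int(v):
    """Encode a non-negative INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def encode_request(cookie=b"", flags=0, max_bytes=1048576):
    """Value of control 1.2.840.113556.1.4.841: SEQUENCE {Flags, MaxBytes, Cookie}."""
    return tlv(0x30, ber_int(flags) + ber_int(max_bytes) + tlv(0x04, cookie))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos, rejecting truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated body")
    return tag, buf[pos:pos + n], pos + n

def decode_response(value):
    """Response value: SEQUENCE {MoreResults, unused, CookieServer} -> (more, cookie)."""
    tag, seq, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single SEQUENCE")
    t1, more, p = read_tlv(seq, 0)
    t2, _unused, p = read_tlv(seq, p)
    t3, cookie, p = read_tlv(seq, p)
    if (t1, t2, t3) != (0x02, 0x02, 0x04) or p != len(seq):
        raise ValueError("unexpected fields")
    return int.from_bytes(more, "big", signed=True) != 0, cookie

def pull_all(search, cookie=b""):
    """Resend the control until MoreResults is 0; search() is a hypothetical transport."""
    changes = []
    while True:
        entries, resp = search(encode_request(cookie))
        changes.extend(entries)
        more, cookie = decode_response(resp)
        if not more:
            return changes, cookie
```

An empty cookie requests everything; the cookie returned by the last response is what the client stores and sends on the next synchronization pass.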