[Fedora-directory-users] Password replication problems between a multi-master system and AD
Richard Megginson
rmeggins at redhat.com
Wed Mar 21 02:44:20 UTC 2007
Alexandre Augusto da Rocha wrote:
> I am using RHDS instead of FD, so if this issue has been addressed in
> FD please forgive me.
>
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
>
> Only one master is setup to sync to AD, which is the standard setup.
> Since password sync uses clear text to replicate to AD, password
> changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the
> hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be
> the actual clear text pw and attempts to use it to login to RHDS1.
> This creates a loop where one server keeps sending what it believes to
> be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD
> it will not fix my problem as even if RHDS2 sends the password ok to
> AD, RHDS1 will still try to send the update it received from RHDS2.
> Is this assumption correct?
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
> What is the best course of action? How can I tell if a password
> update is done on the server or pushed thru replication?
>
> ------------------------------------------------------------------------
>
> Subject:
> Password replication problems between a multi-master system and AD
> From:
> Alexandre Augusto da Rocha <augusto.rocha at augustschell.com>
> Date:
> Mon, 19 Mar 2007 19:23:17 -0500
> To:
> fedora-directory-users at redhat.com
>
> To:
> fedora-directory-users at redhat.com
>
>
> I am using RHDS instead of FD, so if this issue has been addressed in
> FD please forgive me.
>
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
>
> Only one master is setup to sync to AD, which is the standard setup.
> Since password sync uses clear text to replicate to AD, password
> changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the
> hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be
> the actual clear text pw and attempts to use it to login to RHDS1.
> This creates a loop where one server keeps sending what it believes to
> be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD
> it will not fix my problem as even if RHDS2 sends the password ok to
> AD, RHDS1 will still try to send the update it received from RHDS2.
> Is this assumption correct?
> What is the best course of action? How can I tell if a password
> update is done on the server or pushed thru replication?
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070320/6df86918/attachment.bin>
More information about the Fedora-directory-users
mailing list