Thread: Password replication problems between a multi-master system and AD




Password replication problems between a multi-master system and AD
user name
2007-03-19 19:59:35
I am using RHDS instead of FD, so if this issue has been addressed in FD please forgive me.

To exemplify the issues I'll use the model:
AD <-> RHDS1 <-> RHDS2.

Only one master is setup to sync to AD, which is the standard setup. Since password sync uses clear text to replicate to AD, password changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be the actual clear text pw and attempts to use it to login to RHDS1. This creates a loop where one server keeps sending what it believes to be the new password to the other.
I _think_ that if I add a replication agreement between RHDS2 and AD it will not fix my problem as even if RHDS2 sends the password ok to AD, RHDS1 will still try to send the update it received from RHDS2. Is this assumption correct?
What is the best course of action? How can I tell if a password update is done on the server or pushed thru replication?

--
Fedora-directory-users mailing list
Fedora-directory-usersredhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: Password replication problems between a multi-master system and AD
user name
2007-03-20 21:44:20
Alexandre Augusto da Rocha wrote:
> I am using RHDS instead of FD, so if this issue has been addressed in FD please forgive me.
>
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
>
> Only one master is setup to sync to AD, which is the standard setup. Since password sync uses clear text to replicate to AD, password changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be the actual clear text pw and attempts to use it to login to RHDS1. This creates a loop where one server keeps sending what it believes to be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD it will not fix my problem as even if RHDS2 sends the password ok to AD, RHDS1 will still try to send the update it received from RHDS2. Is this assumption correct?
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
> What is the best course of action? How can I tell if a password update is done on the server or pushed thru replication?
>
> ------------------------------------------------------------------------
>
> Subject: Password replication problems between a multi-master system and AD
> From: Alexandre Augusto da Rocha <augusto.rochaaugustschell.com>
> Date: Mon, 19 Mar 2007 19:23:17 -0500
> To: fedora-directory-usersredhat.com

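The failure mode described in this thread, a stored hash being forwarded to AD as if it were clear text, can be guarded against by checking a value before it is synced. The sketch below is an added example, not part of the original posts and not RHDS or Fedora Directory Server code; the change-record layout (`dn`, `origin`, `value`), the scheme list and the sample data are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Storage-scheme prefixes seen on hashed userPassword values, e.g. "{SSHA}...".
# This list is an assumption for the sketch, not read from a server config.
KNOWN_SCHEMES = {"SSHA", "SHA", "SSHA256", "SSHA512", "MD5", "SMD5", "CRYPT"}
_PREFIXED = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$")


def looks_hashed(value: str) -> bool:
    """True if value has the {SCHEME}payload shape of a stored password hash."""
    m = _PREFIXED.match(value)
    if not m or m.group(1).upper() not in KNOWN_SCHEMES:
        return False
    if m.group(1).upper() == "CRYPT":
        return True  # crypt(3) output is not base64, so only the prefix is checked
    try:
        base64.b64decode(m.group(2), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify_change(change: dict) -> str:
    """Decide what a sync agent may do with one password change record.

    `change` is a hypothetical record {"dn", "origin", "value"}; origin is
    "local" (a client wrote to this master) or "replicated" (from a peer).
    """
    if change["origin"] == "replicated" or looks_hashed(change["value"]):
        return "skip"     # no clear text available: forwarding would push a hash
    return "forward"      # clear text captured locally: usable for the sync


# Constructed sample changes for the AD <-> RHDS1 <-> RHDS2 model.
SAMPLE = [
    {"dn": "uid=alice,dc=example,dc=com", "origin": "local", "value": "Winter-2007!"},
    {"dn": "uid=bob,dc=example,dc=com", "origin": "replicated",
     "value": "{SSHA}" + base64.b64encode(b"\x11" * 20 + b"salt").decode()},
    {"dn": "uid=carol,dc=example,dc=com", "origin": "local", "value": "{SSHA}not base64!"},
]


def run():
    """Classify every sample change; returns (rdn, decision) pairs."""
    return [(c["dn"].split(",")[0], classify_change(c)) for c in SAMPLE]
```

A real clear-text password that happens to have the `{SCHEME}base64` shape would also be skipped by this check, so a skipped local change is worth logging rather than dropping silently.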
