Password Sync Service Question (IdM to Active Directory)

I would like some validation of whether you actually need to install the Password Sync Service on "every" domain controller, or whether it actually needs to be installed on a DC at all, i.e. can it simply be another Windows 2008 Server?

This will be my first attempt at installing IdM to work with Active Directory, and the customer is fairly adamant about limiting the impact on their existing AD (and rightfully so). So far I have identified the only modifications to AD as importing the IdM cert and creating the AD user with the correct AD permissions.

Thanks in advance!

 

Section 8.5.2 of the identity management document explains the requirement.

Install the Password Sync Service on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
1. Download the PassSync.msi file from the Red Hat Enterprise Linux channels, and save it to the Active Directory machine.

Responses

Hey James, no response from the community so far, but I'll see if one of our engineers can help you out with this.

Hi James. Yes, you must install PassSync.msi on all of your domain controllers to ensure all communications are captured and properly handled.

I've got a few links that might help you and others working down this path. The first is a nice overview of the process with links to the install guide you already referenced:

   How to configure Windows Sync to synchronization between Red Hat Directory Server and Windows Active Directory?

     https://access.redhat.com/knowledge/solutions/42800

This next one is a bit more advanced, and may assist you as you continue your install:

   IPA Frequently Asked Questions

     https://access.redhat.com/knowledge/solutions/117223

Also, so you know, we're in the process of building an IdM community here on the portal, where all the directory experts will hang out. Keep an eye out for it; questions like this are what that channel will be for once it's launched. Please let me know if you have any additional questions as your install progresses. Good luck!

-Chris Robinson

Technical Account Manager, Red Hat Inc.
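As an added example (not from this thread or from the Red Hat documentation), here is an inventory check a Windows admin can run from a management host to confirm the Password Sync Service really is present and running on every domain controller, since a DC without it will silently miss the password changes it processes. It assumes the RSAT ActiveDirectory module is available and that the service registers under the Windows service name 'PassSync'; both are assumptions.

```powershell
# Added example: report PassSync presence/state on every DC in the domain.
# Assumes RSAT ActiveDirectory module (Get-ADDomainController) and Windows
# PowerShell 5.1 (Get-Service -ComputerName). The service name is an assumption.
Import-Module ActiveDirectory

$ServiceName = 'PassSync'   # assumed service name of the Password Sync Service

# Enumerate every DC so none is overlooked, then probe the service on each.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController  = $dc.HostName
        Site              = $dc.Site
        PassSyncInstalled = [bool]$svc
        Status            = if ($svc) { $svc.Status } else { 'Not installed' }
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize

# Any DC that is missing the service, or has it stopped, is a coverage gap:
# password changes handled by that DC will never reach IdM.
$missing = $report | Where-Object { -not $_.PassSyncInstalled -or $_.Status -ne 'Running' }
if ($missing) {
    Write-Warning ("PassSync missing or stopped on {0} of {1} domain controllers." -f $missing.Count, $report.Count)
    $missing | Format-Table DomainController, Site, Status -AutoSize
}
```

Run it again after each install/reboot cycle; an empty warning list means every DC that can process a password change also has the capture hook in place.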

Thanks David. I should also provide a bit more detail. I'm interested in the "intellectual" response, i.e. how people interpret the documentation... and then, I suppose, I am looking for the "real world" implementation that people have tried.

I am hoping/expecting that I can select a smaller subset of Active Directory systems and, when I go to add an IPA connection, limit the hosts I will attempt a relationship with to the AD systems which have the software installed. Another consideration to limit the number of hosts that this Password Sync software is installed on is that it requires a reboot on the Windows Server :-(

Thank you for your response Chris. I think my carryover perspective of AD probably clouded my vision. I am realizing I have a lot to learn about AD and IdM.

The IdM documentation mentions that it will sync every 5 minutes:

IdM Guide 6.3, sec 8.1

A synchronization operation runs every five minutes.

After the initial setup of IdM and after you establish the relationship between your IdM env and AD:

Q: Do you need to somehow push the passwords for each user that already exists in AD? Or does the password validation against their AD credentials happen when the user attempts to log in? At this point, I can su to a user, but I cannot log in via ssh.

Is that sync outside the scope of the password sync functionality? I guess what I am wondering is whether a password change in AD triggers a push to the IdM systems (via PassSync.msi) and vice versa, as opposed to the password change in AD possibly taking up to 5 minutes to wait for the next sync event.

I am making fair progress in that I have everything installed and seemingly communicating ;-) I now will pursue determining how you allow particular AD users on to a particular Linux host.

Thanks again! There are so many questions I have, and it's a bummer that there does not seem to be a class out there for this product. (The DS class seems like overkill and focuses on topics not related to this specific goal: AD to IdM integration.)


G'day James,

Q: Do you need to somehow push the passwords for each user that already exists in AD? Or does the password validation against their AD credentials happen when the user attempts to log in? At this point, I can su to a user, but I cannot log in via ssh.

Answer: Yes. AD uses a different password encryption mechanism, so PassSync.msi captures that information and sends it through to IPA.

To answer your other question: every time a change happens at the AD end, it logs everything in the change logs. PassSync makes sure it sends that updated information to IPA. Hope that makes sense. So yes, you have to wait till the next sync happens.

Frank


James,

Forgot to mention, after the sync it flushes the change logs, so it doesn't try to sync the same changes all over again.

Frank