Chapter 10. Installing, updating, and uninstalling the password synchronization service

To synchronize passwords between Active Directory and Red Hat Directory Server, you use the password synchronization service. You can install, update, and remove the password synchronization service.

10.1. The password synchronization service

When you set up password synchronization with Active Directory, Directory Server retrieves all attributes of user objects except the password. Because Active Directory stores only encrypted passwords and Directory Server uses a different encryption scheme, the value stored in Active Directory cannot be copied over; Directory Server must encrypt the Active Directory users' passwords itself.

To enable password synchronization between Active Directory and Directory Server, the Red Hat Directory Password Sync service hooks into the Windows password-changing routine of a domain controller (DC). If a user or administrator sets or updates a password, the service retrieves the password in plain text before it is encrypted and stored in Active Directory, and sends that plain-text password to Directory Server. To protect the password in transit, the service supports only LDAPS connections to Directory Server. When Directory Server stores the password in the user's entry, it automatically encrypts the password with the password storage scheme configured in Directory Server.

Important

In an Active Directory domain, all writable DCs can process password changes. Therefore, you must install Red Hat Directory Password Sync on every writable DC in the Active Directory domain.
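Because the service will only send passwords to Directory Server over LDAPS, a useful check on each DC before installing is whether the LDAPS endpoint is reachable and presents a certificate the DC trusts. The PowerShell function below is an added example, not code from the Red Hat documentation or from the PassSync project. It uses only the .NET TcpClient and SslStream classes that ship with Windows; the host name ds.example.com is a constructed placeholder.

```powershell
# Added example (not from the Red Hat documentation): pre-installation check that the
# Directory Server LDAPS endpoint PassSync will use is reachable from this DC and that
# its certificate chain validates against the DC's trust store.

function Test-PassSyncLdaps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,   # value you will enter in "Host Name"
        [int] $Port = 636                            # value you will enter in "Port Number"
    )

    $client = $null
    $ssl    = $null
    try {
        # 1. Plain TCP reachability: a firewall rule or a wrong port fails here.
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, $Port)

        # 2. TLS handshake with default validation (system trust store, name match,
        #    expiry). PassSync cannot fall back to plain LDAP, so a failure here means
        #    the service will not be able to push any password.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName     = $HostName
            Port         = $Port
            TlsProtocol  = $ssl.SslProtocol
            CertSubject  = $cert.Subject
            CertIssuer   = $cert.Issuer
            CertNotAfter = $cert.NotAfter
            CertExpired  = ($cert.NotAfter -lt (Get-Date))
            ChainTrusted = $ssl.IsAuthenticated
        }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Certificate rejected: issuing CA not trusted by the DC, name mismatch, or expired.
        Write-Error "TLS handshake with ${HostName}:${Port} failed: $($_.Exception.Message)"
    }
    catch {
        Write-Error "Cannot reach ${HostName}:${Port}: $($_.Exception.Message)"
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

# Usage on the DC (constructed placeholder host name):
Test-PassSyncLdaps -HostName 'ds.example.com' -Port 636 | Format-List
```

Pass exactly the value you intend to enter in the Host Name field: if you use an IPv4 or IPv6 address there instead of a name, the server certificate must cover that address, otherwise the handshake fails with a name mismatch and so will the service.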

10.2. Downloading the password synchronization service installer

To install Red Hat Directory Password Sync service, download the installer from the Customer Portal.

Prerequisites

Procedure

  1. Log into the Red Hat Customer Portal.
  2. Click Downloads at the top of the page.
  3. Select Red Hat Directory Server from the product list.
  4. Select 12 in the Version field.
  5. Download PassSync Installer.
  6. Copy the installer to every writable Active Directory domain controller (DC).

10.3. Installing the password synchronization service

This section describes how to install Red Hat Directory Password Sync on Windows domain controllers (DCs). Perform this procedure on every writable Windows DC.

Prerequisites

  • You downloaded the latest version of the PassSync Installer to the Windows Active Directory domain controller (DC).
  • You enabled TLS encryption in Directory Server.
  • You prepared the Active Directory domain.
  • You created an account for synchronization in Directory Server.

Procedure

  1. Log in to the Active Directory DC with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds12.*-x86_64.msi file to install it.
  3. The Red Hat Directory Password Sync Setup appears. Click Next.
  4. Fill the fields according to your Directory Server environment. For example:

    (Screenshot: PassSync settings)

    Enter the following information about the Directory Server host into the fields:

    • Host Name: Sets the name of the Directory Server host. Alternatively, you can set the field to the IPv4 or IPv6 address of the Directory Server host.
    • Port Number: Sets the LDAPS port number.
    • User Name: Sets the distinguished name (DN) of the synchronization user account.
    • Password: Sets the password of the synchronization user.
    • Cert Token: Sets the password of the server certificate copied from the Directory Server host.
    • Search Base: Sets the DN of the Directory Server entry that contains the synchronized user accounts.
  5. Click Next to start the installation.
  6. Click Finish.
  7. Reboot the Windows DC.

    Important

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.

  8. Enable replication in Directory Server and create a WinSync agreement.

10.4. Updating the password synchronization service

This section describes how to update an existing Red Hat Directory Password Sync installation on a Windows domain controller (DC).

Perform this procedure on every writable Windows DC.

Prerequisites

  • Red Hat Directory Password Sync is running on your Windows DC.
  • You downloaded the latest version of the PassSync Installer to the Windows Active Directory DC.

Procedure

  1. Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds12.*-x86_64.msi file.
  3. Click Next to begin installing.
  4. Click the Modify button.
  5. The setup displays the configuration set during the previous installation. Click Next to keep the existing settings.
  6. Click Next to start the installation.
  7. Click Finish.
  8. Reboot the Windows DC.

    Important

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.
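Both the installation procedure (step 7 in section 10.3) and the update procedure (step 8 above) end with a reboot because the PasswordHook.dll library is only enabled after it. The PowerShell function below is an added example, not code from the Red Hat documentation or the PassSync project, for confirming on a rebooted DC that the hook is actually in place. It assumes, which the page does not state, that the installer copies PasswordHook.dll to %SystemRoot%\System32 and lists it in the LSA "Notification Packages" registry value (the mechanism Windows uses to load password filter DLLs at startup), and that the Windows service is registered under the name PassSync; adjust those names if your installation differs.

```powershell
# Added example (not from the Red Hat documentation): post-reboot verification that the
# PassSync password hook is loaded. Assumed names: the service 'PassSync' and the DLL
# PasswordHook.dll under System32, registered in LSA "Notification Packages".

function Test-PassSyncInstalled {
    [CmdletBinding()]
    param(
        [string] $ServiceName = 'PassSync',       # assumed Windows service name
        [string] $HookName    = 'PasswordHook'    # DLL base name from the documentation
    )

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dllPath = Join-Path $env:SystemRoot "System32\$HookName.dll"

    # Password filter DLLs are listed by base name (REG_MULTI_SZ) in Notification Packages.
    $packages       = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    $hookRegistered = @($packages) -contains $HookName

    # LSASS reads Notification Packages only at boot, so the hook is active only if the
    # DC was restarted after the DLL was placed on disk. Heuristic: compare the DLL's
    # creation time with the last boot time.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $dllTime  = if (Test-Path $dllPath) { (Get-Item $dllPath).CreationTime } else { $null }
    $rebooted = ($null -ne $dllTime) -and ($lastBoot -gt $dllTime)

    $svc    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'not found' }

    [pscustomobject]@{
        HookDllPresent    = (Test-Path $dllPath)
        HookRegistered    = $hookRegistered
        RebootedSinceCopy = $rebooted
        ServiceFound      = ($null -ne $svc)
        ServiceStatus     = $status
        NotificationPkgs  = (@($packages) -join ', ')
    }
}

# Usage on the DC after the reboot:
Test-PassSyncInstalled | Format-List
```

After a successful install or update every field except ServiceStatus should read True and ServiceStatus should be Running; HookRegistered True with RebootedSinceCopy False is the symptom of the skipped reboot the Important note warns about. After the uninstall procedure in section 10.5, the same function should report HookRegistered False, since a stale entry in Notification Packages would leave LSASS trying to load a DLL that no longer exists.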

10.5. Uninstalling the password synchronization service

If you no longer require the Red Hat Directory Password Sync service, remove it from the Active Directory domain controller (DC).

Prerequisites

  • Red Hat Directory Password Sync is installed on the Windows DC.

Procedure

Log in to the Active Directory domain controller with a user that has permissions to remove software from the DC.

  1. Open the Control Panel.
  2. Click Programs and then Programs and Features.
  3. Select the Red Hat Directory Password Sync entry, and click the Uninstall button.

    (Screenshot: removing PassSync using the Control Panel)
  4. Click Yes to confirm.