Chapter 10. Installing, updating, and uninstalling the password synchronization service
To synchronize passwords between Active Directory and Red Hat Directory Server, you use the password synchronization service. You can install, update, and remove the password synchronization service.
10.1. The password synchronization service
When you set up password synchronization with Active Directory, Directory Server retrieves all attributes of user objects except the password. Active Directory stores only encrypted passwords, but Directory Server uses different encryption. As a result, Active Directory users' passwords must be encrypted by Directory Server.
To enable password synchronization between Active Directory and Directory Server, the Red Hat Directory Password Sync service hooks into the Windows password changing routine of a domain controller (DC). If a user or administrator sets or updates a password, the service retrieves the password in plain text before it is encrypted and stored in Active Directory. This process enables Red Hat Directory Password Sync to send the plain text password to Directory Server. To protect the password, the service supports only LDAPS connections to Directory Server. When Directory Server stores the password in the user's entry, the password is automatically encrypted with the password storage scheme configured in Directory Server.
In an Active Directory domain, all writable DCs can process password actions. Therefore, you must install Red Hat Directory Password Sync on every writable DC in the Active Directory domain.
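The following Python script is an added example and is not part of the Red Hat documentation or of the Red Hat Directory Password Sync service itself. It illustrates the last step described above: the service delivers the plain-text password over LDAPS, and Directory Server then stores it under its configured password storage scheme. The script reproduces the salted-SHA layout that the {SSHA512}, {SSHA256} and {SSHA} schemes use (assumed here as the conventional base64(digest || salt) with an 8-byte salt; PBKDF2-based schemes are not modelled), so that an administrator can audit exported entries for values that are not hashed and confirm that a hashed value matches the password that was synchronized. The DNs and passwords are constructed sample data.

```python
"""Added example: how a synchronized password ends up stored in Directory Server.

Assumptions (not taken from the Red Hat documentation):
  * salted-SHA userPassword values are laid out as {SCHEME}base64(digest || salt)
  * the salt is 8 bytes long
  * the entries below are constructed sample data with hypothetical DNs
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Scheme tag -> (hash constructor, digest length in bytes)
SCHEMES = {
    "SSHA512": (hashlib.sha512, 64),
    "SSHA256": (hashlib.sha256, 32),
    "SSHA": (hashlib.sha1, 20),
}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def hash_password(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the form {SCHEME}base64(digest || salt)."""
    ctor, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt  # 8-byte salt (assumption)
    digest = ctor(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def storage_scheme(stored: str) -> Optional[str]:
    """Return the scheme tag of a userPassword value, or None if it is cleartext."""
    match = SCHEME_RE.match(stored)
    return match.group(1).upper() if match else None


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against a salted-SHA userPassword value."""
    match = SCHEME_RE.match(stored)
    if not match or match.group(1).upper() not in SCHEMES:
        return False  # cleartext or an unsupported scheme is never treated as a match
    ctor, digest_len = SCHEMES[match.group(1).upper()]
    raw = base64.b64decode(match.group(2))
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = ctor(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def audit_entries(entries: Dict[str, str]) -> List[str]:
    """Return the DNs whose userPassword is not stored under a hashing scheme."""
    return [dn for dn, value in entries.items() if storage_scheme(value) is None]


# Constructed sample entries (hypothetical DNs and passwords, fixed salt for reproducibility)
SAMPLE_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": hash_password("Wint3r-Sun", "SSHA512", salt=b"\x01" * 8),
    "uid=bob,ou=People,dc=example,dc=com": "Spr1ng-Rain",  # cleartext: must never appear after sync
}

if __name__ == "__main__":
    for dn, value in SAMPLE_ENTRIES.items():
        print(dn, "->", storage_scheme(value) or "CLEARTEXT")
    print("entries without a hashing scheme:", audit_entries(SAMPLE_ENTRIES))
    print("alice verifies:", verify_password(SAMPLE_ENTRIES["uid=alice,ou=People,dc=example,dc=com"], "Wint3r-Sun"))
```

Running the script on an LDIF export of the synchronized subtree (after parsing the userPassword values out of it) gives a quick confirmation that no plain-text password reached the directory; `audit_entries` should return an empty list for a correctly configured server.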
10.2. Downloading the password synchronization service installer
To install the Red Hat Directory Password Sync service, download the installer from the Customer Portal.
Prerequisites
- You have a valid Red Hat Directory Server subscription.
- You have an account on the Red Hat Customer Portal.
Procedure
- Log into the Red Hat Customer Portal.
- Click Downloads at the top of the page.
- Select Red Hat Directory Server from the product list.
- Select 12 in the Version field.
- Download PassSync Installer.
- Copy the installer to every writable Active Directory domain controller (DC).
10.3. Installing the password synchronization service
This section describes how to install the Red Hat Directory Password Sync service on Windows domain controllers (DC). Perform this procedure on every writable Windows DC.
Prerequisites
- You downloaded the latest version of the PassSync Installer to the Windows Active Directory domain controller (DC).
- You enabled TLS encryption in Directory Server.
- You prepared the Active Directory domain.
- You created an account for synchronization in Directory Server.
Procedure
- Log in to the Active Directory DC with a user that has permissions to install software on the DC.
- Double-click the RedHat-PassSync-ds12.*-x86_64.msi file to install it.
- The Red Hat Directory Password Sync Setup appears. Click Next.
- Fill the fields according to your Directory Server environment, using the following information about the Directory Server host:
  - Host Name: Sets the name of the Directory Server host. Alternatively, you can set the field to the IPv4 or IPv6 address of the Directory Server host.
  - Port Number: Sets the LDAPS port number.
  - User Name: Sets the distinguished name (DN) of the synchronization user account.
  - Password: Sets the password of the synchronization user.
  - Cert Token: Sets the password of the server certificate copied from the Directory Server host.
  - Search Base: Sets the DN of the Directory Server entry that contains the synchronized user accounts.
- Click Next to start the installation.
- Click Finish.
- Reboot the Windows DC.
  Important: Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.
- Enable replication in Directory Server and create a WinSync agreement.
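The following Python script is an added example, not part of the Red Hat documentation or of the installer. It performs an offline sanity check of the values that are typed into the Red Hat Directory Password Sync Setup fields listed above, so that typing mistakes are caught before the installation and reboot rather than showing up later as a failed connection: a Host Name that is neither a hostname nor an IPv4/IPv6 address, a Port Number outside the valid range or equal to the plain LDAP port 389 (the service supports only LDAPS, whose standard port is 636), a User Name or Search Base that is not a distinguished name, and an empty Password or Cert Token. The field names mirror the setup dialog; the distinguished-name check is deliberately simple (no escaped commas), and all sample values are constructed.

```python
"""Added example: offline sanity check of the Red Hat Directory Password Sync Setup fields.

Assumptions (not taken from the Red Hat documentation):
  * DNs are simple comma-separated attr=value RDNs without escaped characters
  * 636 is mentioned only as the standard LDAPS port; your deployment may differ
  * the sample configurations below are constructed data
"""
import ipaddress
import re
from typing import Dict, List

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Minimal DN check (assumption: simple DNs such as uid=x,ou=People,dc=example,dc=com)
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

LDAP_PORT = 389   # plain LDAP: rejected, the service supports LDAPS only
LDAPS_PORT = 636  # standard LDAPS port, mentioned in the hint only


def is_host(value: str) -> bool:
    """True for an IPv4 address, an IPv6 address, or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def is_dn(value: str) -> bool:
    """True if the value looks like a simple LDAP distinguished name."""
    return bool(DN_RE.match(value.strip()))


def check_passsync_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the values look sane."""
    problems: List[str] = []

    host = cfg.get("Host Name", "").strip()
    if not is_host(host):
        problems.append("Host Name: not a hostname, IPv4 address or IPv6 address")

    port = cfg.get("Port Number", "").strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("Port Number: must be an integer between 1 and 65535")
    elif int(port) == LDAP_PORT:
        problems.append(
            f"Port Number: {LDAP_PORT} is the plain LDAP port; the service requires "
            f"the LDAPS port (standard port {LDAPS_PORT})"
        )

    for field in ("User Name", "Search Base"):
        if not is_dn(cfg.get(field, "")):
            problems.append(f"{field}: must be a distinguished name such as uid=...,dc=...,dc=...")

    for field in ("Password", "Cert Token"):
        if not cfg.get(field, ""):
            problems.append(f"{field}: must not be empty")

    return problems


# Constructed sample configurations (hypothetical host, DNs and secrets)
GOOD_CONFIG = {
    "Host Name": "ds.example.com",
    "Port Number": "636",
    "User Name": "uid=pwsync,ou=People,dc=example,dc=com",
    "Password": "example-sync-password",
    "Cert Token": "example-cert-token",
    "Search Base": "ou=People,dc=example,dc=com",
}
BAD_CONFIG = {
    "Host Name": "ds_example",          # underscore is not valid in a hostname
    "Port Number": "389",               # plain LDAP port, not LDAPS
    "User Name": "pwsync",              # a bare name, not a DN
    "Password": "",
    "Cert Token": "example-cert-token",
    "Search Base": "ou=People,dc=example,dc=com",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "->", check_passsync_config(cfg) or "OK")
```

The check is purely syntactic: it does not prove that the host is reachable, that the certificate is trusted, or that the synchronization user can bind, so a successful result only means the values are worth entering into the dialog.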
10.4. Updating the password synchronization service
This section describes how to update an existing Red Hat Directory Password Sync installation on a Windows domain controller (DC). Perform this procedure on every writable Windows DC.
Prerequisites
- Red Hat Directory Password Sync is running on your Windows DC.
- You downloaded the latest version of the PassSync Installer to the Windows Active Directory DC.
Procedure
- Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
- Double-click the RedHat-PassSync-ds12.*-x86_64.msi file.
- Click Next to begin installing.
- Click the Modify button.
- The setup displays the configuration set during the previous installation. Click Next to keep the existing settings.
- Click Next to start the installation.
- Click Finish.
- Reboot the Windows DC.
  Important: Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization will fail.
10.5. Uninstalling the password synchronization service
If you no longer require the Red Hat Directory Password Sync service, remove it from the Active Directory domain controller (DC).
Prerequisites
- Red Hat Directory Password Sync is installed on the Windows DC.
Procedure
- Log in to the Active Directory domain controller with a user that has permissions to remove software from the DC.
- Open the Control Panel.
- Click Programs and then Programs and Features.
- Select the Red Hat Directory Password Sync entry, and click the Uninstall button.
- Click Yes to confirm.