4.7. Installing the Password Sync Service
Windows Synchronization is mostly handled by the Directory Server alone, but synchronizing passwords requires a special "hook" that catches password changes and sends them over a secure connection between the Directory Server and Active Directory sync peers. For password synchronization, it is necessary to install the Password Sync Service.
Password Sync must be installed on every domain controller in the Active Directory domain, because the password hook only sees password changes that are processed by the domain controller on which it runs.
Passwords can only be synchronized if both the Directory Server and the Windows server are running SSL, the sync agreement is configured over an SSL connection, and certificate databases are configured so that Password Sync can access them.
4.7.1. Installing the Password Sync Service
These steps show how to install the Password Sync Service.
Procedure 4.1. Installing the Password Sync Service
- Go to https://access.redhat.com.
- Click Downloads at the top of the page.
- Select Red Hat Directory Server from the product list.
- Select your Directory Server version and architecture. A link to download the WinSync Installer is then available; this is the Password Sync MSI file. Save the file to the Active Directory machine.
Note
There are two WinSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the package that matches your Windows platform.
- Double-click the Password Sync MSI file to install it.
- The Password Sync Setup window appears. Hit Next to begin installing.
- Fill in the Directory Server host name, secure port number, user name (such as cn=sync manager,cn=config), the certificate token (password), and the search base (for example, ou=People,dc=example,dc=com).
Continue through the remaining dialogs to install Password Sync.
- Reboot the Windows machine to start Password Sync.
Note
The Windows machine must be rebooted. Without the reboot, passhook.dll is not enabled, and password synchronization will not function.
The first attempt to synchronize passwords, which happens when the Password Sync application is installed, will always fail because the SSL connection between the Directory Server and Active Directory sync peers has not yet been configured. The tools to create the certificate and key databases are installed with the .msi.
Table 4.5. Installed Password Sync Libraries
| Directory | Library |
|---|---|
| C:\WINDOWS\system32 | passhook.dll |
| C:\WINDOWS\system32 | libnspr4.dll |
| C:\WINDOWS\system32 | nss3.dll |
| C:\WINDOWS\system32 | sqlite3.dll |
| C:\WINDOWS\system32 | softokn3.dll |
| C:\WINDOWS\system32 | nssdbm3.dll |
| C:\WINDOWS\system32 | nssutil3.dll |
| C:\WINDOWS\system32 | smime3.dll |
| C:\WINDOWS\system32 | freebl3.dll |
| C:\WINDOWS\system32 | ssl3.dll |
| C:\WINDOWS\system32 | libplc4.dll |
| C:\WINDOWS\system32 | libplds4.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | nsldap32v60.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | nsldappr32v60.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | nsldapssl32v60.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | nsldif32v60.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | nssckbi.dll |
| C:\Program Files\Red Hat Directory Password Synchronization | certutil.exe |
| C:\Program Files\Red Hat Directory Password Synchronization | pk12util.exe |
| C:\Program Files\Red Hat Directory Password Synchronization | passsync.exe |
| C:\Program Files\Red Hat Directory Password Synchronization | passsync.log[a] |
| C:\Program Files\Red Hat Directory Password Synchronization | msvcr71.dll |

[a] This log file is not an installed library, but it is created at installation.
4.7.2. Configuring the Password Sync Service
Configure the Password Sync Service by setting up certificates that Password Sync uses to access the Directory Server over SSL.
Note
SSL is required for Password Sync to send passwords to Directory Server. The service will not send passwords except over SSL, to protect the clear text password sent from the Active Directory machine to the Directory Server machine. This means that Password Sync will not work until SSL is configured.
Procedure 4.2. Configuring the Password Sync Service
- On the Directory Server, export the CA certificate that issued the server certificate.
# certutil -d /etc/dirsrv/slapd-instance_name -L -n "CA certificate" -a > dsca.crt
- Copy the exported certificate from the Directory Server to the Windows machine.
- Open a command prompt on the Windows machine, and change to the Password Sync installation directory.
> cd "C:\Program Files\Red Hat Directory Password Synchronization"
- Create new cert8.db and key.db databases on the Windows machine. certutil prompts for a database password; use the same value that was entered as the certificate token during installation, because Password Sync uses it to open the key database.
> certutil.exe -d . -N
- Import the CA certificate from the Directory Server into the new certificate database as a trusted CA.
> certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
- Verify that the CA certificate was correctly imported.
> certutil.exe -d . -L -n "DS CA cert"
- Reboot the Windows machine. The Password Sync service is not available until after a system reboot.
Note
If any Active Directory user accounts exist when Password Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed because Password Sync cannot decrypt a password once it has been hashed in Active Directory.
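The Windows-side steps of Procedure 4.2, as an added PowerShell example that is not part of the original page or of the Password Sync product: it creates the NSS databases, imports the Directory Server CA certificate, verifies the import, and then checks that the Directory Server's secure port presents a certificate that chains to that CA before the machine is rebooted. The paths C:\Temp\dsca.crt and the Directory Server host name ds.example.com on port 636 are assumptions; adjust them to your environment. Run it from an elevated PowerShell prompt on the Active Directory machine.

```powershell
# Added example (not from the original page). Assumptions: the CA certificate
# exported with certutil on the Directory Server was copied to C:\Temp\dsca.crt,
# and the Directory Server listens for LDAPS on ds.example.com:636.
$PassSyncDir = 'C:\Program Files\Red Hat Directory Password Synchronization'
$CaCertFile  = 'C:\Temp\dsca.crt'
$CaNickname  = 'DS CA cert'
$DsHost      = 'ds.example.com'
$DsPort      = 636

Set-Location $PassSyncDir
$certutil = Join-Path $PassSyncDir 'certutil.exe'

# 1. Create cert8.db/key.db if they do not exist yet. certutil -N prompts for the
#    database password; enter the same value used as the certificate token during
#    installation, because Password Sync uses it to open key.db.
if (-not (Test-Path (Join-Path $PassSyncDir 'cert8.db'))) {
    & $certutil -d . -N
    if ($LASTEXITCODE -ne 0) { throw "certutil -N failed with exit code $LASTEXITCODE" }
}

# 2. Import the Directory Server CA certificate as a trusted CA (trust flags CT,,).
& $certutil -d . -A -n $CaNickname -t 'CT,,' -a -i $CaCertFile
if ($LASTEXITCODE -ne 0) { throw "certutil -A failed with exit code $LASTEXITCODE" }

# 3. Verify the import: the nickname must appear in the database listing.
$listing = & $certutil -d . -L
if (($listing -join "`n") -notmatch [regex]::Escape($CaNickname)) {
    throw "CA certificate '$CaNickname' was not found in cert8.db"
}
& $certutil -d . -L -n $CaNickname

# 4. Password Sync refuses to send passwords over anything but SSL, so confirm now
#    that the secure port answers and that its certificate chains to the CA just
#    imported. The validation callback accepts everything because the trust check is
#    done explicitly below with X509Chain against the PEM file we imported into NSS.
$tcp = New-Object System.Net.Sockets.TcpClient($DsHost, $DsPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($DsHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
"Directory Server presented: $($serverCert.Subject) (issuer: $($serverCert.Issuer))"

$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertFile)
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($caCert) | Out-Null
# The DS CA is not in the Windows certificate store, so allow an unknown root and
# then require that the root the chain ends in is exactly our imported CA.
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($serverCert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $root.Thumbprint -ne $caCert.Thumbprint) {
    Write-Warning "Server certificate does not chain to '$CaNickname'; Password Sync will not trust the SSL connection."
} else {
    "Server certificate chains to the imported CA (thumbprint $($caCert.Thumbprint))."
}

# 5. Reboot so that passhook.dll is loaded and the Password Sync service starts.
Restart-Computer -Confirm
```

The chain check in step 4 is deliberately stricter than the SslStream callback: it proves that the certificate the Directory Server actually serves on the secure port was issued by the CA now in cert8.db, which is the trust decision NSS will make on Password Sync's behalf after the reboot. If the warning fires, the exported certificate was not the issuing CA (for example, a server certificate was exported instead), and the first synchronization attempt would fail.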