4.7. Installing the Password Sync Service

Windows Synchronization is mostly handled by the Directory Server alone, but synchronizing passwords requires a special "hook" that catches password changes and sends them over a secure connection between the Directory Server and Active Directory sync peers. For password synchronization, it is necessary to install the Password Sync Service.
Password Sync can be installed on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
Passwords can only be synchronized if both the Directory Server and Windows server are running in SSL, the sync agreement is configured over an SSL connection, and certificate databases are configured for Password Sync to access.

4.7.1. Installing the Password Sync Service

These steps show how to install the Password Sync Service.

Procedure 4.1. Installing the Password Sync Service

  1. Click Downloads at the top of the page.
  2. Select Red Hat Directory Server from the product list.
  3. Select your Directory Server Version and Architecture. After this, a link to download the WinSync Installer is available. This is the Password Sync MSI file. Save the file to the Active Directory machine.

    Note

    There are two WinSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the appropriate packages for your Windows platform.
  4. Double-click the Password Sync MSI file to install it.
  5. The Password Sync Setup window appears. Hit Next to begin installing.
  6. Fill in the Directory Server host name, secure port number, user name (such as cn=sync manager,cn=config), the certificate token (password), and the search base (for example, ou=People,dc=example,dc=com).
    Hit Next, then Finish to install Password Sync.
  7. Reboot the Windows machine to start Password Sync.

    Note

    The Windows machine must be rebooted. Without a reboot, PasswordHook.dll is not enabled, and password synchronization will not function.
    The first attempt to synchronize passwords, which happens when the Password Sync application is installed, will always fail because the SSL connection between the Directory Server and Active Directory sync peers is not yet configured. The tools to create the certificate and key databases are installed with the .msi.

Table 4.5. Installed Password Sync Libraries

Directory                                                    Library
C:\WINDOWS\system32                                          passhook.dll
C:\WINDOWS\system32                                          libnspr4.dll
C:\WINDOWS\system32                                          nss3.dll
C:\WINDOWS\system32                                          sqlite3.dll
C:\WINDOWS\system32                                          softokn3.dll
C:\WINDOWS\system32                                          nssdbm3.dll
C:\WINDOWS\system32                                          nssutil3.dll
C:\WINDOWS\system32                                          smime3.dll
C:\WINDOWS\system32                                          freebl3.dll
C:\WINDOWS\system32                                          ssl3.dll
C:\WINDOWS\system32                                          libplc4.dll
C:\WINDOWS\system32                                          libplds4.dll
C:\Program Files\Red Hat Directory Password Synchronization  nsldap32v60.dll
C:\Program Files\Red Hat Directory Password Synchronization  nsldappr32v60.dll
C:\Program Files\Red Hat Directory Password Synchronization  nsldapssl32v60.dll
C:\Program Files\Red Hat Directory Password Synchronization  nsldif32v60.dll
C:\Program Files\Red Hat Directory Password Synchronization  nssckbi.dll
C:\Program Files\Red Hat Directory Password Synchronization  msvcr71.dll
C:\Program Files\Red Hat Directory Password Synchronization  certutil.exe
C:\Program Files\Red Hat Directory Password Synchronization  pk12util.exe
C:\Program Files\Red Hat Directory Password Synchronization  passsync.exe
C:\Program Files\Red Hat Directory Password Synchronization  passsync.log[a]
[a] This log file is not an installed library, but it is created at installation.

4.7.2. Configuring the Password Sync Service

Configure the Password Sync Service by setting up certificates that Password Sync uses to access the Directory Server over SSL.

Note

SSL is required for Password Sync to send passwords to Directory Server. The service will not send the passwords except over SSL, to protect the clear text password sent from the Active Directory machine to the Directory Server machine. This means that Password Sync will not work until SSL is configured.

Procedure 4.2. Configuring the Password Sync Service

  1. On the Directory Server, export the server certificate.
    # certutil -d /etc/dirsrv/slapd-instance_name -L -n "CA certificate" -a > dsca.crt
  2. Copy the exported certificate from the Directory Server to the Windows machine.
  3. Open a command prompt on the Windows machine, and open the Password Sync installation directory.
    > cd "C:\Program Files\Red Hat Directory Password Synchronization"
  4. Create new cert8.db and key.db databases on the Windows machine.
    > certutil.exe -d . -N
  5. Import the server certificate from the Directory Server into the new certificate database.
    > certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
  6. Verify that the CA certificate was correctly imported.
    > certutil.exe -d . -L -n "DS CA cert"
  7. Reboot the Windows machine. The Password Sync service is not available until after a system reboot.
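The Windows side of Procedure 4.2 (steps 3 through 6) as a script that also verifies each step before the reboot. This is an added example, not part of the Red Hat documentation or the Password Sync product; it assumes the default installation directory from Table 4.5, that the exported CA file has already been copied to the path given in -DsCaCert, and that the nickname "DS CA cert" is used as in step 5.

```powershell
# Added example (not Red Hat's code): run and verify the certificate database
# setup for Password Sync. Assumes the default install directory and that the
# exported CA certificate has already been copied to $DsCaCert.
param(
    [Parameter(Mandatory = $true)][string]$DsCaCert,   # e.g. C:\temp\dsca.crt
    [string]$Nickname = "DS CA cert"
)
$ErrorActionPreference = "Stop"
$installDir = "C:\Program Files\Red Hat Directory Password Synchronization"
$certutil   = Join-Path $installDir "certutil.exe"

if (-not (Test-Path $certutil)) { throw "Password Sync is not installed in $installDir" }
if (-not (Test-Path $DsCaCert)) { throw "Exported CA certificate not found: $DsCaCert" }

Set-Location $installDir

# Step 4: create the cert8.db and key databases only once. certutil -N prompts
# for the database password; it must match the certificate token (password)
# entered in the installer (Procedure 4.1, step 6), or Password Sync cannot
# open the database.
if (-not (Test-Path (Join-Path $installDir "cert8.db"))) {
    & $certutil -d . -N
    if ($LASTEXITCODE -ne 0) { throw "certutil -N failed with exit code $LASTEXITCODE" }
}

# Step 5: import the Directory Server CA certificate with trust flags CT,,
# (trusted to issue SSL server and client certificates).
& $certutil -d . -A -n $Nickname -t "CT,," -a -i $DsCaCert
if ($LASTEXITCODE -ne 0) { throw "certutil -A failed with exit code $LASTEXITCODE" }

# Step 6: verify that the certificate is listed under the expected nickname
# and still carries the CT,, trust flags (a later import can silently change them).
$listing = & $certutil -d . -L
$pattern = "^\s*" + [regex]::Escape($Nickname) + "\s+CT,,"
if ($LASTEXITCODE -ne 0 -or -not ($listing | Select-String -Pattern $pattern)) {
    throw "'$Nickname' is missing or not trusted as a CA in $installDir"
}

# Table 4.5: the password hook must be present in system32 or no password
# change will ever reach Directory Server.
$hook = Join-Path $env:SystemRoot "system32\passhook.dll"
if (-not (Test-Path $hook)) { throw "$hook not found; reinstall the Password Sync MSI" }

Write-Host "Certificate database ready. Reboot now: Password Sync only starts after a reboot."
```

Run it from an elevated PowerShell prompt on the domain controller after copying dsca.crt from the Directory Server; the password prompt comes from certutil -N itself, so the script never stores the token password.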

Note

If any Active Directory user accounts exist when Password Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed, because Password Sync cannot recover a clear text password once Active Directory has stored it only as a hash.