Chapter 6. Installing, updating, and uninstalling the password synchronization service

To synchronize passwords between Active Directory and Red Hat Directory Server, you must use the password synchronization service. This chapter contains information about how the password synchronization service functions, as well as how to install, update, and remove it.

6.1. Understanding how the password synchronization service works

When you set up password synchronization with Active Directory, Directory Server retrieves all attributes of user objects except the password. Active Directory stores only encrypted passwords, but Directory Server uses a different encryption. As a result, the passwords of Active Directory users must be encrypted by Directory Server.

To enable password synchronization between Active Directory and Directory Server, the Red Hat Directory Password Sync service hooks into the Windows password changing routine of a DC. If a user or administrator sets or updates a password, the service retrieves the password in plain text before it is encrypted and stored in Active Directory. This process enables Red Hat Directory Password Sync to send the plain text password to Directory Server. To protect the password, the service supports only LDAPS connections to Directory Server. When Directory Server stores the password in the user’s entry, the password is automatically encrypted with the password storage scheme configured in Directory Server.

Important

In Active Directory, all writable DCs can process password actions. Therefore, you must install Red Hat Directory Password Sync on every writable DC in the Active Directory domain.
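Because a single writable DC without the service silently breaks synchronization for every password it processes, it is worth checking coverage after an installation or update. The following PowerShell script is an added example, not part of the Red Hat documentation: it enumerates the writable DCs of the current domain and reports, for each, whether the Red Hat Directory Password Sync product is installed and whether its password hook is registered. It assumes the ActiveDirectory module and WinRM access to the DCs, and it assumes (this is not stated in the documentation) that the product registers PasswordHook.dll in the LSA "Notification Packages" value, as Windows password filters do.

```powershell
# Added example (not Red Hat's code): report PassSync coverage on all writable DCs.
# Assumptions: ActiveDirectory module present, WinRM enabled on the DCs, and the
# hook registered under the LSA "Notification Packages" value as "PasswordHook".
Import-Module ActiveDirectory

# Only writable DCs process password changes, so RODCs are excluded.
$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$check = {
    # Standard Windows uninstall registry keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Red Hat Directory Password Sync*' } |
        Select-Object -First 1

    # Assumption: the hook is a password filter listed in "Notification Packages".
    # Entries added there take effect only after a reboot, which matches the
    # reboot requirement in the installation procedure.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $hookRegistered = [bool]($lsa.'Notification Packages' -contains 'PasswordHook')

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Installed      = [bool]$product
        Version        = $product.DisplayVersion
        HookRegistered = $hookRegistered
        Error          = $null
    }
}

$results = foreach ($dc in $writableDCs) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock $check -ErrorAction Stop
    } catch {
        [pscustomobject]@{
            Computer       = $dc.HostName
            Installed      = $null
            Version        = $null
            HookRegistered = $null
            Error          = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Any DC that is installed but has no registered hook most likely still needs its reboot.
$gaps = $results | Where-Object { -not $_.Installed -or -not $_.HookRegistered }
if ($gaps) {
    Write-Warning ("PassSync missing or inactive on: " + ($gaps.Computer -join ', '))
}
```

Run the script from a management host with the RSAT ActiveDirectory module after every installation, update, or promotion of a new DC; a DC that shows `Installed` but not `HookRegistered` is the typical "forgot to reboot" case described in the installation procedure.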

6.2. Downloading the password synchronization service installer

Before you can install the Red Hat Directory Password Sync service, download the installer from the Customer Portal.

Prerequisites

Procedure

  1. Log into the Red Hat Customer Portal.
  2. Click Downloads at the top of the page.
  3. Select Red Hat Directory Server from the product list.
  4. Select 11 in the Version field.
  5. Download the PassSync Installer.
  6. Copy the installer to every writable Active Directory domain controller (DC).

6.3. Installing the password synchronization service

This section describes how to install Red Hat Directory Password Sync on Windows domain controllers (DCs). For further detail, see Section 6.1, “Understanding how the password synchronization service works”.

Prerequisites

Procedure

  1. Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds11.*-x86_64.msi file to install it.
  3. The Red Hat Directory Password Sync Setup appears. Click Next.
  4. Fill the fields according to your Directory Server environment. For example:

    (Screenshot: PassSync settings)

    Fill the following information of the Directory Server host into the fields:

    • Host Name: Sets the name of the Directory Server host. Alternatively, you can set the field to the IPv4 or IPv6 address of the Directory Server host.
    • Port Number: Sets the LDAPS port number.
    • User Name: Sets the distinguished name (DN) of the synchronization user account.
    • Password: Sets the password of the synchronization user.
    • Cert Token: Sets the password of the server certificate copied from the Directory Server host.
    • Search Base: Sets the DN of the Directory Server entry that contains the synchronized user accounts.
  5. Click Next to start the installation.
  6. Click Finish.
  7. Reboot the Windows DC.

    Note

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization will fail.

  8. Set up synchronization between Active Directory and Directory Server as described in the Setting up Synchronization Between Active Directory and Directory Server section in the Red Hat Directory Server Administration Guide. Until the synchronization is fully configured, password synchronization will fail.

Repeat this procedure on every writable Windows DC.
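The setup dialog gives no feedback on whether the Host Name, Port Number, User Name, Password, and Search Base values actually work; a mistake only shows up later as failed synchronization. The following PowerShell script is an added example, not part of the Red Hat documentation or the PassSync installer: run it on the DC before installing to confirm that an LDAPS simple bind with the synchronization user succeeds and that the search base is readable. The host name, port, DN, and search base are constructed placeholders. It uses the .NET System.DirectoryServices.Protocols API, not the PassSync service itself.

```powershell
# Added example (not Red Hat's code): pre-flight check of the PassSync settings
# over LDAPS from the Windows DC. All values below are constructed placeholders;
# replace them with the values for your Directory Server environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$HostName   = 'ds.example.com'               # Host Name field (placeholder)
$PortNumber = 636                             # Port Number field, LDAPS (placeholder)
$UserName   = 'cn=pass sync,cn=config'        # User Name field: sync user DN (placeholder)
$SearchBase = 'ou=People,dc=example,dc=com'   # Search Base field (placeholder)

# Prompt instead of hard-coding the sync user's password in the script.
$secure = Read-Host -Prompt 'Password of the synchronization user' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($HostName, $PortNumber)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.SecureSocketLayer = $true   # PassSync supports only LDAPS
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = [System.Net.NetworkCredential]::new($UserName, $plain)

try {
    # Fails if the port is not LDAPS, the server certificate is not trusted by
    # Windows, or the DN/password pair is wrong.
    $conn.Bind()
    Write-Host "LDAPS bind to ${HostName}:${PortNumber} as $UserName succeeded."

    # Base-scope search of the search base; '1.1' requests no attributes.
    $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $SearchBase,
        '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('1.1'))
    $response = $conn.SendRequest($request)

    if ($response.Entries.Count -eq 1) {
        Write-Host "Search base $SearchBase exists and is readable by $UserName."
    } else {
        Write-Warning "Search base $SearchBase returned no entry; check the DN and the sync user's ACIs."
    }
} catch [System.DirectoryServices.Protocols.DirectoryException] {
    # Covers LdapException (connection/bind) and DirectoryOperationException (search).
    Write-Error "LDAP check failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
    $plain = $null
}
```

This check covers the host, port, credentials, and search base only. It does not validate the Cert Token value, and a successful Windows-side TLS handshake does not by itself prove that the service's own certificate configuration is correct, so keep the reboot and the synchronization setup in step 8 as the final confirmation.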

6.4. Updating the password synchronization service

This section describes how to update an existing Red Hat Directory Password Sync installation on a Windows domain controller (DC).

Prerequisites

Procedure

  1. Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds11.*-x86_64.msi file.
  3. Click Next to begin installing.
  4. Click the Modify button.
  5. The setup displays the configuration set during the previous installation. Click Next to keep the existing settings.
  6. Click Next to start the installation.
  7. Click Finish.
  8. Reboot the Windows DC.

    Note

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization will fail.

Repeat this procedure on every writable Windows DC.

6.5. Uninstalling the password synchronization service

This section contains information about uninstalling the Red Hat Directory Password Sync service from a Windows domain controller (DC).

Prerequisites

  • Red Hat Directory Password Sync running on the Windows DC.

Procedure

  1. Log in to the Active Directory domain controller with a user that has permissions to remove software from the DC.
  2. Open the Control Panel.
  3. Click Programs and then Programs and Features.
  4. Select the Red Hat Directory Password Sync entry, and click the Uninstall button.

    (Screenshot: Removing PassSync using the Control Panel)
  5. Click Yes to confirm.