Chapter 6. Installing, updating, and uninstalling the password synchronization service
To synchronize passwords between Active Directory and Red Hat Directory Server, you must use the Red Hat Directory Password Sync service (PassSync). This chapter explains how the password synchronization service works and how to install, update, and remove it.
6.1. Understanding how the password synchronization service works
When you set up password synchronization with Active Directory, Directory Server retrieves all attributes of user objects except the password. Active Directory stores only password hashes, and its hashing scheme differs from the password storage schemes that Directory Server supports, so Directory Server cannot reuse the Active Directory hash. As a result, Directory Server must receive the clear-text password of each Active Directory user and hash it itself.
To enable password synchronization between Active Directory and Directory Server, the Red Hat Directory Password Sync service hooks into the Windows password change routine on a domain controller (DC). When a user or administrator sets or changes a password, the hook receives the new password in clear text before Windows hashes it and stores it in Active Directory, and hands it to the service, which sends it to Directory Server. Because the clear-text password crosses the network, the service supports only LDAPS connections to Directory Server; it never sends the password over unencrypted LDAP. When Directory Server stores the password in the user's entry, it automatically hashes it with the password storage scheme configured in Directory Server.
In an Active Directory domain, any writable DC can process a password change, and the hook only sees changes that are processed on the DC where it is installed. Therefore, you must install Red Hat Directory Password Sync on every writable DC in the domain; password changes handled by a DC without the service are not synchronized.
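Because the service only talks LDAPS, the most common installation failure is an LDAPS endpoint that the DC cannot reach or a certificate that does not match the host name entered in the installer. The following PowerShell script is an added example and is not part of the Red Hat documentation or of PassSync. Run it on a DC before installing the service. It checks TCP reachability, performs a TLS handshake, and reports the certificate that Directory Server presents. The host name ds.example.com is an assumed placeholder; 636 is the standard LDAPS port. The Windows chain check is indicative only, because PassSync trusts certificates through its own configuration (see the Administration Guide), not through the Windows certificate store.

```powershell
# Added example, not part of the Red Hat Directory Server documentation or PassSync.
# Run on a Windows DC before installing PassSync. Checks that the Directory Server
# LDAPS endpoint is reachable and shows the certificate it presents, so that the
# Host Name and Port Number you enter in the installer are known good.
# $DsHost is an assumed placeholder value; 636 is the standard LDAPS port.
param(
    [string]$DsHost = 'ds.example.com',
    [int]$DsPort = 636
)

function Test-DsLdapsEndpoint {
    param([string]$HostName, [int]$Port)

    # 1. Plain TCP reachability. PassSync only speaks LDAPS, so a blocked
    #    port between the DC and Directory Server means no synchronization.
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "TCP connection to ${HostName}:${Port} failed. Check firewalls between the DC and Directory Server."
    }

    # 2. TLS handshake. The callback accepts any certificate so that we can
    #    inspect it; trust is evaluated explicitly in step 4, not here.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }

    # 3. Does the certificate name match what you will type as Host Name?
    #    If you plan to enter an IP address instead, expect this to be false.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $certName = $cert.GetNameInfo($dnsType, $false)
    $nameMatches = $certName -ieq $HostName

    # 4. Is the chain trusted by this Windows host? Indicative only: PassSync
    #    trusts certificates through its own configuration, not the Windows store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Host         = $HostName
        Port         = $Port
        TlsProtocol  = $protocol
        Subject      = $cert.Subject
        CertName     = $certName
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        NameMatches  = $nameMatches
        ChainTrusted = $chainTrusted
        ChainStatus  = $chainStatus
    }
}

$result = Test-DsLdapsEndpoint -HostName $DsHost -Port $DsPort
$result | Format-List

if ($result.NotAfter -lt (Get-Date)) { Write-Warning 'The Directory Server certificate has expired.' }
if (-not $result.NameMatches)        { Write-Warning "Certificate name '$($result.CertName)' does not match '$DsHost'." }
if (-not $result.ChainTrusted)       { Write-Warning "Windows does not trust the chain ($($result.ChainStatus)); make sure the Directory Server CA certificate is available to PassSync." }
```

Run it as `.\Test-DsLdaps.ps1 -DsHost <directory-server-host> -DsPort 636` (the script file name is yours to choose). A TCP failure or an expired certificate must be fixed before you install; a name mismatch means the Host Name field should hold the name the certificate was issued for, or the certificate should be reissued.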
6.2. Downloading the password synchronization service installer
Before you can install the Red Hat Directory Password Sync service, download the installer from the Customer Portal.
Prerequisites
- A valid Red Hat Directory Server subscription
- An account on the Red Hat Customer Portal
Procedure
- Log into the Red Hat Customer Portal.
- Click Downloads at the top of the page.
- Select Red Hat Directory Server from the product list.
- Select 11 in the Version field.
- Download the PassSync Installer.
- Copy the installer to every writable Active Directory domain controller (DC).
6.3. Installing the password synchronization service
This section describes how to install the Red Hat Directory Password Sync service on Windows domain controllers (DCs). For background on how the service works, see Section 6.1, "Understanding how the password synchronization service works".
Prerequisites
- The latest version of the PassSync Installer downloaded to the Windows Active Directory domain controller (DC). For details, see Section 6.2, “Downloading the password synchronization service installer”.
- A prepared Directory Server host as described in Setting up Synchronization Between Active Directory and Directory Server in the Red Hat Directory Server Administration Guide.
Procedure
- Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
- Double-click the RedHat-PassSync-ds11.*-x86_64.msi file to start the installer.
- The Red Hat Directory Password Sync Setup window appears. Click Next.
- Fill in the fields with the details of your Directory Server environment:
  - Host Name: Sets the name of the Directory Server host. Alternatively, you can set the field to the IPv4 or IPv6 address of the Directory Server host.
  - Port Number: Sets the LDAPS port number of the Directory Server host (636 by default). The service does not connect over unencrypted LDAP.
  - User Name: Sets the distinguished name (DN) of the synchronization user account.
  - Password: Sets the password of the synchronization user.
  - Cert Token: Sets the password of the server certificate copied from the Directory Server host.
  - Search Base: Sets the DN of the Directory Server entry that contains the synchronized user accounts.
- Click Next to start the installation.
- Click Finish.
- Reboot the Windows DC.
  Note: Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.
- Set up synchronization between Active Directory and Directory Server as described in the Setting up Synchronization Between Active Directory and Directory Server section in the Red Hat Directory Server Administration Guide. Until the synchronization is fully configured, password synchronization fails.
Repeat this procedure on every writable Windows DC.
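The reboot requirement above is easy to overlook when many DCs are being set up. The following PowerShell script is an added example and is not part of the Red Hat documentation or of PassSync. Run it as Administrator on each DC after the reboot; it checks that the hook library is present, registered with the Local Security Authority (LSA), currently loaded in lsass.exe, and that the synchronization service is running. The assumptions are: the hook library is PasswordHook.dll (the name used in this chapter), it is installed in %SystemRoot%\System32, LSA registers it under its base name in the Notification Packages value, and the service name or display name contains "PassSync" or "Password Sync". Adjust these to what the MSI installed on your DC.

```powershell
# Added example, not part of the Red Hat Directory Server documentation or PassSync.
# Run as Administrator on a DC after installing PassSync and rebooting.
# Assumptions (adjust to your installation): the hook is PasswordHook.dll in
# %SystemRoot%\System32, it is listed in LSA 'Notification Packages' under its
# base name, and the service name/display name contains "PassSync"/"Password Sync".
param(
    [string]$HookDll = 'PasswordHook.dll'
)

function Test-PassSyncHook {
    param([string]$Dll)

    $base = [System.IO.Path]::GetFileNameWithoutExtension($Dll)
    $dllPath = Join-Path $env:SystemRoot "System32\$Dll"

    # 1. LSA loads password filters listed in 'Notification Packages' (REG_MULTI_SZ,
    #    DLL base names). The list is read at boot, which is why the DC must be
    #    rebooted after the installer has added the hook.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Notification Packages'
    $packages = @($lsa.'Notification Packages')
    $registered = $packages -contains $base

    # 2. Is the DLL loaded into lsass.exe right now? Registered but not loaded
    #    means the DC has not been rebooted since the MSI ran.
    try {
        $lsass = Get-Process -Name lsass -ErrorAction Stop
        $loaded = [bool]($lsass.Modules | Where-Object { $_.ModuleName -ieq $Dll })
    } catch {
        # Module enumeration is refused when LSA runs as a protected process
        # (RunAsPPL); report unknown rather than failing the whole check.
        $loaded = $null
    }

    # 3. The synchronization service itself (heuristic name match, see assumptions).
    $svc = Get-Service |
        Where-Object { $_.Name -like '*PassSync*' -or $_.DisplayName -like '*Password Sync*' } |
        Select-Object -First 1
    $svcName   = if ($svc) { $svc.Name } else { '<not found>' }
    $svcStatus = if ($svc) { [string]$svc.Status } else { '<not found>' }

    [pscustomobject]@{
        HookDll           = $Dll
        DllPresent        = Test-Path -LiteralPath $dllPath
        RegisteredWithLsa = $registered
        NotificationPkgs  = ($packages -join ', ')
        LoadedInLsass     = $loaded
        ServiceName       = $svcName
        ServiceStatus     = $svcStatus
    }
}

$r = Test-PassSyncHook -Dll $HookDll
$r | Format-List

$problems = @()
if (-not $r.DllPresent)             { $problems += "$HookDll not found in System32" }
if (-not $r.RegisteredWithLsa)      { $problems += 'hook not listed in LSA Notification Packages' }
if ($r.LoadedInLsass -eq $false)    { $problems += 'hook not loaded in lsass.exe (reboot the DC)' }
if ($null -eq $r.LoadedInLsass)     { Write-Warning 'Could not inspect lsass.exe modules (LSA protection?); verify the reboot manually.' }
if ($r.ServiceStatus -ne 'Running') { $problems += 'synchronization service not running' }

if ($problems) {
    Write-Warning ('Password synchronization will fail on this DC: ' + ($problems -join '; '))
    exit 1
}
'PassSync hook and service look healthy on this DC.'
```

A non-zero exit code from this script on any writable DC means password changes processed on that DC are not reaching Directory Server; the most frequent cause is simply a pending reboot.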
6.4. Updating the password synchronization service
This section describes how to update an existing Red Hat Directory Password Sync installation on a Windows domain controller (DC).
Prerequisites
- Red Hat Directory Password Sync is running on your Windows DCs.
- The latest version of the PassSync Installer downloaded to the Windows Active Directory domain controller (DC). For details, see Section 6.2, “Downloading the password synchronization service installer”.
Procedure
- Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
- Double-click the RedHat-PassSync-ds11.*-x86_64.msi file.
- Click Next to begin installing.
- Click the Modify button.
- The setup displays the configuration set during the previous installation. Click Next to keep the existing settings.
- Click Next to start the installation.
- Click Finish.
- Reboot the Windows DC.
  Note: Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.
Repeat this procedure on every writable Windows DC.
6.5. Uninstalling the password synchronization service
This section contains information about uninstalling the Red Hat Directory Password Sync service from a Windows domain controller (DC).
Prerequisites
- Red Hat Directory Password Sync running on the Windows DC.
Procedure
- Log in to the Active Directory domain controller with a user that has permissions to remove software from the DC.
- Open the Control Panel.
- Click Programs, and then Programs and Features.
- Select the Red Hat Directory Password Sync entry, and click the Uninstall button.
- Click Yes to confirm.
Repeat this procedure on every writable Windows DC from which you want to remove the service.