This article describes how to synchronize the Active Directory password to 389 Directory Server using the PassSync utility.
Configuring the User Permission
The 389 Directory Server sync user account should be given permission to update the password field. In our example, it is uid=SMaster,cn=config. You can create a sync user account using this article.
2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button for the Directory Server.
3. Click the Directory tab and click the folder corresponding to your domain. Next, right-click that same folder and click Set Access Permissions.
4. In the Manage Access Control window, click New.
5. In the Edit ACI window, click Edit Manually.
6. Change the value of the ACI to the one below. Click Ok when you are done.
(targetattr = "*")
(userdn = "ldap:///uid=SMaster,cn=config")
The userdn value, uid=SMaster,cn=config, should correspond to your sync user account.
7. Finally, click Ok.
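The same permission can be granted from the command line instead of the console. The LDIF below is an added example and is not part of this article or of the PassSync distribution; it assumes a base DN of dc=example,dc=com (a placeholder to replace with your own) and the sync user uid=SMaster,cn=config used above. It differs from the article's ACI in one respect: it targets only the userPassword attribute rather than targetattr = "*", so the sync user can reset passwords but cannot modify any other attribute.

```ldif
# Added example, not from the article: grant the PassSync sync user
# write access to userPassword only (least privilege), instead of "*".
# Assumptions: base DN dc=example,dc=com is a placeholder; the sync user
# DN uid=SMaster,cn=config is the one used in the article.
# Apply with (run on the 389 Directory Server host):
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f passsync-aci.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "PassSync password write"; allow (write) userdn = "ldap:///uid=SMaster,cn=config";)
```

PassSync also has to search the base DN to locate the entry whose password changed, so if your default ACIs do not already allow the sync user to read and search entries under the base DN, add a separate read/search rule for it rather than widening this one back to "*".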
PassSync should be installed in every Windows domain controller in your domain. You can download the PassSync installer here.
1. Launch the PassSync installer and click Next.
2. Fill in the Password Synchronization Information page and click Next. The fields are described below. In Cert Token, specify the password you plan to assign to the certificate database when you create it later. The password should be at least 8 characters long and should contain at least one non-alphabetic character.
- 389 Directory Server host name
- 389 Directory Server SSL port number
- User account in 389 Directory Server
- Password of the user account
- Certificate database password
- 389 Directory Server base DN
The settings above are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync.
3. Click Next on the Ready to Install page.
4. Finally, click Finish.
Creating the Certificate Database
1. Export the 389 Directory Server certificate using the command below. Execute the command in the /etc/dirsrv/slapd-xxx directory, where xxx corresponds to your directory server identifier. Copy the output file servercert.p12 to your target Windows server.
pk12util -d . -o servercert.p12 -n Server-Cert -k pwdfile.txt
pwdfile.txt contains the certificate database password created by the setupssl2.sh script. Use -K password to provide your own password if you manually configured SSL in 389 Directory Server.
2. On the Windows server, create the certificate database and load the 389 Directory Server certificate into it using the commands below. Before executing them, change the Command Prompt's current directory to the installation directory of PassSync, usually "C:\Program Files\Red Hat Directory Password Synchronization".
certutil -d . -N
pk12util -d . -i servercert.p12
certutil -d . -M -n Server-Cert -t "P,P,P"
1. Restart the Password Synchronization service.
2. Reset a user password and check whether it synchronizes with 389 Directory Server.
If you encounter any problems, check the log file at C:\Program Files\Red Hat Directory Password Synchronization\passsync.log.
Posted on 2/10/2009 and last updated on 11/6/2009