This article describes how to synchronize the Active Directory password to 389 Directory Server using the PassSync utility.
Configuring the User Permission
The 389 Directory Server sync user account must be granted permission to update the userPassword attribute. In our example the account is uid=SMaster,cn=config. You can create a sync user account by following this article.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.
3. Click the Directory tab and click the folder corresponding to your domain. Next, right-click that same folder and click Set Access Permissions.

6. Change the value of the ACI to the one below and click OK when you are done.
(targetattr = "*") (version 3.0; acl "PassSync"; allow (all) (userdn = "ldap:///uid=SMaster,cn=config") ;)
userdn should correspond to your sync user account. Note that this ACI grants the sync user every right on every attribute under the suffix. PassSync only needs to write the userPassword attribute, so in production restrict targetattr to userPassword and the allowed rights to write.
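To make the permission point concrete, here is an added example that is not part of the original article and not a 389 Directory Server tool: a small Python check that parses an ACI in the form used above and flags grants wider than what PassSync needs. The policy it encodes (write on userPassword only, bound to the sync user's DN) is an assumption about the minimum for password synchronization; the ARTICLE_ACI and SCOPED_ACI strings are constructed for the example.

```python
import re
from dataclasses import dataclass

# Two constructed ACIs for the example. The first is the one the article
# applies; the second is the narrower grant PassSync actually needs.
ARTICLE_ACI = ('(targetattr = "*") (version 3.0; acl "PassSync"; allow (all) '
               '(userdn = "ldap:///uid=SMaster,cn=config") ;)')
SCOPED_ACI = ('(targetattr = "userPassword") (version 3.0; acl "PassSync"; '
              'allow (write) userdn = "ldap:///uid=SMaster,cn=config";)')

# Assumed policy for this example: the only attribute PassSync writes
# and the only right it needs on it.
SYNC_ATTRS = {"userpassword"}
SYNC_RIGHTS = {"write"}

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)
_USERDN = re.compile(r'\buserdn\s*=\s*"([^"]*)"', re.I)


@dataclass
class Aci:
    name: str
    targetattrs: list   # attribute names from targetattr, lower-cased
    rights: set         # rights inside allow (...), lower-cased
    userdns: list       # every userdn bind rule found in the ACI


def parse_aci(text):
    """Extract the parts of a 389 DS ACI that matter for a permission review.

    Only the common 'allow' form with a positive targetattr is handled; anything
    else raises so the reviewer looks at it by hand instead of getting a silent pass.
    """
    ta = _TARGETATTR.search(text)
    if ta is None or ta.group(1) == "!=":
        raise ValueError('expected a positive (targetattr = "...") clause')
    name = _ACL_NAME.search(text)
    allow = _ALLOW.search(text)
    if name is None or allow is None:
        raise ValueError('expected acl "name" and allow (rights) clauses')
    if re.search(r"\bdeny\s*\(", text, re.I):
        raise ValueError("deny rules are not handled by this check")
    return Aci(
        name=name.group(1),
        targetattrs=[a.strip().lower() for a in ta.group(2).split("||")],
        rights={r.strip().lower() for r in allow.group(1).split(",")},
        userdns=_USERDN.findall(text),
    )


def audit_sync_aci(text, sync_user_dn):
    """Return a list of findings; an empty list means the ACI is least-privilege
    for a PassSync user that binds as sync_user_dn."""
    aci = parse_aci(text)
    findings = []
    if "*" in aci.targetattrs:
        findings.append('targetattr "*" exposes every attribute, not just userPassword')
    else:
        extra = sorted(set(aci.targetattrs) - SYNC_ATTRS)
        if extra:
            findings.append("attributes beyond userPassword: " + ", ".join(extra))
    if "all" in aci.rights:
        findings.append("allow (all) grants read, search, add and delete as well as write")
    else:
        extra_rights = sorted(aci.rights - SYNC_RIGHTS)
        if extra_rights:
            findings.append("rights beyond write: " + ", ".join(extra_rights))
    expected = "ldap:///" + sync_user_dn
    for dn in aci.userdns:
        if dn.lower() != expected.lower():
            findings.append("userdn %r is not the sync user" % dn)
    if not aci.userdns:
        findings.append("no userdn bind rule: the grant is not tied to the sync user")
    return findings


def scoped_aci(sync_user_dn, acl_name="PassSync"):
    """Build the least-privilege ACI for a PassSync user: write on userPassword only."""
    return ('(targetattr = "userPassword") (version 3.0; acl "%s"; '
            'allow (write) userdn = "ldap:///%s";)' % (acl_name, sync_user_dn))


if __name__ == "__main__":
    user = "uid=SMaster,cn=config"
    for label, aci in (("article", ARTICLE_ACI), ("scoped", SCOPED_ACI)):
        print(label, audit_sync_aci(aci, user) or ["ok"])
```

Run against the article's ACI the audit reports two findings (the wildcard targetattr and allow (all)); the scoped ACI, or the one produced by scoped_aci(), passes clean. The check deliberately refuses deny rules and negated targetattr rather than guessing at their effect.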
Installing PassSync
PassSync must be installed on every Windows domain controller in your domain, because a password change is captured on whichever domain controller processes it. You can download the PassSync installer here.


2. Fill in the Password Synchronization Information page and click Next. The fields are described below. In Cert Token, specify the password you plan to assign to the certificate database when you create it later; it must be at least 8 characters long and contain at least one non-alphabetic character.
Host Name: 389 Directory Server host name
Port Number: 389 Directory Server SSL (LDAPS) port number
User Name: sync user account in 389 Directory Server (uid=SMaster,cn=config in our example)
Password: password of that user account
Cert Token: certificate database password
Search Base: 389 Directory Server base DN under which the user entries to be synchronized live
The settings above are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync. Because they include the sync user's password, treat that key as sensitive and keep it limited to administrators.
Creating the Certificate Database

1. Export the 389 Directory Server certificate with the command below. Run it in the /etc/dirsrv/slapd-xxx directory, where xxx is your directory server identifier, then copy the output file servercert.p12 to the target Windows server.
pk12util -d . -o servercert.p12 -n Server-Cert -k pwdfile.txt
pwdfile.txt contains the certificate database password created by the setupssl2.sh script. If you configured SSL in 389 Directory Server manually, supply your own password with -K password instead. pk12util also prompts for a password to protect the PKCS#12 file; you will need it again when importing on Windows. Be aware that a PKCS#12 export of Server-Cert contains the server's private key as well as the certificate, so protect the file in transit and remove it from the Windows server once the import is done. PassSync only needs to trust the certificate itself; if you would rather not copy the key at all, export just the certificate (certutil -L with -a) and add it on Windows with certutil -A.


2. On the Windows server, create the certificate database and load the 389 Directory Server certificate into it with the commands below. Before running them, change the Command Prompt's current directory to the PassSync installation directory, usually "C:\Program Files\Red Hat Directory Password Synchronization". Windows ships its own certutil.exe in System32 (part of Certificate Services), so run the commands from that directory to be sure the NSS certutil bundled with PassSync is the one that executes. certutil -N prompts for the new database password; enter the Cert Token value you gave the installer. pk12util -i prompts for the password that protects servercert.p12.
certutil -d . -N
pk12util -d . -i servercert.p12
certutil -d . -M -n Server-Cert -t "P,P,P"
The -M step marks the imported certificate as a trusted peer so PassSync accepts it when connecting to the SSL port. Delete servercert.p12 from the domain controller after the import succeeds, since it contains the server's private key.
Testing PassSync
If you encounter any problems, check the log file at C:\Program Files\Red Hat Directory Password Synchronization\passsync.log.
Visit the forum to ask for help or to give a comment.
***
Posted on 2/10/2009 and last updated on 11/6/2009
Filed under 389 Directory Server , Active Directory
May 5th, 2009 at 3:00 pm
Hi,
I have got this error "pk12util: find user certs from nickname failed: security library: bad database." when I was trying to:
"pk12util -d . -o servercert.p12 -n Server-Cert -k pwdfile.txt"
(I want to sync FDS with win2003 Active Directory and you know that I need to export certificates from FDS to win2003...)
Where is the problem?