[389-users] Configuring password syncing 389 -> AD
Hi,

We currently are syncing passwords from Active Directory to 389 via the Passsync service installed on our domain controllers. We would like to reverse this, and set up syncing passwords (and only passwords, no other attributes) from 389 to AD (while keeping password syncing from AD to 389 in place). The documentation provided seems convoluted. Can anyone tell me if this can be done, and how I would go about it?

In addition, I do not want to use ADCA in our AD domain; I would rather use a 3rd party cert.

Thanks,

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
[389-users] Re: Unable to connect to Admin server via 389 windows console
For the record, it seemed like the fix for this was installing the Firefox x86 version. I only had the 64-bit version installed.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

From: "Noriko Hosoi" <nho...@redhat.com>
To: 389-users@lists.fedoraproject.org
Sent: Thursday, March 3, 2016 3:17:16 PM
Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console

On 03/03/2016 11:58 AM, Daniel Franciscus wrote:
> SSL3 is disabled. SSL2 is the preferred and then TLS.

Is SSLv2 enabled on your server? It should be completely disabled.

What is the version of your server?

$ rpm -q 389-ds-base

Please note that SSL v3 was disabled since 1.3.3.6-1.
- Ticket 47928 - Disable SSL v3, by default.
And so is in the Windows Console.

What does your cn=encryption,cn=config entry look like?

Thanks.

> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
>
> From: "Noriko Hosoi" <nho...@redhat.com>
> To: 389-users@lists.fedoraproject.org
> Sent: Wednesday, March 2, 2016 5:03:56 PM
> Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console
>
> Could you please double check your Directory Server is configured with SSLv3 disabled?
> http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html
>
> On 03/02/2016 01:35 PM, Daniel Franciscus wrote:
>> OK, new error now after upgrading:
>>
>> Unable to create ssl socket
>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12279) Peer using unsupported version of security protocol.
>>     at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
>>     at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
>>     at com.netscape.management.client.comm.CommManager.send(Unknown Source)
>>     at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
>>     at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
>>     at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
>>     at com.netscape.management.client.console.Console.(Unknown Source)
>>     at com.netscape.management.client.console.Console.main(Unknown Source)
>>
>> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
[389-users] Re: Unable to connect to Admin server via 389 windows console
OK, new error now after upgrading:

Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12279) Peer using unsupported version of security protocol.
    at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
    at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
    at com.netscape.management.client.comm.CommManager.send(Unknown Source)
    at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
    at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
    at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
    at com.netscape.management.client.console.Console.(Unknown Source)
    at com.netscape.management.client.console.Console.main(Unknown Source)

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

From: "Mark Reynolds" <marey...@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, mreyno...@redhat.com
Sent: Wednesday, March 2, 2016 11:03:21 AM
Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console

On 03/02/2016 08:29 AM, Daniel Franciscus wrote:
> C:\Program Files\389 Management Console>"java" "-Djava.library.path=." -cp "./jss4.jar;./ldapjdk.jar;./idm-console-base.jar;./idm-console-mcc.jar;./idm-console-mcc_en.jar;./idm-console-nmclf.jar;./idm-console-nmclf_en.jar;./389-console_en.jar" -Djava.util.prefs.systemRoot=I:\/.389-console -Djava.util.prefs.userRoot=I:\/.389-console -Djava.net.preferIPv4Stack=true com.netscape.management.client.console.Console -D 9
> [Java system property dump omitted]
> 389-Management-Console/1.1.14 B2015.147.2124

You are not on the latest software. The latest is 1.1.15 which fixes the ssl connection issues:

389 Windows Console 1.1.15

The 389 Directory Server team is proud to announce 389-console-win version 1.1.15. Windows installers are available to download from Download 389 Windows Console (32-bit) and Download 389 Windows Console (64-bit).

Highlights in 389-console-win-1.1.15
* Windows Console now has the
[389-users] Re: Unable to connect to Admin server via 389 windows console
la.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1001)
    at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
    at com.netscape.management.client.comm.CommManager.send(Unknown Source)
    at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
    at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
    at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
    at com.netscape.management.client.console.Console.(Unknown Source)
    at com.netscape.management.client.console.Console.main(Unknown Source)

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

From: "Mark Reynolds" <marey...@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Sent: Tuesday, March 1, 2016 1:27:49 PM
Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console

Please run the console in debug mode and post the entire output:

389-console -D 9

On 03/01/2016 01:02 PM, Daniel Franciscus wrote:
> We are using SSL, and I am using the latest software.
>
> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
>
> From: "Mark Reynolds" <marey...@redhat.com>
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> Sent: Tuesday, March 1, 2016 10:58:16 AM
> Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console
>
> Are you using SSL in the Admin Server? If so, you should use the latest console for Windows:
>
> ===
> 389 Windows Console 1.1.15
>
> The 389 Directory Server team is proud to announce 389-console-win version 1.1.15. Windows installers are available to download from Download 389 Windows Console (32-bit) and Download 389 Windows Console (64-bit).
>
> Highlights in 389-console-win-1.1.15
> * Windows Console now has the same bug fixes and enhancements made for the Fedora 389-console.
> * A connection failure problem over SSL/start TLS was fixed.
> ...
> ...
> ======
>
> Mark
>
> On 03/01/2016 10:02 AM, Daniel Franciscus wrote:
>> Hello,
>>
>> I am having an issue connecting to our 389 server, but only from Windows servers it seems. It works fine on a Windows 7 workstation.
>>
>> What I have checked:
>> * Verified connectivity to port 9830
>> * Verified java version 7.0.90 installed and in the Path environment variable
>> * Can ping the hostname of the 389 server
>> * Tested on two Windows Server 2012 R2 servers
>>
>> I get the error:
>>
>> Cannot connect to the Admin server ""
>> The URL is not correct or the server is not running.
>>
>> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
[389-users] Re: Unable to connect to Admin server via 389 windows console
We are using SSL, and I am using the latest software.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

From: "Mark Reynolds" <marey...@redhat.com>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Sent: Tuesday, March 1, 2016 10:58:16 AM
Subject: [389-users] Re: Unable to connect to Admin server via 389 windows console

Are you using SSL in the Admin Server? If so, you should use the latest console for Windows:

===
389 Windows Console 1.1.15

The 389 Directory Server team is proud to announce 389-console-win version 1.1.15. Windows installers are available to download from Download 389 Windows Console (32-bit) and Download 389 Windows Console (64-bit).

Highlights in 389-console-win-1.1.15
* Windows Console now has the same bug fixes and enhancements made for the Fedora 389-console.
* A connection failure problem over SSL/start TLS was fixed.
...
...
==

Mark

On 03/01/2016 10:02 AM, Daniel Franciscus wrote:
> Hello,
>
> I am having an issue connecting to our 389 server, but only from Windows servers it seems. It works fine on a Windows 7 workstation.
>
> What I have checked:
> * Verified connectivity to port 9830
> * Verified java version 7.0.90 installed and in the Path environment variable
> * Can ping the hostname of the 389 server
> * Tested on two Windows Server 2012 R2 servers
>
> I get the error:
>
> Cannot connect to the Admin server ""
> The URL is not correct or the server is not running.
>
> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
[389-users] Unable to connect to Admin server via 389 windows console
Hello,

I am having an issue connecting to our 389 server, but only from Windows servers it seems. It works fine on a Windows 7 workstation.

What I have checked:
* Verified connectivity to port 9830
* Verified java version 7.0.90 installed and in the Path environment variable
* Can ping the hostname of the 389 server
* Tested on two Windows Server 2012 R2 servers

I get the error:

Cannot connect to the Admin server ""
The URL is not correct or the server is not running.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
[389-users] Passsync error initializing SSL err=-8015
Hello,

I am having an issue getting passsync to work on a Windows Server 2012 R2 server. After installing passsync and importing the cert, I am getting this error when the service attempts to start and fails:

error initializing SSL err=-8015

Does anyone have an idea what this error is referring to?

Other info: I am using a third party certificate, and I have passsync working on an identical server.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Passsync not changing passwords
Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password change. I am going to reboot the server after production hours again to see if that resolves it.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

- Original Message -
From: Noriko Hosoi nho...@redhat.com
To: 389-users@lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 2:01:41 PM
Subject: Re: [389-users] Passsync not changing passwords

On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
> Hello,
>
> We have two Windows Server 2003 domain controllers and I installed passsync on both servers in order to sync password changes to our 389 LDAP. On one domain controller, it appears passsync is working correctly as I can see in the passsync.log when I change a password through that domain controller. On the other domain controller, when I change a password I do not see any activity in the passsync.log at all. I have passsync on both domain controllers set to verbose logging. I also restarted both domain controllers after installing passsync.
>
> On the domain controller that is not syncing passwords the log appears as:
>
> 02/18/15 07:52:59: PassSync service initialized
> 02/18/15 07:52:59: PassSync service running
> 02/18/15 07:52:59: No entries yet
> 02/18/15 07:52:59: Password list is empty. Waiting for passhook event
>
> Does anyone have an idea of what the issue could be?

What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html

Did you have a chance to enable the passhook log? In regedit, go to:
HKEY_LOCAL_MACHINE -- SOFTWARE\PasswordSync
then set Log Level to 1.

If you add or modify a password on the Windows Server 2003 domain controller, what do you get? Any errors?

> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
[389-users] Passsync not changing passwords
Hello,

We have two Windows Server 2003 domain controllers and I installed passsync on both servers in order to sync password changes to our 389 LDAP. On one domain controller, it appears passsync is working correctly as I can see in the passsync.log when I change a password through that domain controller. On the other domain controller, when I change a password I do not see any activity in the passsync.log at all. I have passsync on both domain controllers set to verbose logging. I also restarted both domain controllers after installing passsync.

On the domain controller that is not syncing passwords the log appears as:

02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event

Does anyone have an idea of what the issue could be?

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
Re: [389-users] Passsync not changing passwords
Ah, I do not see passhook.dat or passhook.log. I tried uninstalling and re-installing but I still do not see those files there.

Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138

- Original Message -
From: Noriko Hosoi nho...@redhat.com
To: 389-users@lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 5:24:33 PM
Subject: Re: [389-users] Passsync not changing passwords

On 02/18/2015 11:45 AM, Daniel Franciscus wrote:
> Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password change.

Sorry, I was not precise about the passhook log.

cd C:\windows\system32
ls passhook*

You should be able to see 3 files: passhook.dat, passhook.dll, and passhook.log.

Do you see any logs in the passhook.log file? For instance, my test shows these messages on successful sync. Do you see them?

    02/18/15 14:16:34 user AD_sync_user6 password changed
    02/18/15 14:16:34 0 entries loaded from file
    02/18/15 14:16:34 1 entries saved to file

If empty even if you update any password on AD, you may need to reboot the Windows machine...

> I am going to reboot the server after production hours again to see if that resolves it.
>
> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
>
> - Original Message -
> From: Noriko Hosoi nho...@redhat.com
> To: 389-users@lists.fedoraproject.org
> Sent: Wednesday, February 18, 2015 2:01:41 PM
> Subject: Re: [389-users] Passsync not changing passwords
>
> On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
>> Hello,
>>
>> We have two Windows Server 2003 domain controllers and I installed passsync on both servers in order to sync password changes to our 389 LDAP. On one domain controller, it appears passsync is working correctly as I can see in the passsync.log when I change a password through that domain controller. On the other domain controller, when I change a password I do not see any activity in the passsync.log at all. I have passsync on both domain controllers set to verbose logging. I also restarted both domain controllers after installing passsync.
>>
>> On the domain controller that is not syncing passwords the log appears as:
>>
>> 02/18/15 07:52:59: PassSync service initialized
>> 02/18/15 07:52:59: PassSync service running
>> 02/18/15 07:52:59: No entries yet
>> 02/18/15 07:52:59: Password list is empty. Waiting for passhook event
>>
>> Does anyone have an idea of what the issue could be?
>
> What is the version of PassSync? The latest is 1.1.6.
> http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
>
> Did you have a chance to enable the passhook log? In regedit, go to:
> HKEY_LOCAL_MACHINE -- SOFTWARE\PasswordSync
> then set Log Level to 1.
>
> If you add or modify a password on the Windows Server 2003 domain controller, what do you get? Any errors?
>
>> Dan Franciscus, Systems Administrator, Information Technology Group, Institute for Advanced Study, 609-734-8138
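As an added example (not code from the thread, from PassSync, or from 389 DS), the check Noriko describes can be scripted for every domain controller: after a test password change, read passhook.log for the hook's "password changed" entries and passsync.log for the service's latest state, and classify the DC. The log lines inside are constructed to match the formats quoted in the thread; the state names and the diagnose() logic are my own.

```python
import re
from datetime import datetime

# Line formats as quoted in the thread: passhook.log has no colon after the time
# ("02/18/15 14:16:34 user AD_sync_user6 password changed"), passsync.log does
# ("02/18/15 07:52:59: PassSync service running").
HOOK_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) user (\S+) password changed$")
SYNC_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.+)$")
TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_hook_events(passhook_log):
    """(timestamp, username) per change the passhook DLL recorded; None = file absent.
    The hook logs only the user name, never the password."""
    events = []
    for line in (passhook_log or "").splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return events


def last_service_message(passsync_log):
    """(timestamp, message) of the newest passsync.log line, or None if empty."""
    last = None
    for line in passsync_log.splitlines():
        m = SYNC_RE.match(line.strip())
        if m:
            last = (datetime.strptime(m.group(1), TS_FMT), m.group(2))
    return last


def diagnose(passhook_log, passsync_log, change_made_at):
    """Classify one DC after a test password change made at change_made_at
    (the thread's procedure: change a password on that DC, then read its logs)."""
    if passhook_log is None:
        return "hook-missing"   # no passhook.log at all: Noriko's reboot case
    events = [e for e in parse_hook_events(passhook_log) if e[0] >= change_made_at]
    if not events:
        return "hook-silent"    # password changed, but the hook recorded nothing
    last = last_service_message(passsync_log)
    if last is None or last[0] < events[-1][0]:
        return "service-stale"  # hook fired, but the service has not logged since
    return "ok"

# Constructed sample logs (not real captures), in the formats quoted above.
HOOK_OK = ("02/18/15 14:16:34 user AD_sync_user6 password changed\n"
           "02/18/15 14:16:34 0 entries loaded from file\n"
           "02/18/15 14:16:34 1 entries saved to file\n")
SYNC_OK = ("02/18/15 14:16:30: PassSync service running\n"
           "02/18/15 14:16:36: Password list is empty. Waiting for passhook event\n")
SYNC_IDLE = ("02/18/15 07:52:59: PassSync service initialized\n"
             "02/18/15 07:52:59: PassSync service running\n"
             "02/18/15 07:52:59: No entries yet\n"
             "02/18/15 07:52:59: Password list is empty. Waiting for passhook event\n")
TEST_CHANGE = datetime.strptime("02/18/15 14:16:00", TS_FMT)


def check_samples():
    """Run the check over four constructed DC states (dc2 is the thread's symptom)."""
    return {"dc1": diagnose(HOOK_OK, SYNC_OK, TEST_CHANGE),
            "dc2": diagnose(None, SYNC_IDLE, TEST_CHANGE),
            "dc3": diagnose("", SYNC_IDLE, TEST_CHANGE),
            "dc4": diagnose(HOOK_OK, SYNC_IDLE, TEST_CHANGE)}


if __name__ == "__main__":
    for dc, status in check_samples().items():
        print(dc, status)
```

dc2 and dc3 are the two variants of the symptom in the thread (passhook.log absent, or present but unchanged after the test password change), which is the situation Noriko ties to rebooting the DC; dc4 is the case where the hook works but the service side deserves a look.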