Correct, you will have to install it on any DC that could perform the password change. In fact recently we had an issue where passwords were not being updated in ldap due to some new servers coming online that did not have the services installed.
The encrypted hash will be present in AD; not sure how acceptable that is to security, but it is the same hash that is in ldap or a unix /etc/passwd file. It will be stored in the unixUserPassword attribute for any user set to use unix attributes, and it will populate on their next password change. It will not extract it from AD, but will catch it and put it in place on update. If I recall, the packages are part of Identity Management for Unix or SFU, depending on your version. The other major bummer was that the server had to be rebooted after install. Not sure if there is a way to avoid that. This is however all Microsoft provided, so not exactly a hack.

On Tue, May 13, 2014 at 12:04 PM, DER-KRIKORIAN Anthony <[email protected]> wrote:

> Interesting
>
> What do you mean?
>
> By enabling this feature on the DC, all password hashes will be available in a field I can query?
>
> If I have 200 domain controllers, I’ve to install it on each domain controller?
>
> Thanks
>
> *From:* Joel Foote [mailto:[email protected]]
> *Sent:* Tuesday, May 13, 2014 1:17 PM
> *To:* DER-KRIKORIAN Anthony
> *Cc:* [email protected]
> *Subject:* Re: [lsc-users] Active Directory password hash sync
>
> You can actually install the services for unix and nis packages on the domain controllers. Once set up, the hash will be saved in AD on all password changes. You can then expose it via NIS or LDAP (requires an admin account by default) to sync with openldap.
>
> On Tue, May 13, 2014 at 8:09 AM, DER-KRIKORIAN Anthony <[email protected]> wrote:
>
> > Hi lsc members
> >
> > I’ve a question concerning Active Directory password hashes.
> >
> > Is there a way to extract AD password hashes (officially, without a hack!) and to synchronize them into another directory, for example?
> >
> > I know Microsoft Azure DirSync is capable of doing that!
> >
> > I also know the old technique of a Password Filter, which requires you to install a component on each domain controller to get the password in clear text, which I don’t like…
> >
> > Any help is appreciated
> >
> > Thanks
> >
> > Anthony DER KRIKORIAN
> > R&D Manager
> > Gemalto Identity & Access Business Line
> > Mobile : +1 512 998 9897
> > Mail : [email protected]
> >
> > ------------------------------
> > This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
> >
> > _______________________________________________________________
> > Ldap Synchronization Connector (LSC) - http://lsc-project.org
> > lsc-users mailing list
> > [email protected]
> > http://lists.lsc-project.org/listinfo/lsc-users
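The thread above describes two things a practitioner will want to check after deploying the Identity Management for Unix packages: the unixUserPassword attribute only populates on a user's next password change, and a DC that lacks the packages silently skips the update (the exact failure Joel describes). The script below is an added example, not LSC project code and not from anyone in the thread. It assumes the user entries have already been read out of AD into plain dicts with string values (uidNumber, unixUserPassword, pwdLastSet, sAMAccountName) and that the date the packages went live is known; the entries and the enable date are constructed sample data.

```python
"""Audit which unix-enabled AD users still lack a unixUserPassword value.

Added example for the lsc-users thread above (not LSC project code). Assumes
the user entries were already read from AD into dicts with string values;
the sample entries and SERVICE_ENABLED_AT below are constructed.
"""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a pwdLastSet value (int or decimal string) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify_user(entry, service_enabled_at):
    """Classify one user entry.

    ok        unix attributes set and unixUserPassword populated
    not_unix  no uidNumber, so the DC service never writes a hash for this user
    pending   no hash yet, but the password has not changed since the service
              went in (the attribute populates on the next change)
    missing   password changed after the service was enabled, yet no hash:
              the change was probably handled by a DC without the packages
    """
    if not entry.get("uidNumber"):
        return "not_unix"
    if entry.get("unixUserPassword"):
        return "ok"
    last_set = int(entry.get("pwdLastSet", 0))
    if last_set == 0:  # "must change password at next logon": nothing to catch yet
        return "pending"
    if filetime_to_datetime(last_set) > service_enabled_at:
        return "missing"
    return "pending"


def audit(entries, service_enabled_at):
    """Group sAMAccountNames by classification, preserving input order."""
    groups = {"ok": [], "not_unix": [], "pending": [], "missing": []}
    for entry in entries:
        groups[classify_user(entry, service_enabled_at)].append(entry["sAMAccountName"])
    return groups


# Constructed sample data: the date the DC packages were installed, and a few
# entries shaped like the result of an LDAP search (values simplified to strings).
SERVICE_ENABLED_AT = datetime(2014, 5, 1, tzinfo=timezone.utc)

SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "uidNumber": "10001",
     "unixUserPassword": "$6$constructed$notARealHash",
     "pwdLastSet": str(datetime_to_filetime(datetime(2014, 5, 12, 9, 0, tzinfo=timezone.utc)))},
    {"sAMAccountName": "bob", "uidNumber": "10002",  # changed after rollout, no hash
     "pwdLastSet": str(datetime_to_filetime(datetime(2014, 5, 12, 10, 30, tzinfo=timezone.utc)))},
    {"sAMAccountName": "carol", "uidNumber": "10003",  # not changed since rollout
     "pwdLastSet": str(datetime_to_filetime(datetime(2014, 3, 1, tzinfo=timezone.utc)))},
    {"sAMAccountName": "dave",  # no unix attributes at all
     "pwdLastSet": str(datetime_to_filetime(datetime(2014, 5, 12, tzinfo=timezone.utc)))},
    {"sAMAccountName": "erin", "uidNumber": "10005", "pwdLastSet": "0"},
]

if __name__ == "__main__":
    for group, names in audit(SAMPLE_ENTRIES, SERVICE_ENABLED_AT).items():
        print(f"{group:9s} {', '.join(names) or '-'}")
```

In a real run the entries would come from a search such as `(&(objectClass=user)(uidNumber=*))` with the four attributes requested, using the admin-level account Joel mentions is needed to read unixUserPassword. The "missing" group is the actionable one: each such user's last password change was processed by a DC that did not write the hash, which is the symptom of a DC coming online without the packages installed.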

