Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

16.4. Setting up Synchronization Between Active Directory and Directory Server

Configuring synchronization is very similar to configuring replication. It requires configuring the database as a supplier with a changelog and creating an agreement to define synchronization. A common user identity, a synchronization user, connects to the Active Directory (AD) domain controller (DC) to send updates from Directory Server to AD and to check AD for updates to synchronize them to Directory Server.

Note

To enable users to use their accounts on Directory Server and AD, synchronize passwords. Password synchronization requires to use an encrypted connection.
Synchronization for user and group entries is passive from the AD side. Directory Server send updates to AD and polls for updates on the AD domain. For passwords, the AD server requires a separate password service. This service actively sends password changes from the AD domain to Directory Server.

16.4.1. Step 1: Enabling TLS on the Directory Server Host
Copiar o link

The Password Sync service requires to synchronize passwords over an encrypted connection. If TLS is not yet enabled in your Directory Server instance, enable it. For details, see Section 9.4.1, “Enabling TLS in Directory Server”.

16.4.2. Step 2: Enabling Password Complexity in the AD Domain
Copiar o link

Enable password complexity in the AD domain using a group policy. For example:
  1. Open the Group Policy Management console and create a new Group Policy Object (GPO) in the domain.
    For details about using the Group Policy Management console, see the Windows documentation.
  2. Right-click the GPO, and select Edit to open the Group Policy Management Editor.
  3. Navigate to Computer Configuration Windows Settings Security Settings Account Policies Password Policy, and double-click the policy named Password must meet complexity requirements.
  4. Enable the policy and click OK.
    View larger image
  5. Close the Group Policy Management Editor and the Group Policy Management console.

16.4.3. Step 3: Extracting the CA Certificate from AD
Copiar o link

Extract the root certificate authority (CA) certificate and copy it to the Directory Server host:
  • If your AD CA certificate is self-signed:
    1. On an AD DC with the Certification Authority application installed, press the Super key+R combination to open the Run dialog.
    2. Enter the certsrv.msc command and click OK to open the Certification Authority application.
    3. Right-click on the name of the local Certificate Authority and choose Properties.
    4. On the General tab, select the certificate to export in the CA certificates field and click View Certificate.
    5. On the Details tab, click Copy to File to start the Certificate Export Wizard.
    6. Click Next, and then select Base-64 encoded X.509 (.CER).
      View larger image
    7. Specify a suitable directory and file name for the exported file. Click Next to export the certificate, and then click Finish.
    8. Copy the root CA certificate to the Directory Server host.
  • If your AD CA certificate is signed by an external CA:
    1. Determine the root CA. For example: 
      # openssl s_client -connect adserver.example.com:636
CONNECTED(00000003)
depth=1 C = US, O = Demo Company, OU = IT, CN = Demo CA-28
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/O=Demo Company/OU=IT/CN=adserver.example.com
   i:/C=US/O=Demo Company/OU=IT/CN=Demo CA-1
 1 s:/C=US/O=Demo Company/OU=IT/CN=Demo CA-1
   i:/C=US/O=Demo Company/OU=IT/CN=Demo Root CA 2
      Copy to Clipboard Toggle word wrap
      The previous example shows that the AD server's CA certificate is signed by CN=Demo CA-1, which is signed by CN=Demo Root CA 2. This means that CN=Demo Root CA 2 is the root CA.
    2. Contact the operator of the root CA about how to retrieve the CA certificate.
    3. Copy the root CA certificate to the Directory Server host.
To extract the CA certificate from the Directory Server's NSS database:
  1. List the certificates in the database: 
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Server-Cert                         u,u,u
Example CA                          C,,
    Copy to Clipboard Toggle word wrap
  2. Extract the CA certificate from the database. For example, to extract the CA certificate with the Example CA nickname and store it in the /root/ds-ca.crt file: 
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L -n "Example CA" -a > /root/ds-ca.crt
    Copy to Clipboard Toggle word wrap
  3. Copy the CA certificate to the AD DC.

16.4.5. Step 5: Creating the Synchronization Accounts
Copiar o link

For synchronization between AD and Directory Server, you require one account in AD and one in Directory Server. This section explains further details about creating these accounts.

Creating an Account in Directory Server

The AD DCs use a Directory Server account in the Password Sync service to synchronize passwords to Directory Server. For example, to create the cn=pw_sync_user,dc=config user in Directory Server:
  1. Create the user account: 
    # ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=pw_sync_user,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: pw_sync_user
sn: pw_sync_user
userPassword: password
passwordExpirationTime: 20380101000000Z
    Copy to Clipboard Toggle word wrap
    This creates the cn=pw_sync_user,dc=config account and sets its expiration time to January 01 2038.

    Important

    For security reasons, do not create the account in the synchronized subtree.
  2. Set an ACI at the top of the subtree that will be synchronized and grants write and compare permissions to the cn=pw_sync_user,dc=config user. For example, to add such an ACI to the ou=People,dc=example,dc=com entry: 
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;acl "Password synchronization";
 allow (write,compare) userdn="ldap:///cn=pw_sync_user,dc=config";)
    Copy to Clipboard Toggle word wrap
  3. Configure that Directory Server can store passwords in clear text in the changelog: 
    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on
    Copy to Clipboard Toggle word wrap
    Because Directory Server uses a different password encryption than Active Directory, Directory Server must send the password in clear text to the Windows server. However, the clear text password is sent over a TLS encrypted connection that is required for password synchronization and is, therefore, not exposed to the network.

Creating an Account in AD

To send and receive updates, Directory Server uses an AD account when connecting to AD. This account must be a member of the Domain Admins group or have equivalent permissions in AD. For details about creating AD accounts, see your AD documentation.

16.4.6. Step 6: Installing the Password Sync Service
Copiar o link

Install the Password Sync on every writable DC in your AD. For details about installing the Password Sync service, see the Installing the password synchronization service section in the Red Hat Directory Server Installation Guide.
For a list of operating systems running the Password Sync service that Red Hat supports, see the Red Hat Directory Server Release Notes.
On every DC that has the Password Sync service installed, add the CA certificate Directory Server uses to the Password Sync service's certificate database:
  1. Change into the C:\Program Files\Red Hat Directory Password Synchronization\ directory: 
    > cd "C:\Program Files\Red Hat Directory Password Synchronization\"
    Copy to Clipboard Toggle word wrap
  2. Create the certificate databases in the current directory: 
    > certutil.exe -d . -N
    Copy to Clipboard Toggle word wrap
    The certutil.exe utility prompts to set a password to the new database it creates.
  3. Import the CA certificate used by the Directory Server instance. You copied this certificate in Section 16.4.4, “Step 4: Extracting the CA Certificate from the Directory Server's NSS Database” to the Windows DC. For example, to import the certificate from the C:\ds-ca.crt file and store it in the database with the Example CA nickname: 
    > certutil.exe -d . -A -n "Example CA" -t CT,, -a -i "C:\ds-ca.crt"
    Copy to Clipboard Toggle word wrap
  4. Optionally, verify that the CA certificate was stored correctly in the database: 
    > certutil.exe -d . -L

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Example CA                          CT,,
    Copy to Clipboard Toggle word wrap
  5. Reboot the Windows DC. The Password Sync service is not available until you reboot the system.

Note

If any AD user accounts exist when you install Password Sync, the service cannot synchronize the passwords for those accounts until the passwords are changed. This happens because Password Sync cannot decrypt a password once it has been stored in Active Directory. For details about enforcing a password reset for AD users, see the Active Directory documentation.
On the Directory Server host, add the CA certificate AD uses to the certificate database:
  1. Import the CA certificate AD uses. You copied this certificate in Section 16.4.3, “Step 3: Extracting the CA Certificate from AD” to the Directory Server host. For example, to import the certificate from the /root/ad-ca.crt file and store it in the database with the Example CA nickname: 
    > certutil -d /etc/dirsrv/slapd-instance_name/ -A -n "Example CA" -t CT,, -a -i /root/ad-ca.crt
    Copy to Clipboard Toggle word wrap
  2. Optionally, verify that the CA certificate was stored correctly in the database: 
    > certutil -d /etc/dirsrv/slapd-instance_name/ -L

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI
...
Example CA                          CT,,
    Copy to Clipboard Toggle word wrap
This section describes how to configure the database for synchronization and create the synchronization agreement.
The following example assumes that you have Directory Server running on a host named ds.example.com and an AD DC running on a host named win-server.ad.example.com. The following procedure describes how to configure synchronization between these hosts:
  1. Enable replication for the suffix: 
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com replication \
    enable --suffix="dc=example,dc=com" --role="supplier" --replica-id=1
    Copy to Clipboard Toggle word wrap
    This command configures the ds.example.com host as a supplier for the dc=example,dc=com suffix and sets the replica ID for this entry to 1.

    Important

    The replica ID must be a unique integer between 1 and 65534 for a suffix across all suppliers in the topology.
  2. Add the synchronization agreement and initialize the agreement. For example: 
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-winsync-agmt \
     create --suffix="dc=example,dc=com" --host="win-server.ad.example.com" --port=636 \
     --conn-protocol="LDAPS" --bind-dn="cn=user_name,cn=Users,dc=ad,dc=example,dc=com" \
     --bind-passwd="password" --win-subtree="cn=Users,dc=example,dc=com" \
     --ds-subtree="ou=People,dc=example,dc=com" --win-domain="AD" \
     --init example-agreement
    Copy to Clipboard Toggle word wrap
    This command creates a replication agreement named example-agreement. The replication agreement defines settings, such as AD DC's host name, protocol, and authentication information, Directory Server uses when connecting and synchronizing data to the DC.
    After the agreement is created, Directory Server initializes the agreement. To initialize the agreement later, omit the --init option. Note that synchronization does not start before you initialized the agreement. For details about initializing a synchronization agreement, see Section 16.11.2.1, “Performing a Full Synchronization Using the Command Line”.
    Optionally, pass the --sync-users="on" and --sync-groups="on" option to the command to automatically synchronize new Windows users and groups to Directory Server.
    For further details about the options used in the command, enter: 
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-agmt --help
    Copy to Clipboard Toggle word wrap
  3. Verify that the initialization was successful: 
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-winsync-agmt \
     init-status --suffix="dc=example,dc=com" example-agreement
Agreement successfully initialized.
    Copy to Clipboard Toggle word wrap
The following example assumes that you have Directory Server running on a host named ds.example.com and an AD DC running on a host named win-server.ad.example.com. The following procedure describes how to configure synchronization between these hosts:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Enable replication for the suffix:
    1. Open the Replication menu.
    2. Select the dc=example,dc=com suffix, and click Enable Replication.
    3. Select Supplier in the Replication Role field and enter a replica ID. For example:
      View larger image
      These settings configure the ds.example.com host as a supplier for the dc=example,dc=com suffix and sets the replica ID for this entry to 1.

      Important

      The replica ID must be a unique integer between 1 and 65534 for a suffix across all suppliers in the topology.
    4. Click Enable Replication.
  4. Add the synchronization agreement and initialize agreement:
    1. Open the Replication menu and select the Winsync Agreements entry.
    2. Click Create Agreement and fill the fields. For example:
      View larger image
      These settings will create a synchronization agreement named example-agreement. The synchronization agreement defines settings, such as the DC's host name, protocol, and authentication information, Directory Server uses when connecting and synchronizing data.
      Optionally, select Sync New Windows Users and Sync New Windows Groups to automatically synchronize new Windows users and groups to Directory Server.
      After the agreement is created, Directory Server initializes the agreement. To initialize the agreement later, do not select Do Online Initialization. Note that synchronization does not start before you initialized the agreement. For details about initializing a synchronization agreement, see Section 16.11.2.2, “Performing a Full Synchronization Using the Web Console”.
    3. Click Save Agreement.
  5. Verify that the initialization was successful:
    1. Open the Replication menu.
    2. Select the Agreements entry.
      If the initialization completed successfully, the web console displays the Error (0) Replica acquired successfully: Incremental update succeeded message in the Last Update Status column.
      View larger image
      Depending of the amount of data to synchronize, the initialization can take up to several hours.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat