Product SiteDocumentation Site

7.4. Managing Password Synchronization

Password synchronization is configured separately from Windows Synchronization.

7.4.1. Setting up the Windows Server for Password Synchronization

To synchronize passwords requires that Active Directory be running in SSL and that the Password Sync Service be installed on each Active Directory domain controller. The Password Sync Service records password changes and synchronizes them, over a secure connection, to the FreeIPA entry.

TIP

Install the Microsoft Certificate System in Enterprise Root Mode. Active Directory will then automatically enroll to retrieve its SSL server certificate.
  1. Make sure that the Active Directory password complexity policies are enabled so that the Password Sync service will run.
    1. Run secpol.msc from the command line.
    2. Select Security Settings.
    3. Open Account Policies, and then open Password Policy.
    4. Enable the Password must meet complexity requirements option and save.
  2. If SSL is not already enabled, set up SSL on the Active Directory server. Setting up LDAPS is explained in more detail in the Microsoft knowledgebase at http://support.microsoft.com/kb/321051.
    1. Install a certificate authority in the Windows Components section in Add/Remove Programs.
    2. Select the Enterprise Root CA option.
    3. Reboot the Active Directory server. If IIS web services are running, the CA certificate can be accessed by opening http://servername/certsrv.
    4. Set up the Active Directory server to use the SSL server certificate.
      1. Create a certificate request .inf, using the fully-qualified domain name of the Active Directory as the certificate subject. For example:
        ;----------------- request.inf ----------------- 
        
        [Version] 
        
        Signature="$Windows NT$ 
        
        [NewRequest]
        
        Subject = "CN=ad.server.example.com, O=Engineering, L=Raleigh, S=North Carolina, C=US"
        KeySpec = 1 
        KeyLength = 2048 
        Exportable = TRUE 
        MachineKeySet = TRUE 
        SMIME = False 
        PrivateKeyArchive = FALSE 
        UserProtected = FALSE 
        UseExistingKeySet = FALSE 
        ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
        ProviderType = 12
        RequestType = PKCS10 
        KeyUsage = 0xa0 
        
        [EnhancedKeyUsageExtension] 
        
        OID=1.3.6.1.5.5.7.3.1 
        
        ;-----------------------------------------------
        For more information on the .inf request file, see the Microsoft documentation, such as http://technet.microsoft.com/en-us/library/cc783835.aspx.
      2. Generate the certificate request.
        certreq -new request.inf request.req
      3. Submit the request to the Active Directory CA. For example:
        certreq -submit request.req certnew.cer

        NOTE

        If the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request. If IIS is running, then the CA URL is http://servername/certsrv.
      4. Accept the certificate request. For example:
        certreq -accept certnew.cer
      5. Make sure that the server certificate is present on the Active Directory server.
        In the File menu, click Add/Remove, then click Certificates and Personal>Certificates.
      6. Import the CA certificate from Directory Server into Active Directory. Click Trusted Root CA, then Import, and browse for the Directory Server CA certificate.
    5. Reboot the domain controller.

7.4.2. Setting up Password Synchronization

Install the Password Sync Service on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
  1. Download the PassSync.msi file from the 389 Directory Server repos, and save it to the Active Directory machine.

    NOTE

    There are two PassSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the appropriate packages for your Windows platform.
  2. Double-click the PassSync.msi file to install it.
  3. The Password Sync Setup window appears. Hit Next to begin installing.
  4. Fill in the information to establish the connection to the FreeIPA server.
    • The FreeIPA server connection information, including the hostname and secure port number
    • The username of the system user which Active Directory will use to connect to the FreeIPA machine; this is always uid=passsync,cn=systemaccounts,cn=etc,dc=example,dc=com.
    • The password set in the --passsync option when the sync agreement was created
    • The search base for the people subtree, such as ou=People,dc=example,dc=com
    Hit Next, then Finish to install Password Sync.
  5. Import the FreeIPA server's CA certificate into the Active Directory certificate store.
    1. Download the FreeIPA server's CA certificate from http://ipa.example.com/ipa/config/ca.crt.
    2. Copy the FreeIPA CA certificate to the Active Directory server.
    3. Install the FreeIPA CA certificate in the Password Sync database. For example:
      cd "C:\Program Files\389 Directory Password Synchronization"
      	
      certutil.exe -d . -A -n "IPA.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt
  6. Reboot the Windows machine to start Password Sync.

    NOTE

    The Windows machine must be rebooted. Without the rebooting, PasswordHook.dll is not enabled, and password synchronization will not function.
The first attempt to synchronize passwords, which happened when the Password Sync application is installed, will always fail because of the SSL connection between the Directory Server and Active Directory sync peers. The tools to create the certificate and key databases is installed with the .msi.

7.4.3. Exempting Active Directory Users from Password Synchronization

The passwords in password change operations are still subject to the password policy settings, such as password expiration times. For example, in FreeIPA every password change requires an immediate password reset. While normal user passwords need to be subject to password policies, administrative passwords should be exempt from any password rules. A list of user DNs can be set in the password synchronization configuration that are exempted from the password policy.

NOTE

The Directory Manager password is always exempt from password policy.
Edit the password synchronization entry, cn=ipa_pwd_extop,cn=plugins,cn=config, and add the passSyncManagersDNs attribute with the name of the user. This attribute is multi-valued. For example:
$ ldapmodify -x -D "cn=Directory Manager" -w secret -h ldap.example.com -p 389

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com