Univention Bugzilla – Bug 47069
Logon failure in Password-Sync via DRS when not using Administrator
Last modified: 2018-12-05 14:39:12 CET
In a customer's environment a special AD-Sync user is used to replicate from MS/AD. While LDAP objects are successfully replicated, the passwords are not. We figured out that this is because for the PWD-Sync via DRS the sAMAccountName is used for authentication. The ad-connector uses the CN part of the BindDN as sAMAccountName, which is OK while using Administrator, but in this scenario both attributes differ. We should determine the correct sAMAccountName from the AD object to use it in the PWD-Sync via DRS.
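An added illustration of the mismatch described in this report (my own Python for this page, not code from univention-ad-connector or from the attached patch). It contrasts the old derivation, taking the CN of the BindDN as the DRS logon name, with resolving sAMAccountName from the AD object behind that DN by a base-scope LDAP search. The FakeAD class, its sample entries (the renamed Administrator from the QA note on this bug plus a constructed sync account) and all function names are assumptions made for the example; only the python-ldap search_s() call shape is mimicked, so it runs offline.

```python
"""Added illustration for Bug 47069 (not univention-ad-connector code).

Assumption: the DRS password sync authenticates with sAMAccountName, so the
name must come from the AD object behind the BindDN rather than from the
DN's CN. The directory below is constructed in memory; only the
python-ldap-like search_s() shape is mimicked.
"""
import re

SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE in python-ldap


def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 '\\,' is kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def cn_from_dn(dn):
    """Old behaviour: treat the CN of the BindDN as the DRS logon name."""
    attr, sep, value = split_rdns(dn)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        raise ValueError("first RDN of %r is not a CN" % dn)
    return re.sub(r"\\(.)", r"\1", value.strip())   # drop RFC 4514 escapes


class FakeAD:
    """Constructed stand-in for an LDAP connection; DNs compared case-insensitively."""

    def __init__(self, objects):
        self._objects = {dn.lower(): attrs for dn, attrs in objects.items()}

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        if scope != SCOPE_BASE:
            raise NotImplementedError("only base-scope lookups are modelled")
        attrs = self._objects.get(base.lower())
        if attrs is None:
            return []
        if attrlist:
            attrs = {k: v for k, v in attrs.items() if k in attrlist}
        return [(base, attrs)]


def resolve_sam_account_name(conn, bind_dn):
    """Fixed behaviour: read sAMAccountName from the AD object itself."""
    result = conn.search_s(bind_dn, SCOPE_BASE, "(objectClass=*)", ["sAMAccountName"])
    if not result:
        raise LookupError("BindDN %r not found in AD" % bind_dn)
    _dn, attrs = result[0]
    values = attrs.get("sAMAccountName") or []
    if not values:
        raise LookupError("%r has no sAMAccountName" % bind_dn)
    return values[0].decode("utf-8")   # python-ldap returns attribute values as bytes


def drs_logon_names(conn, bind_dn):
    """Return (name the old code would use, name the AD object really has)."""
    return cn_from_dn(bind_dn), resolve_sam_account_name(conn, bind_dn)


# Constructed directory: the renamed Administrator from the QA note on this bug,
# plus a dedicated sync account whose CN even contains an escaped comma.
SAMPLE_AD = FakeAD({
    "CN=Administrator,CN=Users,DC=w2k12,DC=test": {
        "sAMAccountName": [b"Admin"],
    },
    "CN=Sync\\, User,CN=Users,DC=w2k12,DC=test": {
        "sAMAccountName": [b"adsync"],
    },
})


if __name__ == "__main__":
    for dn in ("CN=Administrator,CN=Users,DC=w2k12,DC=test",
               "CN=Sync\\, User,CN=Users,DC=w2k12,DC=test"):
        from_cn, from_ad = drs_logon_names(SAMPLE_AD, dn)
        status = "OK" if from_cn == from_ad else "MISMATCH -> DRS logon would fail"
        print("%-45s CN=%r sAMAccountName=%r %s" % (dn, from_cn, from_ad, status))
```

Both constructed entries show the failure mode: the CN-derived name ("Administrator", "Sync, User") is not what AD expects for logon ("Admin", "adsync"), so only the resolved sAMAccountName is usable for the DRS bind. A real connector would replace FakeAD with its bound python-ldap connection; the lookup is a single base-scope search with attrlist restricted to sAMAccountName.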
Created attachment 9536: bug47069.patch
Good catch! The attached patch may be suitable to fix this.
Created attachment 9537: bug47069.patch
Fixed syntax error.
Patch applied.
bce52836f6 | Fix AD to UCS password hash synchronization in case a custom Domain Admin account is used
7bba9ad416 | Advisory
OK - works with:
  univention-adsearch cn=Administrator dn sAMAccountName
  DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
  sAMAccountName: Admin
OK - YAML
<http://errata.software-univention.de/ucs/4.3/354.html>