First of all, you can verify the functionality of the sync via the following commands and log files:
univention-connector-list-rejected
/var/log/univention/connector.log
/var/log/univention/connector-status.log
If the passwords (or other stuff) are not synchronized, you will most likely see rejects and tracebacks in the connector logfiles.
Next, have a look at: http://sdb.univention.de/1332. There you find the new password sync process described; I quote it here for easy use:
[quote]Since UCS4.1 the password service is no longer needed on the AD server.
Independent of the UCS version, the synchronization of encrypted password hashes needs to be activated manually via Univention Config Registry:
By default, in AD member mode, the UCS AD Connector reads object data from Microsoft Active Directory with the permissions of the machine account of the UCS DC Master. This machine account usually isn’t authorized to read encrypted password hashes from Active Directory. The Active Directory object LDAP DN of a privileged replication user should be configured in the Univention Configuration Registry variable connector/ad/ldap/binddn. This must be a member of the Domain Admins group in the AD.
The corresponding password must be saved in a file on the master domain controller and the file name entered in the Univention Configuration Registry variable connector/ad/ldap/bindpw. If the access password is changed at a later point in time, the new password must be entered in this file. The access rights for the file should be restricted so that only the root owner has access.
The following commands demonstrate the steps in an example:
ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n "Administrator password" > /etc/univention/connector/password
To actually switch to password synchronization mode, the UCR variable connector/ad/mapping/user/password/kinit must be unset and all objects need to be re-synchronized from Active Directory to read their passwords:
/etc/init.d/univention-ad-connector stop
ucr unset connector/ad/mapping/user/password/kinit
find /etc/univention/connector/ \( -name "internal.cfg" -o -name "internal.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;
/etc/init.d/univention-ad-connector start[/quote]
Kind Regards,
Jens Thorp-Hansen
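The quoted procedure writes the AD bind password to a file with echo -n and restricts it to the root owner. As an added example (not part of the post above and not Univention's own tooling), the following POSIX shell function performs a pre-flight check of that file before the connector is restarted: it must exist as a regular file, be non-empty, belong to the expected owner (root by default), have mode 0600 or 0400, and must not end in a newline, since the article deliberately writes it without one. The function name, the optional owner argument and the use of GNU stat are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Univention.
# Pre-flight check for the file referenced by connector/ad/ldap/bindpw.
#
# Usage: check_bindpw_file /etc/univention/connector/password [expected_owner]
# Returns 0 when every check passes, 1 otherwise, printing the first failure.

check_bindpw_file() {
    f="$1"
    expected_owner="${2:-root}"          # assumption: root unless told otherwise

    # Must be a regular file (not a symlink to somewhere unexpected, not a dir).
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file"
        return 1
    fi

    # Must not be empty: an empty bindpw file means an empty password.
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is empty"
        return 1
    fi

    # Owner check (GNU stat: %U prints the owner name).
    owner=$(stat -c %U "$f") || return 1
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $f is owned by $owner, expected $expected_owner"
        return 1
    fi

    # Mode check (GNU stat: %a prints the octal mode). Only the owner may read it.
    mode=$(stat -c %a "$f") || return 1
    case "$mode" in
        600|400) ;;
        *)
            echo "FAIL: $f has mode $mode, expected 600 or 400"
            return 1
            ;;
    esac

    # The article writes the file with 'echo -n'; a trailing newline would be
    # stored as part of the password. wc -l counts newlines in the last byte.
    if [ "$(tail -c 1 "$f" | wc -l)" -ne 0 ]; then
        echo "FAIL: $f ends with a newline (write it with echo -n or printf '%s')"
        return 1
    fi

    echo "OK: $f passes owner/mode/content checks"
    return 0
}

# Run directly with a path argument; sourcing the file only defines the function.
if [ $# -gt 0 ]; then
    check_bindpw_file "$@"
fi
```

Run it as root before the stop/unset/start sequence from the article; a non-zero exit tells you to fix the file first rather than discovering bind failures later in /var/log/univention/connector.log.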