KB-2482: Why does adquery not show the passwordhash once adclient.custom.attributes.user is set?

Centrify DirectControl

12 April,16 at 11:09 AM

Applies to: Centrify DirectControl version 5.0.2 and above on all platforms

Problem:

Why does adquery not show the passwordhash once adclient.custom.attributes.user is set?

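For example, adquery prints x in place of the hash, although an LDAP search shows that unixUserPassword is populated: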

root@rhmba~ # adquery user -H test
x

root@rhmba~ # adinfo -c | grep adclient.custom.attributes.user
adclient.custom.attributes.user: mail

root@rhmba~ # /usr/share/centrifydc/bin/ldapsearch -m -Q -b "DC=mba,DC=local" '(CN=test)' | grep unixUserPassword
unixUserPassword: l9x2/N040sVm.


Cause:

Starting with DirectControl Agent version 5.0.2, adclient no longer reads these attributes by default. This avoids generating unnecessary events on the Domain Controller about unauthorized access to confidential attributes.

Resolution:

1. In /etc/centrifydc/centrifydc.conf, add either unixUserPassword or msSFU30Password as a value of the following parameter:
adclient.custom.attributes.user

e.g:
adclient.custom.attributes.user: unixUserPassword mail

2. Then run adflush and restart adclient.
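
Step 1 as an added shell example (not from the original article or from Centrify): a hypothetical helper, ensure_custom_user_attr, adds an attribute to adclient.custom.attributes.user while keeping the values already listed, and leaves the file alone if the attribute is already there. The "key: value" line format is taken from the article's example, and the demo runs on a constructed sample file.

```shell
#!/bin/sh
# Added example; ensure_custom_user_attr is a hypothetical helper, not a Centrify tool.
PARAM='adclient.custom.attributes.user'
PARAM_RE='adclient\.custom\.attributes\.user'

# Usage: ensure_custom_user_attr <conf-file> <attribute>
# Returns 0 if the file was changed, 1 if the attribute was already listed,
# 2 on a bad argument or I/O error.
ensure_custom_user_attr() {
    conf=$1
    attr=$2
    if [ ! -f "$conf" ] || [ -z "$attr" ]; then return 2; fi
    # Accept only plain LDAP attribute names so the value is safe inside sed.
    case $attr in *[!A-Za-z0-9-]*) return 2 ;; esac

    # Value of the first live (uncommented) occurrence of the parameter, if any.
    current=$(sed -n "s/^[[:space:]]*${PARAM_RE}[[:space:]]*:[[:space:]]*//p" "$conf" | head -n 1)

    # LDAP attribute names are case-insensitive, so compare in lower case.
    want=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]')
    for word in $current; do
        have=$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then return 1; fi
    done

    tmp=$(mktemp) || return 2
    if grep -q "^[[:space:]]*${PARAM_RE}[[:space:]]*:" "$conf"; then
        # Keep the existing values and put the new attribute in front of them.
        sed "s/^[[:space:]]*${PARAM_RE}[[:space:]]*:[[:space:]]*\(.*\)$/${PARAM}: ${attr} \1/" "$conf" > "$tmp"
    else
        # Parameter not set (or only present as a comment): append it.
        # awk 1 copies the file and guarantees a trailing newline before the append.
        awk 1 "$conf" > "$tmp"
        printf '%s: %s\n' "$PARAM" "$attr" >> "$tmp"
    fi
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    return 0
}

# Demo on a constructed sample file, not the live /etc/centrifydc/centrifydc.conf.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'adclient.custom.attributes.user: mail' > "$demo"
if ensure_custom_user_attr "$demo" unixUserPassword; then grep "^$PARAM_RE" "$demo"; fi
rm -f "$demo"
```

When the helper reports a change on the real configuration file, continue with step 2 above.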
