On 01/20/2012 10:23 AM, Jimmy wrote:
You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer: I can establish an openssl connection from DS to AD, but I get these errors:

openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
CONNECTED(00000003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.
Is dsca.crt the CA that issued the DS server cert? If so, that won't work. You need the CA cert from the CA that issued the AD server cert (i.e. the CA cert from the MS Enterprise Root CA).
-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    On 01/19/2012 02:59 PM, Jimmy wrote:
    ok. I started from scratch this week on this and I think I've got
    the right doc and understand better where this is going. My
    problem now is that when configuring SSL on the AD server (step c
    in this url:
    
    http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )

    I get this error:

    certreq -submit request.req certnew.cer
    Active Directory Enrollment Policy
      {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
      ldap:
    RequestId: 3
    RequestId: "3"
    Certificate not issued (Denied) Denied by Policy Module
     0x80094801, The request does not contain a certificate template
    extension or the CertificateTemplate request attribute.
     The request contains no certificate template information.
    0x80094801 (-2146875391)
    Certificate Request Processor: The request contains no
    certificate template information. 0x80094801 (-2146875391)
    Denied by Policy Module  0x80094801, The request does not contain
    a certificate template extension or the CertificateTemplate
    request attribute.

    The RH doc says to use the browser if an error occurs and IIS is
    running but I'm not running IIS. I researched that error but
    didn't find anything that helps with FreeIPA and passsync.
    Hmm - try installing Microsoft Certificate Authority in Enterprise
    Root CA mode - it will usually automatically create and install
    the AD server cert.
    http://directory.fedoraproject.org/wiki/Howto:WindowsSync


    Jimmy

    On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        On 01/11/2012 11:22 AM, Jimmy wrote:
        We need to be able to replicate user/pass between Windows
        2008 AD and FreeIPA.

        That's what IPA Windows Sync is supposed to do.


        I have followed many different documents and posted here
        about it and from what I've read and procedures I've
        followed we are unable to accomplish this.

        What have you tried, and what problems have you run into?

        It doesn't need to be a full trust.

        Thanks

        On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:

            > Just wondering if there was anyone listening on the
            > list that might be available for little work integrating
            > FreeIPA with Active Directory (preferably in the south
            > east US.) I hope this isn't against the list rules, I
            > just thought one of you guys could help or point me in
            > the right direction.

            If you want some help, it is certainly not against list
            rules ;-) But in that
            case, it would be much better if you asked what exactly
            do you need.

            I'm not an AD expert, but a couple tips: If you are
            looking for cross-domain
            (cross-realm) trust, then you might be a bit
            disappointed, it is still in
            development, so it probably won't be 100% functional at
            this moment.

            If you are looking for something else, could you be a
            little more specific what
            it is?

            I also recommend starting with reading some doc:
            http://freeipa.org/page/DocumentationPortal

            Thanks
            Jan



        _______________________________________________
        Freeipa-users mailing list
        Freeipa-users@redhat.com
        https://www.redhat.com/mailman/listinfo/freeipa-users

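The verify errors in the thread (20, 27, 21) are what openssl reports when the file passed to -CAfile does not contain the issuer of the certificate the server presented. As an added example, not code from the thread or from the FreeIPA/389 DS projects, the script below recreates that situation offline: it generates two throwaway CAs standing in for the DS CA (dsca.crt) and the Microsoft Enterprise Root CA, issues a server certificate from the second, and shows `openssl verify -CAfile` failing against the wrong CA file and passing against the issuing one. The CA names, the file names and the `is_issuer_of` helper are assumptions of this example; only the server CN is taken from the s_client output above.

```shell
#!/bin/sh
# Added example, not from the thread. Recreates "unable to get local issuer
# certificate" (error 20) with the wrong CA file, then the passing check with
# the CA that actually issued the server cert. All material is generated in a
# temp dir; "dsca" and "adca" are stand-in names for the two CAs in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed CA: $1 = file prefix, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server cert signed by CA $1: $2 = file prefix, $3 = CN.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Chain check, the offline equivalent of "s_client -CAfile": $1 = CA file,
# $2 = server cert. Returns 0 when the chain verifies.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Distinguished name in RFC 2253 form: $1 = cert file, $2 = -subject or -issuer.
name_of() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[^=]*=//'
}

# Triage before fighting s_client: the CA file is only useful if its subject
# equals the server cert's issuer. $1 = CA file, $2 = server cert.
# Against a live server the cert comes from:
#   openssl s_client -connect host:636 -showcerts </dev/null | openssl x509 -out server.crt
is_issuer_of() {
  if [ "$(name_of "$1" -subject)" = "$(name_of "$2" -issuer)" ]; then return 0; else return 1; fi
}

make_ca dsca "DS CA"
make_ca adca "MS Enterprise Root CA"
make_server_cert adca server "csp-ad.cspad.pdh.csp"

echo "server cert issuer : $(name_of "$WORK/server.crt" -issuer)"
echo "dsca.crt subject   : $(name_of "$WORK/dsca.crt" -subject)"
echo "adca.crt subject   : $(name_of "$WORK/adca.crt" -subject)"

echo "--- verify against dsca.crt (did not issue the server cert) ---"
openssl verify -CAfile "$WORK/dsca.crt" "$WORK/server.crt" 2>&1 || true
echo "--- verify against adca.crt (issuing CA) ---"
openssl verify -CAfile "$WORK/adca.crt" "$WORK/server.crt"
```

The first verify prints error 20 at depth 0 and "verification failed"; the second prints "OK". The same comparison of the server cert's issuer with the CA file's subject settles the question asked in the thread (is dsca.crt the CA that issued the DS cert or the AD cert?) without a live connection. The earlier certreq failure (0x80094801) is a separate problem: that error text says the CSR names no template, and in standard certreq usage the template is supplied at submit time with `-attrib "CertificateTemplate:<template name>"`; which template applies in the poster's CA is not something the thread shows.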