On 01/23/2012 10:19 AM, Jimmy wrote:
Here's what I found in the DS admin guide. Is this all that's needed to create the sync agreement?
Not with ipa - you should use the ipa-replica-manage command instead
Thanks.

add sync agreement:
ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
it should be cn=replica, not cn=sync replica - does it use the latter in the Admin Guide?
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200
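A small checker for a hand-written WinSync agreement LDIF like the one above, added here as an example; it is not code from the thread or from 389 DS/IPA (for IPA, ipa-replica-manage remains the right tool, as Rich says). It assumes a single-entry LDIF and tests the points raised in the thread: the parent entry must be cn=replica, the required attributes must be present, the transport must be encrypted, and the bind credential should not sit in clear text in the file; the sample entry is constructed from the one posted.

```python
# Constructed sample: the agreement from the thread, with the parent RDN Rich flagged left in.
SAMPLE_LDIF = r"""dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
"""
REQUIRED = ("nsds7WindowsReplicaSubtree", "nsds7DirectoryReplicaSubtree", "nsds7WindowsDomain",
            "nsDS5ReplicaRoot", "nsDS5ReplicaHost", "nsDS5ReplicaPort", "nsDS5ReplicaBindDN",
            "nsDS5ReplicaBindCredentials")
def parse_ldif(text):
    """Single-entry LDIF -> (dn, {attr_lowercase: [values]}); folds RFC 2849 continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    dn, attrs = None, {}
    for name, _, value in (line.partition(":") for line in lines):
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def check_agreement(text):
    """Return a list of problems; an empty list means the agreement entry looks sane."""
    dn, attrs = parse_ldif(text)
    problems = []
    parent = dn.split(",", 1)[1] if dn and "," in dn else ""
    # agreements live under cn=replica,cn=<escaped suffix>,cn=mapping tree,cn=config
    if not (parent.lower().startswith("cn=replica,") and parent.lower().endswith(",cn=mapping tree,cn=config")):
        problems.append("dn: parent entry must be cn=replica, not %s" % parent.split(",", 1)[0])
    problems += ["missing attribute %s" % a for a in REQUIRED if a.lower() not in attrs]
    if attrs.get("nsds5replicatransportinfo", ["LDAP"])[0].upper() not in ("TLS", "SSL"):
        problems.append("nsDS5ReplicaTransportInfo must be TLS or SSL (AD rejects password changes over clear LDAP)")
    if attrs.get("nsds5replicabindcredentials", ["{"])[0][:1] != "{":
        problems.append("nsDS5ReplicaBindCredentials is clear text in this file; protect the LDIF")
    return problems
```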

On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    On 01/20/2012 01:08 PM, Jimmy wrote:
    That was it! I have passwords syncing, *BUT* (at the risk of
    sounding stupid) -- is it not possible to also sync (add) the users
    from AD to DS?
    Yes, it is.  Just configure IPA Windows Sync

    I created a new user in AD and it doesn't propagate to DS, just
    says:

    attempting to sync password for testuser3
    searching for (ntuserdomainid=testuser3)
    There are no entries that match: testuser3
    deferring password change for testuser3

    On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson
    <rmegg...@redhat.com> wrote:

        On 01/20/2012 12:46 PM, Jimmy wrote:
        Getting close here... Now I see this message in the sync log
        file:

        attempting to sync password for testuser
        searching for (ntuserdomainid=testuser)
        ldap error in queryusername
         32: no such object
        deferring password change for testuser
        This usually means the search base is incorrect or not
        found.  You can look at the 389 access log to see what it was
        using as the search criteria.


        On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson
        <rmegg...@redhat.com> wrote:

            On 01/20/2012 10:23 AM, Jimmy wrote:
            You are correct. I had installed as an Enterprise root,
            but the doc I was reading (original link) seemed to say
            that I had to do the certreq manually, my bad. I think
            I'm getting closer: I can establish an openssl
            connection from DS to AD but I get these errors:

             openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
            CONNECTED(00000003)
            depth=0 CN = csp-ad.cspad.pdh.csp
            verify error:num=20:unable to get local issuer certificate
            verify return:1
            depth=0 CN = csp-ad.cspad.pdh.csp
            verify error:num=27:certificate not trusted
            verify return:1
            depth=0 CN = csp-ad.cspad.pdh.csp
            verify error:num=21:unable to verify the first certificate
            verify return:1

            I thought I had imported the cert from AD but it
            doesn't seem so. I'm still researching but if you guys
            have a suggestion let me know.
            Is dsca.crt the CA that issued the DS server cert?  If
            so, that won't work.  You need the CA cert from the CA
            that issued the AD server cert (i.e. the CA cert from
            the MS Enterprise Root CA).

            -J

            On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson
            <rmegg...@redhat.com> wrote:

                On 01/19/2012 02:59 PM, Jimmy wrote:
                OK. I started from scratch this week on this and I
                think I've got the right doc and understand better
                where this is going. My problem now is that when
                configuring SSL on the AD server (step c in this
                url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service)

                I get this error:

                certreq -submit request.req certnew.cer
                Active Directory Enrollment Policy
                  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
                  ldap:
                RequestId: 3
                RequestId: "3"
                Certificate not issued (Denied) Denied by Policy
                Module  0x80094801, The request does not contain a
                certificate template extension or the
                CertificateTemplate request attribute.
                 The request contains no certificate template
                information. 0x80094801 (-2146875391)
                Certificate Request Processor: The request
                contains no certificate template information.
                0x80094801 (-2146875391)
                Denied by Policy Module  0x80094801, The request
                does not contain a certificate template extension
                or the CertificateTemplate request attribute.

                The RH doc says to use the browser if an error
                occurs and IIS is running but I'm not running IIS.
                I researched that error but didn't find anything
                that helps with FreeIPA and passsync.
                Hmm - try installing Microsoft Certificate
                Authority in Enterprise Root CA mode - it will
                usually automatically create and install the AD
                server cert.
                http://directory.fedoraproject.org/wiki/Howto:WindowsSync



                Jimmy

                On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
                <rmegg...@redhat.com> wrote:

                    On 01/11/2012 11:22 AM, Jimmy wrote:
                    We need to be able to replicate user/pass
                    between Windows 2008 AD and FreeIPA.

                    That's what IPA Windows Sync is supposed to do.


                    I have followed many different documents and
                    posted here about it and from what I've read
                    and procedures I've followed we are unable to
                    accomplish this.

                    What have you tried, and what problems have
                    you run into?

                    It doesn't need to be a full trust.

                    Thanks

                    On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
                    <jzel...@redhat.com> wrote:

                        > Just wondering if there was anyone listening on the list that might be
                        > available for little work integrating FreeIPA with Active Directory
                        > (preferably in the south east US.) I hope this isn't against the list
                        > rules, I just thought one of you guys could help or point me in the right
                        > direction.

                        If you want some help, it is certainly
                        not against list rules ;-) But in that
                        case, it would be much better if you
                        asked for what exactly you need.

                        I'm not an AD expert, but a couple of tips:
                        If you are looking for cross-domain
                        (cross-realm) trust, then you might be a
                        bit disappointed: it is still in
                        development, so it probably won't be 100%
                        functional at this moment.

                        If you are looking for something else,
                        could you be a little more specific about
                        what it is?

                        I also recommend starting with reading
                        some doc:
                        http://freeipa.org/page/DocumentationPortal

                        Thanks
                        Jan



                    _______________________________________________
                    Freeipa-users mailing list
                    Freeipa-users@redhat.com
                    https://www.redhat.com/mailman/listinfo/freeipa-users