That's what I was thinking, and what I did, but it still doesn't replicate new users. This is the command I used:
ipa-replica-manage connect --passsync --binddn cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw=******** --cacert /home/winsync/AD-server-cert.cer 192.168.201.150 -v

On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> On 01/23/2012 10:19 AM, Jimmy wrote:
>
> Here's what I found in the DS admin guide. Is this all that's needed to create the sync agreement?
>
> Not with ipa - you should use the ipa-replica-manage command instead
>
> Thanks.
>
> add sync agreement:
> ldapmodify -x -D "cn=Directory Manager" -W
> Enter LDAP Password: *******
> dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>
> it should be cn=replica, not cn=sync replica - does it use the latter in the Admin Guide?
>
> changetype: add
> objectclass: top
> objectclass: nsDSWindowsReplicationAgreement
> cn: ExampleSyncAgreement
> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
> nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: on
> nsds7WindowsDomain: ad1
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaHost: ad1.windows-server.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=sync user,cn=config
> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
> nsDS5ReplicaTransportInfo: TLS
> winSyncInterval: 1200
>
> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>
>> On 01/20/2012 01:08 PM, Jimmy wrote:
>>
>> That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid) -- is it not possible to also sync (add) the users from AD to DS?
>>
>> Yes, it is. Just configure IPA Windows Sync
>>
>> I created a new user in AD and it doesn't propagate to DS, just says:
>>
>> attempting to sync password for testuser3
>> searching for (ntuserdomainid=testuser3)
>> There are no entries that match: testuser3
>> deferring password change for testuser3
>>
>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>
>>> Getting close here... Now I see this message in the sync log file:
>>>
>>> attempting to sync password for testuser
>>> searching for (ntuserdomainid=testuser)
>>> ldap error in queryusername
>>> 32: no such object
>>> deferring password change for testuser
>>>
>>> This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria.
>>>
>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>
>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>
>>>> You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer. I can establish an openssl connection from DS to AD but I get these errors:
>>>>
>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>>> CONNECTED(00000003)
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=20:unable to get local issuer certificate
>>>> verify return:1
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=27:certificate not trusted
>>>> verify return:1
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=21:unable to verify the first certificate
>>>> verify return:1
>>>>
>>>> I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.
>>>>
>>>> Is dsca.crt the CA that issued the DS server cert? If so, that won't work. You need the CA cert from the CA that issued the AD server cert (i.e. the CA cert from the MS Enterprise Root CA).
>>>>
>>>> -J
>>>>
>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>>
>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>
>>>>> ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>
>>>>> I get this error:
>>>>>
>>>>> certreq -submit request.req certnew.cer
>>>>> Active Directory Enrollment Policy
>>>>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>> ldap:
>>>>> RequestId: 3
>>>>> RequestId: "3"
>>>>> Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>>>> The request contains no certificate template information. 0x80094801 (-2146875391)
>>>>> Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
>>>>> Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>>>>
>>>>> The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.
>>>>>
>>>>> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert.
>>>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>>
>>>>> Jimmy
>>>>>
>>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>>>
>>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>
>>>>>> We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.
>>>>>>
>>>>>> That's what IPA Windows Sync is supposed to do.
>>>>>>
>>>>>> I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.
>>>>>>
>>>>>> What have you tried, and what problems have you run into?
>>>>>>
>>>>>> It doesn't need to be a full trust.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:
>>>>>>
>>>>>>> > Just wondering if there was anyone listening on the list that might be
>>>>>>> > available for a little work integrating FreeIPA with Active Directory
>>>>>>> > (preferably in the south east US.) I hope this isn't against the list
>>>>>>> > rules, I just thought one of you guys could help or point me in the right
>>>>>>> > direction.
>>>>>>>
>>>>>>> If you want some help, it is certainly not against list rules ;-) But in that case, it would be much better if you asked what exactly do you need.
>>>>>>>
>>>>>>> I'm not an AD expert, but a couple tips: If you are looking for cross-domain (cross-realm) trust, then you might be a bit disappointed, it is still in development, so it probably won't be 100% functional at this moment.
>>>>>>>
>>>>>>> If you are looking for something else, could you be a little more specific what it is?
>>>>>>>
>>>>>>> I also recommend starting with reading some doc:
>>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>>
>>>>>>> Thanks
>>>>>>> Jan
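The verification errors in the `openssl s_client ... -CAfile dsca.crt` output quoted above come from checking the AD server certificate against the CA that issued the DS certificate rather than the CA that issued the AD certificate. The following is an added example, not part of the thread, that reproduces that failure offline with throwaway certificates and shows it clearing once the issuing CA is supplied. It assumes only that the `openssl` command-line tool is on PATH; the two CA names, the temporary directory and the helper functions are constructed for this demonstration, and the server CN simply reuses the hostname from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why "-CAfile dsca.crt" yields
# "unable to get local issuer certificate" for the AD server cert, and that
# the same cert verifies once the CA that actually issued it is used.
# Assumes the openssl CLI is on PATH. Everything below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Two throwaway self-signed roots: one standing in for the MS Enterprise
# Root CA (issues the AD server cert), one for the IPA/DS CA (does not).
make_ca() {  # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a server (leaf) certificate for CN=$2 from the CA with prefix $1.
make_server_cert() {  # $1 = CA prefix, $2 = server CN, $3 = output prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.crt" >/dev/null 2>&1
}

# verify_against CA_FILE CERT_FILE: prints "ok" if CA_FILE validates
# CERT_FILE, "fail" otherwise (always exits 0 so results can be compared).
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# verify_reason CA_FILE CERT_FILE: prints OpenSSL's reason for a failed
# issuer lookup ("error N at D depth lookup: <reason>"), nothing on success.
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Build the constructed PKI: the AD server cert is issued by the AD CA only.
make_ca ad-ca "Constructed AD Enterprise Root CA"
make_ca ds-ca "Constructed IPA DS CA"
make_server_cert ad-ca "csp-ad.cspad.pdh.csp" ad-server
AD_CA="$WORK/ad-ca.crt"
DS_CA="$WORK/ds-ca.crt"
AD_CERT="$WORK/ad-server.crt"

# Wrong CA (the thread's dsca.crt situation) vs. the CA that issued the cert.
echo "DS CA vs AD server cert: $(verify_against "$DS_CA" "$AD_CERT") ($(verify_reason "$DS_CA" "$AD_CERT"))"
echo "AD CA vs AD server cert: $(verify_against "$AD_CA" "$AD_CERT")"
```

The first line printed is the `fail` case with reason `unable to get local issuer certificate`, the same depth-0 error 20 that `s_client` reported in the thread; the second is `ok`. In practice the file that makes the check pass is the one to hand to `ipa-replica-manage connect --cacert`, as Rich's reply describes: the CA certificate exported from the Enterprise Root CA that issued the AD server certificate, not the DS CA.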
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users