I would be so grateful for your notes, as it looks like I'm most likely having a cert issue as well.

I'm so damn close to having this thing working (doesn't help to have your boss come by every 10 minutes). I understand the changes concept now, if I can just get it to work.

________________________________
From: Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 04, 2014 2:11 PM
To: Todd Maugh; Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

I am just doing this now and it works fine for me.

The password has to be changed, as there is no way to decrypt the password in AD and send that. So the .msi you install on each AD server intercepts the password change while it's in "plain text" and sends it over to IPA, hence only changes.

I did have issues with certs; they were a pain in the ass to get right/trusted. Looks like you might have a similar issue. I had to work through Redhat support to get it right.

On a brighter note, I did it on RHEL6.4 and upgraded the IPA servers to RHEL6.5, and winsync and passync still work fine. I'll send you my notes.

You could use trusts, but frankly trusting AD with all its swiss cheese security seems a bit too risky.

regards

Steven

________________________________
From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Todd Maugh <tma...@boingo.com>
Sent: Wednesday, 5 February 2014 9:57 a.m.
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tested an SSL connection from my LDAP server to AD. This is the output:

openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names
/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 333C0000854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
    Session-ID-ctx:
    Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391547347
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 12:53 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tried changing the password for a user in AD. This is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername 81: Can't contact LDAP server

And you say this is one of many issues with passsync. Do you recommend another option?

________________________________
From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

But what about the "can't contact LDAP server" in the passsync log? And are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

thanks

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
> I have not changed any passwords in AD yet.

Then passsync will not have sent anything.

> and the users I have in IDM from AD, their passwords are not working

Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
> my passhook.log file is empty

Have you changed any passwords in AD?
________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log:

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername 32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect 32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername 32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect 32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect 32: No such object
02/04/14 10:58:37: Ldap bind error in Connect 32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect 32: No such object

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
> Also, I have verified the password synchronization service is started and running on the Windows 2008 R2 server, but I can't tell if or what it is doing because I'm not getting passwords to my IDM.

http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the windows box.

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, so I have my replication agreement set up, and I see accounts coming in to my IDM server from AD.

I have followed this guide from Redhat to set up my password sync:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

I get no errors, but my passwords are not syncing! Help! The documentation tells of no way to verify or troubleshoot.

Thank You
-Todd Maugh
tma...@boingo.com
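A triage script for the passsync.log excerpts quoted in this thread, added here as an example and not part of any list member's message or of the PassSync tool itself. It groups the LDAP result codes seen (81 and 32) by the operation they occurred in and lists the password changes PassSync abandoned, which never reached IdM. The sample log is constructed from the lines quoted above, and the hint for each code is the standard LDAP result-code meaning, not PassSync output.

```python
import re
from collections import Counter

# Constructed sample, modelled on the passsync.log lines quoted in this thread
# (the first line mimics the truncated fragment at the top of one excerpt).
SAMPLE_LOG = """\
32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername 32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect 32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
"""

# Standard LDAP result codes (RFC 4511) for the two errors in the thread, with the
# question each one raises for the PassSync -> IdM connection.
LDAP_HINTS = {
    81: "LDAP_SERVER_DOWN: no connection to IdM (host/port 636 reachable? IdM CA trusted on the AD box?)",
    32: "LDAP_NO_SUCH_OBJECT: the configured bind DN or search base does not exist in IdM",
}

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
ERR_RE = re.compile(r"^Ldap (?:bind )?error in (\w+) (\d+): (.*)$")
ABANDON_RE = re.compile(r"^Abandoning password change for (\S+), backoff expired$")

def triage(log_text):
    """Return (Counter of (operation, code) -> count, list of (timestamp, user) abandoned)."""
    errors = Counter()
    abandoned = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:            # lines without a timestamp (truncated fragments) are skipped
            continue
        stamp, msg = m.groups()
        if e := ERR_RE.match(msg):
            op, code, _text = e.groups()
            errors[(op, int(code))] += 1
        elif a := ABANDON_RE.match(msg):
            abandoned.append((stamp, a.group(1)))
    return errors, abandoned

def report(log_text):
    """Human-readable summary: one line per error class, one per dropped password change."""
    errors, abandoned = triage(log_text)
    lines = [f"{n}x code {code} in {op}: {LDAP_HINTS.get(code, 'see RFC 4511 result codes')}"
             for (op, code), n in sorted(errors.items())]
    lines += [f"{stamp}: change for {user} dropped; it never reached IdM, so it must be redone once binds succeed"
              for stamp, user in abandoned]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```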
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users