On 05/15/2015 03:09 PM, nat...@nathanpeters.com wrote:
On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
[root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
"cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
supersecretpassword --passsync supersecretpassword --cacert
/etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
certificate
database for ipadc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready .
.
.
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP
error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP
error:
Connect error]
Have you tried using ldapsearch to verify the connection?
# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
-h
addc2.test.mycompany.net -D "cn=ad
sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
"supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
"objectclass=*"
and/or
# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL
-ZZ -h addc2.test.mycompany.net -D "cn=ad
sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
"supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
"objectclass=*"
Both commands give the same successful result. I don't think it's a
problem with the credentials because I was able to generate different
error messages during the attempted sync setup if I intentionally gave a
bad password or username.
Ok. Have you tried enabling the replication log level?
http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
Ok, that helped a lot. I got this fixed now. Because the manual tells
you to export the cert using a way that doesn't work on newer versions of
windows, I tried to improvise and my first attempt exported the wrong
cert.
The correct way is to go to mmc.exe and add the certificates snap-in.
Then go to personal certificates store for the machine account and export
the one that has -CA at the end of it in the issued to column.
Now that the correct certificate was exported, replication succeeded. The
docs should be updated though to reflect the proper way to export.
I will file a doc bug. What version of Windows are you using that does
not have the correct instructions?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
