Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-18 Thread Hugh
Sorry to be a pest, but I don't suppose you've heard back about this yet,
have you?

Thanks,

Hugh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Rich Megginson

On 02/17/2015 02:03 PM, Hugh wrote:

> On Tue, Feb 17, 2015 at 2:46 PM, Rich Megginson wrote:
>
>> Ok, so I'm assuming 389-ds-base is 1.2.11.15-48 or later?  I think
>> we may need a new version of passsync.
>
> I didn't even know those were installed, but you're spot on. Here are
> the versions of *389*:
>
> 389-ds-base-1.2.11.15-48.el6_6.x86_64
> 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
>
> From what I can tell in the passsync installer, it was packaged just
> last month, so I wouldn't think it would be too far out of date.
> Certainly more recent than my version of IPA.  Were there changes to
> TLS support in passsync or the 389-ds-base?

I'm trying to find out now.

> Thanks,
> Hugh





Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Hugh
On Tue, Feb 17, 2015 at 2:46 PM, Rich Megginson wrote:

>
> Ok, so I'm assuming 389-ds-base is 1.2.11.15-48 or later?  I think we may
> need a new version of passsync.
>

I didn't even know those were installed, but you're spot on. Here are the
versions of *389*:

389-ds-base-1.2.11.15-48.el6_6.x86_64
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64

From what I can tell in the passsync installer, it was packaged just last
month, so I wouldn't think it would be too far out of date. Certainly more
recent than my version of IPA.  Were there changes to TLS support in
passsync or the 389-ds-base?

Thanks,

Hugh

Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Rich Megginson

On 02/17/2015 01:33 PM, Hugh wrote:

>> What version of 389-ds-base are you using?
>>
>> # rpm -q 389-ds-base
>
> Sorry for not specifying. I'm running FreeIPA on CentOS 6.5.
> Installed via yum - ipa-server-3.0.0-42.el6.centos.x86_64

Ok, so I'm assuming 389-ds-base is 1.2.11.15-48 or later?  I think we
may need a new version of passsync.


Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Hugh
> What version of 389-ds-base are you using?
>
> # rpm -q 389-ds-base

Sorry for not specifying. I'm running FreeIPA on CentOS 6.5. Installed via
yum - ipa-server-3.0.0-42.el6.centos.x86_64

Re: [Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Rich Megginson

On 02/17/2015 12:55 PM, Hugh wrote:

> All,
> After my education on what IPA/AD trusts can and can't do, I decided
> to give the IPA-AD sync option a try. After finally finding what I
> think is the proper software to install on the AD DC
> (389-PassSync-1.1.6-x86_64.exe from the Fedora site), I believe I have
> the settings correct, but the Password Synchronization software
> refuses to connect. After changing the Log Level option to 1, I get
> the below in the log file, which doesn't really tell me much of anything.
>
> 02/17/15 13:18:20: Backoff time expired.  Attempting sync
> 02/17/15 13:18:20: Password list has 1 entries
> 02/17/15 13:18:20: Ldap bind error in Connect
>  81: Can't contact LDAP server
> 02/17/15 13:18:20: Attempting to sync password for ADSERVER$
> 02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
> 02/17/15 13:18:20: Ldap error in QueryUsername
>  81: Can't contact LDAP server
> 02/17/15 13:18:20: Deferring password change for ADSERVER$
> 02/17/15 13:18:20: Backing off for 256000ms
>
> The credentials are definitely correct and IPA is set up to do LDAPS
> as, on the same AD server, I can connect and bind using ldp.exe with
> the same settings/credentials and I'm able to browse the LDAP tree.
> I've done a Wireshark capture and it looks like it's failing in the
> TLS negotiation. I can see this entry in the capture:
>
> TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
>     Content Type: Alert (21)
>     Version: TLS 1.2 (0x0303)
>     Length: 2
>     Alert Message
>         Level: Fatal (2)
>         Description: Protocol Version (70)

What version of 389-ds-base are you using?

# rpm -q 389-ds-base

> I added the IPA CA cert to the cert files in the 389 passsync
> directory and I can confirm that as below.
>
> C:\Program Files\389 Directory Password Synchronization>certutil -d . -L
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> IPA CA cert                                   CT,,
>
> When I list that specific certificate, I can see the below in the output.
>
> Certificate Trust Flags:
>     SSL Flags:
>         Valid CA
>         Trusted CA
>         Trusted Client CA
>     Email Flags:
>     Object Signing Flags:
>
> Any pointers/ideas?
> Thanks in advance,
> Hugh





[Freeipa-users] Passsync fails to connect to LDAP

2015-02-17 Thread Hugh
All,

After my education on what IPA/AD trusts can and can't do, I decided to
give the IPA-AD sync option a try. After finally finding what I think is
the proper software to install on the AD DC (389-PassSync-1.1.6-x86_64.exe
from the Fedora site), I believe I have the settings correct, but the
Password Synchronization software refuses to connect. After changing the
Log Level option to 1, I get the below in the log file, which doesn't
really tell me much of anything.

02/17/15 13:18:20: Backoff time expired.  Attempting sync
02/17/15 13:18:20: Password list has 1 entries
02/17/15 13:18:20: Ldap bind error in Connect
 81: Can't contact LDAP server
02/17/15 13:18:20: Attempting to sync password for ADSERVER$
02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
02/17/15 13:18:20: Ldap error in QueryUsername
 81: Can't contact LDAP server
02/17/15 13:18:20: Deferring password change for ADSERVER$
02/17/15 13:18:20: Backing off for 256000ms

The credentials are definitely correct and IPA is set up to do LDAPS as, on
the same AD server, I can connect and bind using ldp.exe with the same
settings/credentials and I'm able to browse the LDAP tree. I've done a
Wireshark capture and it looks like it's failing in the TLS negotiation. I
can see this entry in the capture:

TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Protocol Version (70)

I added the IPA CA cert to the cert files in the 389 passsync directory
and I can confirm that as below.

C:\Program Files\389 Directory Password Synchronization>certutil -d . -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

IPA CA cert                                   CT,,

When I list that specific certificate, I can see the below in the output.

Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        Trusted Client CA
    Email Flags:
    Object Signing Flags:



Any pointers/ideas?

Thanks in advance,

Hugh
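The alert record in the capture above decodes mechanically from its 7 bytes. As an added example (not from this thread, PassSync or 389-ds), here is a small Python parser for TLS record framing that extracts the alert level and description, run over a constructed byte stream carrying the same fatal Protocol Version (70) alert; the handshake stub in front of it is constructed only to show that non-alert records are skipped.

```python
import struct

# TLS record content types, record versions and alert codes (RFC 5246 sections 6.2.1 and 7.2).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}


def iter_records(data):
    """Yield (content_type, record_version, payload) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        # 5-byte record header: type (1), version (2), length (2), all big-endian.
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, version, payload
        off += 5 + length


def first_alert(data):
    """Describe the first Alert record in the stream (or return None if there is none)."""
    for ctype, version, payload in iter_records(data):
        if ctype != 21:
            continue
        if len(payload) != 2:
            raise ValueError("alert payload must be 2 bytes, got %d" % len(payload))
        level, desc = payload[0], payload[1]
        return {
            "record_version": VERSIONS.get(version, "unknown(0x%04x)" % version),
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
            "code": desc,
        }
    return None


# Constructed sample: a 2-byte Handshake record stub, then the alert from the capture:
# type 0x15 (Alert), record version 0x0303 (TLS 1.2), length 2, level 2 (fatal), code 0x46 (70).
SAMPLE_STREAM = bytes.fromhex("16030100020100") + bytes.fromhex("15030300020246")

if __name__ == "__main__":
    print(first_alert(SAMPLE_STREAM))
```

A fatal protocol_version alert from the server side of the LDAPS connection means the server rejected every TLS version the client offered, so the check is the server's accepted version range against what the client can negotiate.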