<div dir="ltr"><div>Hi Rich,</div> <div>After I did all the steps, I am getting this error:</div> <div> </div> <div> </div> <div>INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for <a href="http://tesipa001.test.com">tesipa001.test.com</a><br>INFO:root:Restarted directory server <a href="http://tesipa001.test.com">tesipa001.test.com</a><br> INFO:root:Could not validate connection to remote server <a href="http://windows.test.ad:636">windows.test.ad:636</a> - continuing<br>INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}<br> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com<br>Windows PassSync entry exists, not resetting password<br>INFO:root:Added new sync agreement, waiting for it to become ready . . .<br> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0<br>INFO:root:Agreement is ready, starting replication . . .<br>Starting replication, please wait until this has completed.<br> [<a href="http://saprhds001.bmibank.com">saprhds001.bmibank.com</a>] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]<br>INFO:root:Added agreement for other host <a href="http://windows.test.ad">windows.test.ad</a><br> <br>Please help me to fix this issue.</div> <div> </div> <div>The syntex I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer <a href="http://windows.test.ad">windows.test.ad</a> -v --passsync "password"</div> <div> </div> <div><br> </div> <div class="gmail_quote">On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div class="im">Shan Kumaraswamy wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Rich,<br> While installing IPA its creates its won CA cert right? (cacert.p12),<br></blockquote></div>Right. <div class="im"><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">and also I done the setep of export this CA file as dsca.crt.<br></blockquote></div>Right. You have to do that so that AD can be an SSL client to the IPA SSL server. <div class="im"><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Please let me know steps to generate the IPA CA and server cert?<br></blockquote></div>The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server. <div> <div></div> <div class="h5"><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <br><br> On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>> wrote:<br> <br> Shan Kumaraswamy wrote:<br><br><br> Hi,<br><br> I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync<br> with Active Directory (windows 2008 R2). Can please anyone<br> have step-by-step configuration doc and share to me?<br> Previously I have done the same exercise, but now that is not<br> working for me and I am facing lot of challenges to make this<br> happen.<br><br> Please find the steps what exactly I done so for:<br> <br> 1. Installed RHDS 8.1 and FreeIPA 1.2.1 and configured<br> properly and tested its working fine<br><br> 2. In AD side, installed Active Directory certificate<br> Server as a Enterprise Root<br> <br> 3. Copy the “cacert.p12” file and imported under<br> Certificates –Service (Active Directory Domain service) on<br> Local Computer using MMC.<br><br> 4. Installed PasSync.msi file and given all the required<br> information<br><br> 5. Run the command “certutil -d . -L -n "CA certificate"<br> -a > dsca.crt” from IPA server and copied the .crt file in to<br> AD server and ran this command from “cd "C:\Program Files\Red<br> Hat Directory Password Synchronization"<br><br> 6. certutil.exe -d . -N<br><br> 7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i<br> \path\to\dsca.crt<br><br> 8. certutil.exe -d . -L -n "DS CA cert" and rebooted the<br> AD server.<br><br> After this steps, when try to create sync agreement from IPA<br> server I am getting this error:<br><br> ldap_simple_bind: Can't contact LDAP server<br><br> SSL error -8179 (Peer's Certificate issuer is not<br> recognized.)<br><br> Please share the steps to configure AD Sync with IPA server.<br><br> <a href="http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html" target="_blank">http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html</a><br> <br> But it looks as though there is a step missing. If you use MS AD<br> CA to generate the AD cert, and use IPA to generate the IPA CA and<br> server cert, then you have to import the MS AD CA cert into IPA.<br><br> <br> <br> -- Thanks & Regards<br> Shan Kumaraswamy<br><br><br><br><br><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br><br></blockquote><br></div></div></blockquote></div><br> <br clear="all"><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br><br></div>