<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 06/20/2011 09:37 AM, Attila Bogár wrote:
<blockquote cite="mid:4DFF6955.3050300@linguamatics.com" type="cite">
Hi,<br>
<br>
I'm trying to set up the AD-FreeIPA sync agreement and I'm always
getting this error:<br>
<br>
# ipa-replica-manage connect --winsync --binddn cn="IPA
Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007
--cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com
-v<br>
<br>
Added CA certificate /root/dc1.cer to certificate database for
ipa1.example.com<br>
ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com<br>
<b>Insufficient access</b><br>
<br>
Where does this insufficient access come from?<br>
Can you please provide some guidance with this issue?<br>
</blockquote>
Not sure. First check the directory server access log - look for
err=50 around the time of your command -
/var/log/dirsrv/slapd-YOUR-INSTANCE/access<br>
<blockquote cite="mid:4DFF6955.3050300@linguamatics.com" type="cite">
<br>
<br>
IPA Sync user on the AD side has Domain Admins, Enterprise Admins,
Schema Admins group memberships.<br>
<br>
I'm able to query the AD using ldapsearch and binding with the
credentials and also have an admin Kerberos ticket.<br>
<br>
On the other hand the documentation in the FreeIPA enterprise
guide is succinct rather than adequate, as it doesn't provide at
least one working example.<br>
<br>
I've read all the corresponding documentation and it's still
unclear what password I have to specify with --passsync to
ipa-replica-manage.<br>
<br>
"the password for the Windows PassSync user, and a required
argument to <code class="command">ipa-replica-manage</code> when
creating winsync agreements." I can't see any documentation
mentioning that a PassSync user has to be (or is) created in the
AD.<br>
The bindpw already gives read/write permission to the AD tree, so
I'm wondering why this --passsync is required.<br>
<br>
It's rather annoying to set up PassSync on the Windows side.<br>
The only documentation for this (what FreeIPA refers to) I can see
is:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html</a><br>
<br>
However, "cn=sync,cn=config" on the screenshot for the user name
is misleading, as only the full DN was working for us. I assume
that instead of ou=People,dc=example,dc=com,
cn=user,cn=accounts,dc=example,dc=com has to be substituted (or it
has to be cn=compat?)<br>
<br>
Thanks for any help in advance,<br>
Attila<br>
<br>
<pre wrap="">
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
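The reply above points at the directory server access log and LDAP error 50 (insufficientAccessRights). The following is an added example, not code from either poster or from FreeIPA: a small parser over 389-ds / Red Hat Directory Server access log lines that finds every RESULT with err=50 in a time window around the failed command and pairs it with the operation that was refused and the identity the connection was bound as. The log lines embedded below are constructed for illustration (conn numbers, DNs and times are made up); the log format is the standard 389-ds access log layout.<br>

```python
import re
from datetime import datetime, timedelta

# Constructed sample in 389-ds access log format (not from the poster's server).
# conn=42 is a GSSAPI bind that then tries to ADD a replication agreement
# under cn=config and is refused with err=50.
SAMPLE_ACCESS_LOG = """\
[20/Jun/2011:09:36:58 +0100] conn=41 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.5
[20/Jun/2011:09:36:58 +0100] conn=41 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jun/2011:09:36:58 +0100] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[20/Jun/2011:09:36:59 +0100] conn=41 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Jun/2011:09:36:59 +0100] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jun/2011:09:37:02 +0100] conn=42 fd=67 slot=67 connection from 192.0.2.10 to 192.0.2.5
[20/Jun/2011:09:37:02 +0100] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:09:37:02 +0100] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[20/Jun/2011:09:37:03 +0100] conn=42 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:09:37:03 +0100] conn=42 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[20/Jun/2011:09:37:03 +0100] conn=42 op=2 UNBIND
[20/Jun/2011:09:37:03 +0100] conn=42 op=-1 fd=67 closed - U1
"""

# Common prefix of every access log line: [timestamp] conn=N [op=M] <rest>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$'
)
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 20/Jun/2011:09:37:03 +0100


def parse_ts(ts):
    """Parse a timestamp written in the access log's own format."""
    return datetime.strptime(ts, TS_FORMAT)


def find_failures(log_text, err_code=50, around=None, window_seconds=120):
    """Return one record per RESULT line with err=<err_code>.

    Each record carries the refused operation (ADD/MOD/SRCH/... line) and the
    DN the connection was bound as at that moment. `around` may be a datetime
    or a timestamp string in the log's format; only results within
    `window_seconds` of it are kept.
    """
    if isinstance(around, str):
        around = parse_ts(around)
    pending = {}    # (conn, op) -> operation text, until its RESULT line arrives
    bound_as = {}   # conn -> DN of the last successful bind on that connection
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("op") is None:
            continue                      # skip "connection from" and unparsable lines
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if not rest.startswith("RESULT "):
            pending[(conn, op)] = rest    # BIND, ADD, MOD, SRCH, UNBIND, ...
            continue
        e = ERR_RE.search(rest)
        err = int(e.group("err")) if e else None
        operation = pending.pop((conn, op), "<operation line not seen>")
        if operation.startswith("BIND ") and err == 0:
            # Simple binds carry the DN on the BIND line; SASL/GSSAPI binds log
            # dn="" there and report the authenticated identity on the RESULT.
            d = DN_RE.search(rest) or DN_RE.search(operation)
            bound_as[conn] = d.group("dn") if d else ""
        if err != err_code:
            continue
        ts = parse_ts(m.group("ts"))
        if around is not None and abs(ts - around) > timedelta(seconds=window_seconds):
            continue
        failures.append({
            "time": ts,
            "conn": int(conn),
            "op": int(op),
            "operation": operation,
            "bound_as": bound_as.get(conn, "<anonymous or bind not seen>"),
        })
    return failures


def failures_in_sample():
    """err=50 results within one minute of 09:37:00 in the constructed sample."""
    return find_failures(SAMPLE_ACCESS_LOG, err_code=50,
                         around="20/Jun/2011:09:37:00 +0100", window_seconds=60)


if __name__ == "__main__":
    # On a real server: open("/var/log/dirsrv/slapd-YOUR-INSTANCE/access").read()
    for f in failures_in_sample():
        print(f"{f['time']:%H:%M:%S} conn={f['conn']} op={f['op']} "
              f"bound as {f['bound_as']!r}: {f['operation']}")
```

The record tells you which DN was doing the write and which entry it was refused on, which is what decides whether the fix is the bind identity used by the tool or the ACIs on the target entry. Error 50 can be logged on either the IPA side or the AD side of the sync, so the same parsing applies to whichever server's log shows the refusal.<br>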
</body>
</html>