<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/20/2012 01:08 PM, Jimmy wrote:
<blockquote
cite="mid:CAG8E47T6rmpB21xEsvvD-1ao_DDqqjXhMUH=wU4+_MiECbpdwA@mail.gmail.com"
type="cite">That was it! I have passwords syncing, *BUT*(at the
risk of sounding stupid)-- is it not possible to also sync(add)
the users from AD to DS?</blockquote>
Yes, it is. Just configure IPA Windows Sync<br>
<blockquote
cite="mid:CAG8E47T6rmpB21xEsvvD-1ao_DDqqjXhMUH=wU4+_MiECbpdwA@mail.gmail.com"
type="cite">I created a new user in AD and it doesn't propagate to
DS, just says:
<div><br>
</div>
<div>
<div>attempting to sync password for testuser3</div>
<div>searching for (ntuserdomainid=testuser3)</div>
<div>There are no entries that match: testuser3</div>
<div>deferring password change for testuser3</div>
<br>
<div class="gmail_quote">On Fri, Jan 20, 2012 at 2:46 PM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div class="im"> On 01/20/2012 12:46 PM, Jimmy wrote:
<blockquote type="cite">Getting close here... Now I see
this message in the sync log file:
<div><br>
</div>
<div>
<div>attempting to sync password for testuser</div>
<div>searching for (ntuserdomainid=testuser)</div>
<div>ldap error in queryusername</div>
<div> 32: no such object</div>
<div>deferring password change for testuser</div>
</div>
</blockquote>
</div>
This usually means the search base is incorrect or not
found. You can look at the 389 access log to see what it
was using as the search criteria.
<div>
<div class="h5"><br>
<blockquote type="cite">
<div><br>
<div class="gmail_quote">On Fri, Jan 20, 2012 at
12:23 PM, Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/20/2012 10:23 AM, Jimmy wrote:
<blockquote type="cite">You are correct. I
had installed as an Enterprise root, but
the doc I was reading(original link)
seemed to say that I had to do the
certreq manually, my bad. I think I'm
getting closer I can establish an
openssl connection from DS to AD but I
get these errors:
<div> <br>
</div>
<div>
<div> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt</div>
<div>CONNECTED(00000003)</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div> verify error:num=20:unable to
get local issuer certificate</div>
<div>verify return:1</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div>verify error:num=27:certificate
not trusted</div>
<div>verify return:1</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div>verify error:num=21:unable to
verify the first certificate</div>
<div>verify return:1</div>
<div><br>
</div>
<div>I thought I had imported the cert
from AD but it doesn't seem so. I'm
still researching but if you guys
have a suggestion let me know.</div>
</div>
</blockquote>
</div>
Is dsca.crt the CA that issued the DS server
cert? If so, that won't work. You need the
CA cert from the CA that issued the AD
server cert (i.e. the CA cert from the MS
Enterprise Root CA).
<div>
<div><br>
<blockquote type="cite">
<div>
<div>-J</div>
<br>
<div class="gmail_quote"> On Thu,
Jan 19, 2012 at 5:04 PM, Rich
Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid
rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff"
text="#000000">
<div> On 01/19/2012 02:59 PM,
Jimmy wrote:
<blockquote type="cite">ok.
I started from scratch
this week on this and I
think I've got the right
doc and understand better
where this is going. My
problem now is that when
configuring SSL on the AD
server (step c in this
url: <a
moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
<div> I get this error: </div>
<div><br>
</div>
<div>
<div>certreq -submit
request.req
certnew.cer</div>
<div>Active Directory
Enrollment Policy</div>
<div>
{25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
<div> ldap:</div>
<div>RequestId: 3</div>
<div>RequestId: "3"</div>
<div>Certificate not
issued (Denied) Denied
by Policy Module
0x80094801, The
request does not
contain a certificate
template extension or
the
CertificateTemplate
request attribute.</div>
<div> The request contains no certificate template information. 0x80094801 (-2146875391)</div>
<div>Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)</div>
<div> Denied by Policy
Module 0x80094801,
The request does not
contain a certificate
template extension or
the
CertificateTemplate
request attribute.</div>
<div><br>
</div>
<div>The RH doc says to
use the browser if an
error occurs and IIS
is running but I'm not
running IIS. I
researched that error
but didn't find
anything that helps
with FreeIPA and
passsync.</div>
</div>
</blockquote>
</div>
Hmm - try installing Microsoft
Certificate Authority in
Enterprise Root CA mode - it
will usually automatically
create and install the AD
server cert. <a
moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
<div>
<div><br>
<blockquote type="cite">
<div>
<div><br>
</div>
<div>Jimmy</div>
<div><br>
<div
class="gmail_quote">On
Wed, Jan 11, 2012
at 3:32 PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left: 1px
solid rgb(204,
204, 204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div> On
01/11/2012
11:22 AM,
Jimmy wrote:
<blockquote
type="cite">We
need to be
able to
replicate
user/pass
between
Windows 2008
AD and
FreeIPA.</blockquote>
<br>
</div>
That's what
IPA Windows
Sync is
supposed to
do.
<div><br>
<br>
<blockquote
type="cite">I
have followed
many different
documents and
posted here
about it and
from what I've
read and
procedures
I've followed
we are unable
to accomplish
this.</blockquote>
<br>
</div>
What have you
tried, and
what problems
have you run
into?<br>
<br>
<blockquote
type="cite">
<div>It
doesn't need
to be a full
trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div
class="gmail_quote">On
Tue, Jan 10,
2012 at 3:03
AM, Jan Zelený
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div>
<div>> Just
wondering if
there was
anyone
listening on
the list that
might be<br>
> available
for little
work
integrating
FreeIPA with
Active
Directory<br>
>
(preferably
in the south
east US.) I
hope this
isn't against
the list<br>
> rules, I
just thought
one of you
guys could
help or point
me in the
right<br>
>
direction.<br>
<br>
</div>
</div>
If you want
some help, it
is certainly
not against
list rules ;-)
But in that<br>
case, it would
be much better
if you asked
what exactly
do you need.<br>
<br>
I'm not an AD
expert, but a
couple tips:
If you are
looking for
cross-domain<br>
(cross-realm)
trust, then
you might be a
bit
disappointed,
it is still in<br>
development,
so it probably
won't be 100%
functional at
this moment.<br>
<br>
If you are
looking for
something
else, could
you be a
little more
specific what<br>
it is?<br>
<br>
I also
recommend
starting with
reading some
doc:<br>
<a
moz-do-not-send="true"
href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font
color="#888888">Jan<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
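The two PassSync failures discussed in this thread ("32: no such object" when the search base is wrong, and "There are no entries that match" when the AD user was never synced into DS) both end in "deferring password change", which means the AD password update has not reached DS and the old password stays valid there until a retry succeeds. The script below is an added example, not code from the thread, from PassSync or from 389 DS: it classifies each sync attempt from PassSync log lines and joins them with the 389 access log's SRCH/RESULT lines, which Rich suggests inspecting, to show which base DN the search actually used. The log samples are constructed after the snippets quoted above, the access-log line format is assumed from 389's "conn=.. op=.. SRCH/RESULT" layout, and the base DNs are placeholders.

```python
"""Triage PassSync "deferring password change" lines against the 389 DS
access log.  Added example; sample logs below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed PassSync log, modelled on the lines quoted in the thread.
PASSSYNC_LOG = """\
attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3
attempting to sync password for alice
searching for (ntuserdomainid=alice)
"""

# Constructed 389 DS access-log lines; format assumed, base DNs are placeholders.
ACCESS_LOG = """\
[20/Jan/2012:14:46:01 -0500] conn=7 op=2 SRCH base="ou=users,dc=example,dc=test" scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL
[20/Jan/2012:14:46:01 -0500] conn=7 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[20/Jan/2012:14:47:10 -0500] conn=7 op=3 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(ntuserdomainid=testuser3)" attrs=ALL
[20/Jan/2012:14:47:10 -0500] conn=7 op=3 RESULT err=0 tag=101 nentries=0 etime=0
"""

ATTEMPT_RE = re.compile(r"^attempting to sync password for (\S+)")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)")


def classify_passsync(log: str) -> Dict[str, str]:
    """Group PassSync lines per sync attempt and name the failure mode."""
    attempts: List[Tuple[str, List[str]]] = []
    for line in log.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempts.append((m.group(1), []))
        elif attempts:
            attempts[-1][1].append(line)
    verdicts: Dict[str, str] = {}
    for user, detail in attempts:
        text = "\n".join(detail)
        if "deferring password change" not in text:
            verdicts[user] = "ok"              # no deferral logged
        elif "32: no such object" in text:
            verdicts[user] = "search-base-missing"   # LDAP 32: the base DN itself is absent
        elif "There are no entries that match" in text:
            verdicts[user] = "user-not-in-ds"        # base exists, user entry does not
        else:
            verdicts[user] = "deferred-unknown"
    return verdicts


def search_bases(access_log: str) -> Dict[str, Tuple[str, int, int]]:
    """Join SRCH and RESULT lines on (conn, op); map the user in the
    ntuserdomainid filter to (base DN, LDAP result code, entries returned)."""
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}
    out: Dict[str, Tuple[str, int, int]] = {}
    for line in access_log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            pending[(conn, op)] = (base, filt)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            base, filt = pending.pop((conn, op), (None, None))
            if base is None:
                continue
            fm = re.search(r"ntuserdomainid=([^)]+)", filt)
            if fm:
                out[fm.group(1)] = (base, int(err), int(nentries))
    return out


def report(passsync_log: str, access_log: str) -> List[str]:
    """One line per user: whether the password change was deferred and why."""
    verdicts = classify_passsync(passsync_log)
    bases = search_bases(access_log)
    lines: List[str] = []
    for user, verdict in verdicts.items():
        base, err, n = bases.get(user, ("<no SRCH seen>", None, None))
        if verdict == "search-base-missing":
            lines.append(f"{user}: DEFERRED, search base {base!r} does not exist on DS "
                         f"(err=32); fix the PassSync search base")
        elif verdict == "user-not-in-ds":
            lines.append(f"{user}: DEFERRED, base {base!r} exists (err={err}) but matched "
                         f"{n} entries; user was never synced from AD, configure Windows Sync")
        elif verdict == "ok":
            lines.append(f"{user}: OK")
        else:
            lines.append(f"{user}: DEFERRED for an unrecognised reason, inspect the log")
    return lines


if __name__ == "__main__":
    for line in report(PASSSYNC_LOG, ACCESS_LOG):
        print(line)
```

Run against real logs, the two verdicts map to the two fixes given in the thread: err=32 on the SRCH line points at a search base that DS does not know, while err=0 with nentries=0 means the base is fine and the user simply has no DS entry yet, so Windows Sync (not PassSync) is what needs configuring.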
</body>
</html>