Getting close here... Now I see this message in the sync log file:<div><br></div><div><div>attempting to sync password for testuser</div><div>searching for (ntuserdomainid=testuser)</div><div>ldap error in queryusername</div>
<div> 32: no such object</div><div>deferring password change for testuser</div><br><div class="gmail_quote">On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div class="im">
On 01/20/2012 10:23 AM, Jimmy wrote:
<blockquote type="cite">You are correct. I had installed as an Enterprise
root, but the doc I was reading (original link) seemed to say that
I had to do the certreq manually, my bad. I think I'm getting
closer; I can establish an openssl connection from DS to AD but I
get these errors:
<div>
<br>
</div>
<div>
<div> openssl s_client -connect <a href="http://192.168.201.150:636" target="_blank">192.168.201.150:636</a>
-showcerts -CAfile dsca.crt</div>
<div>CONNECTED(00000003)</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div>
verify error:num=20:unable to get local issuer certificate</div>
<div>verify return:1</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div>verify error:num=27:certificate not trusted</div>
<div>verify return:1</div>
<div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
<div>verify error:num=21:unable to verify the first certificate</div>
<div>verify return:1</div>
<div><br>
</div>
<div>I thought I had imported the cert from AD but it doesn't
seem so. I'm still researching but if you guys have a
suggestion let me know.</div>
</div>
</blockquote></div>
Is dsca.crt the CA that issued the DS server cert? If so, that
won't work. You need the CA cert from the CA that issued the AD
server cert (i.e. the CA cert from the MS Enterprise Root CA).<div><div class="h5"><br>
<blockquote type="cite">
<div>
<div>-J</div>
<br>
<div class="gmail_quote">
On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/19/2012 02:59 PM, Jimmy wrote:
<blockquote type="cite">ok. I started from scratch this
week on this and I think I've got the right doc and
understand better where this is going. My problem now
is that when configuring SSL on the AD server (step c
in this url: <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
<div> I get this error: </div>
<div><br>
</div>
<div>
<div>certreq -submit request.req certnew.cer</div>
<div>Active Directory Enrollment Policy</div>
<div> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
<div> ldap:</div>
<div>RequestId: 3</div>
<div>RequestId: "3"</div>
<div>Certificate not issued (Denied) Denied by
Policy Module 0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.</div>
<div> The request contains no certificate template
information. 0x80094801 (-2146875391)</div>
<div>Certificate Request Processor: The request
contains no certificate template information.
0x80094801 (-2146875391)</div>
<div> Denied by Policy Module 0x80094801, The
request does not contain a certificate template
extension or the CertificateTemplate request
attribute.</div>
<div><br>
</div>
<div>The RH doc says to use the browser if an error
occurs and IIS is running but I'm not running IIS.
I researched that error but didn't find anything
that helps with FreeIPA and PassSync.</div>
</div>
</blockquote>
</div>
Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert. <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
<div>
<div><br>
<blockquote type="cite">
<div>
<div><br>
</div>
<div>Jimmy</div>
<div><br>
<div class="gmail_quote">On Wed, Jan 11, 2012 at
3:32 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/11/2012 11:22 AM, Jimmy wrote:
<blockquote type="cite">We need to be
able to replicate user/pass between
Windows 2008 AD and FreeIPA.</blockquote>
<br>
</div>
That's what IPA Windows Sync is supposed
to do.
<div><br>
<br>
<blockquote type="cite">I have followed
many different documents and posted
here about it and from what I've read
and procedures I've followed we are
unable to accomplish this.</blockquote>
<br>
</div>
What have you tried, and what problems
have you run into?<br>
<br>
<blockquote type="cite">
<div>It doesn't need to be a full
trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Tue, Jan
10, 2012 at 3:03 AM, Jan Zelený <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>> Just wondering if
there was anyone listening
on the list that might be<br>
> available for a little
work integrating FreeIPA
with Active Directory<br>
> (preferably in the
south east US.) I hope this
isn't against the list<br>
> rules, I just thought
one of you guys could help
or point me in the right<br>
> direction.<br>
<br>
</div>
</div>
If you want some help, it is
certainly not against list rules
;-) But in that<br>
case, it would be much better if
you asked what exactly you
need.<br>
<br>
I'm not an AD expert, but a
couple of tips: If you are looking
for cross-domain<br>
(cross-realm) trust, then you
might be a bit disappointed; it
is still in<br>
development, so it probably
won't be 100% functional at this
moment.<br>
<br>
If you are looking for something
else, could you be a little more
specific about what<br>
it is?<br>
<br>
I also recommend starting with
reading some doc:<br>
<a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font color="#888888">Jan<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<pre>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
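The thread quotes two diagnostics that are easy to misread: the openssl s_client verify trace (num=20/27/21 against the wrong -CAfile) and the PassSync log excerpt ending in LDAP result 32. The script below is an added example, not code from the thread, FreeIPA, 389 DS or PassSync. It parses both outputs, pairs each verify error with the certificate depth it was raised at, and maps the LDAP result code to its RFC 4511 name so the operator can see that the TLS failure is a missing issuer in the CA bundle (Rich's point about using the AD Enterprise Root CA cert rather than dsca.crt) and that the sync failure is a search whose base object does not exist. The sample inputs are constructed from the lines quoted above; the advice strings and the small LDAP code table are this example's own.

```python
"""Triage the openssl s_client verify trace and the PassSync log excerpt.
Added example; not code from FreeIPA, 389 DS or PassSync.  Sample inputs
are constructed from the lines quoted in the mailing-list thread."""
import re
from typing import Dict, List, Tuple

OPENSSL_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1
"""

PASSSYNC_LOG = """\
attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SYNC_RE = re.compile(r"^attempting to sync password for (\S+)$")
SEARCH_RE = re.compile(r"^searching for (\(.*\))$")
LDAP_ERR_RE = re.compile(r"^ldap error in (\w+)$")
LDAP_CODE_RE = re.compile(r"^\s*(\d+):\s*(.*)$")
DEFER_RE = re.compile(r"^deferring password change for (\S+)$")

# A few LDAP result codes (RFC 4511) that show up in DS/PassSync logs.
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}

Finding = Tuple[int, str, int, str]  # (depth, subject, verify error number, message)


def parse_openssl_verify(text: str) -> List[Finding]:
    """Pair every 'verify error' line with the 'depth=N subject' line before it."""
    findings: List[Finding] = []
    depth, subject = -1, ""
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            findings.append((depth, subject, int(m.group(1)), m.group(2).strip()))
    return findings


def diagnose_tls(findings: List[Finding]) -> Dict[str, object]:
    """num=20 at the deepest certificate seen means its issuer is not in the
    -CAfile bundle; 27 and 21 then follow because no chain to a trusted root
    could be built.  Depth 0 only means the server sent just its leaf cert."""
    deepest = max((d for d, _, _, _ in findings), default=-1)
    missing_issuer = any(num == 20 and d == deepest for d, _, num, _ in findings)
    return {
        "server_subject": findings[0][1] if findings else "",
        "chain_depth": deepest,
        "missing_issuer_in_cafile": missing_issuer,
        "advice": ("pass the certificate of the CA that issued the AD server "
                   "certificate with -CAfile (the AD Enterprise Root CA), not the DS CA"
                   if missing_issuer else "no trust-anchor problem detected"),
    }


def parse_passsync_log(text: str) -> List[Dict[str, object]]:
    """Turn the PassSync log into events; an 'ldap error in <op>' line is
    followed by a ' <code>: <message>' line carrying the LDAP result."""
    events: List[Dict[str, object]] = []
    user, search_filter, pending_op = "", "", ""
    for line in text.splitlines():
        if (m := SYNC_RE.match(line)):
            user = m.group(1)
        elif (m := SEARCH_RE.match(line)):
            search_filter = m.group(1)
        elif (m := LDAP_ERR_RE.match(line)):
            pending_op = m.group(1)
        elif pending_op and (m := LDAP_CODE_RE.match(line)):
            code = int(m.group(1))
            events.append({"user": user, "operation": pending_op, "filter": search_filter,
                           "code": code, "name": LDAP_RESULT_CODES.get(code, "unknown"),
                           "message": m.group(2)})
            pending_op = ""
        elif (m := DEFER_RE.match(line)):
            events.append({"user": m.group(1), "operation": "defer", "filter": "",
                           "code": None, "name": "deferred", "message": ""})
    return events


def diagnose_passsync(events: List[Dict[str, object]]) -> List[str]:
    """noSuchObject on a search means the base DN of that search is absent on
    the server, so the filter never matched anything (general LDAP semantics)."""
    notes = []
    for ev in events:
        if ev["code"] == 32:
            notes.append(f"{ev['operation']} for {ev['user']} returned noSuchObject: the search "
                         f"base configured for PassSync does not exist on the DS; {ev['filter']} "
                         "was never evaluated against any entry")
        elif ev["name"] == "deferred":
            notes.append(f"PassSync deferred the password change for {ev['user']} and will retry; "
                         "the cause is the error logged just before it")
    return notes


def triage(openssl_text: str, passsync_text: str) -> Dict[str, object]:
    return {"tls": diagnose_tls(parse_openssl_verify(openssl_text)),
            "passsync": diagnose_passsync(parse_passsync_log(passsync_text))}


if __name__ == "__main__":
    for section, result in triage(OPENSSL_OUTPUT, PASSSYNC_LOG).items():
        print(section, result)
```

Run it against real output by pasting the `openssl s_client ... -showcerts -CAfile` trace and the PassSync log section into the two constants; a depth greater than 0 in the trace means the server did send an intermediate, and the missing issuer is then the root above it rather than the server certificate's direct issuer.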