Ok, I just realized that I only have passsync and not winsync, stupid oversight, but now that I know it I need to get winsync. Is there a location to download binaries or must I compile from source? I see the binaries for passsync on the directory server project downloads but I don't see the same for winsync.<div>



<br></div><div>Thanks,</div><div>Jim<br><br><div class="gmail_quote">On Mon, Jan 23, 2012 at 1:33 PM, Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  <div bgcolor="#ffffff" text="#000000"><div>
    On 01/23/2012 11:34 AM, Jimmy wrote:
    <blockquote type="cite">I did create the winsync user and it is an admin. 
      <div><br>
      </div>
      <div>I will fix the IP address (change to hostname); I only did it
        that way because this is currently a test system, so I can figure
        out how to get it all working.<br>
      </div>
    </blockquote></div>
    ok - once you do that, you can check the 389 errors log at
    /var/log/dirsrv/slapd-INST/errors to see if winsync is logging any
    errors.<div><div><br>
    <blockquote type="cite">
      <div>
        <br>
        <div class="gmail_quote">On Mon, Jan 23, 2012 at 1:06 PM, Rich
          Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div bgcolor="#ffffff" text="#000000">
              <div> On 01/23/2012 10:52 AM, Jimmy wrote:
                <blockquote type="cite">That's what I was thinking, and
                  what I did, but it still doesn't replicate new users.
                  This is the command I used:
                  <div><br>
                  </div>
                  <div> ipa-replica-manage connect --passsync --binddn
                    cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp
                    --bindpw=******** --cacert
                    /home/winsync/AD-server-cert.cer 192.168.201.150 -v<br>
                  </div>
                </blockquote>
                <br>
              </div>
              Did you create the user
              cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp?  And does this
              user have the rights to perform sync? (e.g. has to have
              replicator rights, or be some sort of admin) - see <a href="http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx" target="_blank">http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx</a>
              - the AD user must have replication rights and write
              rights.<br>
              <br>
              In addition, since this process uses SSL, you cannot use
              an IP address, you must use a hostname, or the SSL cert
              hostname checking (for MITM) will fail.
              <div>
                <div><br>
                  <blockquote type="cite">
                    <div> <br>
                      <div class="gmail_quote">On Mon, Jan 23, 2012 at
                        12:30 PM, Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#ffffff" text="#000000">
                            <div> On 01/23/2012 10:19 AM, Jimmy wrote:
                              <blockquote type="cite">Here's what I
                                found in the DS admin guide. Is this all
                                that's needed to create the sync
                                agreement?</blockquote>
                            </div>
                            Not with ipa - you should use the
                            ipa-replica-manage command instead
                            <div><br>
                              <blockquote type="cite"> Thanks.
                                <div><br>
                                </div>
                                <div>
                                  <div>add sync agreement:</div>
                                  <div>ldapmodify -x -D "cn=Directory
                                    Manager" -W</div>
                                  <div>Enter LDAP Password: *******</div>
                                  <div>dn:
                                    cn=ExampleSyncAgreement,cn=sync
                                    replica,cn=dc=example\,dc=com,cn=mapping
                                    tree,cn=config</div>
                                </div>
                              </blockquote>
                            </div>
                            it should be cn=replica, not cn=sync replica
                            - does it use the latter in the Admin Guide?
                            <div>
                              <div><br>
                                <blockquote type="cite">
                                  <div>
                                    <div>changetype: add</div>
                                    <div>objectclass: top</div>
                                    <div>objectclass:
                                      nsDSWindowsReplicationAgreement</div>
                                    <div>cn: ExampleSyncAgreement</div>
                                    <div>nsds7WindowsReplicaSubtree:
                                      cn=Users,dc=ad1</div>
                                    <div>nsds7DirectoryReplicaSubtree:
                                      ou=People,dc=example,dc=com</div>
                                  </div>
                                </blockquote>
                                <blockquote type="cite">
                                  <div>
                                    <div>nsds7NewWinUserSyncEnabled: on</div>
                                    <div>nsds7NewWinGroupSyncEnabled: on</div>
                                    <div>nsds7WindowsDomain: ad1</div>
                                    <div>nsDS5ReplicaRoot:
                                      dc=example,dc=com</div>
                                    <div>nsDS5ReplicaHost: ad1.windows-server.com</div>
                                    <div>nsDS5ReplicaPort: 389</div>
                                    <div>nsDS5ReplicaBindDN: cn=sync
                                      user,cn=config</div>
                                    <div>nsDS5ReplicaBindCredentials:
                                      {DES}ffGad646dT0nnsT8nJOaMA==</div>
                                    <div>nsDS5ReplicaTransportInfo: TLS</div>
                                    <div>winSyncInterval: 1200</div>
                                    <br>
                                    <div class="gmail_quote">On Fri, Jan
                                      20, 2012 at 3:28 PM, Rich
                                      Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                        <div bgcolor="#ffffff" text="#000000">
                                          <div> On 01/20/2012 01:08 PM,
                                            Jimmy wrote:
                                             <blockquote type="cite">That
                                               was it! I have passwords
                                               syncing, *BUT* (at the risk
                                               of sounding stupid) -- is
                                               it not possible to also
                                               sync (add) the users from
                                               AD to DS?</blockquote>
                                          </div>
                                          Yes, it is.  Just configure
                                          IPA Windows Sync
                                          <div>
                                            <div><br>
                                              <blockquote type="cite">I
                                                created a new user in AD
                                                 and it doesn't propagate
                                                to DS, just says:
                                                <div><br>
                                                </div>
                                                <div>
                                                  <div>attempting to
                                                    sync password for
                                                    testuser3</div>
                                                  <div>searching for
                                                    (ntuserdomainid=testuser3)</div>
                                                  <div>There are no
                                                    entries that match:
                                                    testuser3</div>
                                                  <div>deferring
                                                    password change for
                                                    testuser3</div>
                                                  <br>
                                                  <div class="gmail_quote">On
                                                    Fri, Jan 20, 2012 at
                                                    2:46 PM, Rich
                                                     Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
                                                    wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                      <div bgcolor="#ffffff" text="#000000">
                                                        <div> On
                                                          01/20/2012
                                                          12:46 PM,
                                                          Jimmy wrote:
                                                          <blockquote type="cite">Getting
                                                          close here...
                                                          Now I see this
                                                          message in the
                                                          sync log file:
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>attempting
                                                          to sync
                                                          password for
                                                          testuser</div>
                                                          <div>searching
                                                          for
                                                          (ntuserdomainid=testuser)</div>
                                                          <div>ldap
                                                          error in
                                                          queryusername</div>
                                                          <div> 32: no
                                                          such object</div>
                                                          <div>deferring
                                                          password
                                                          change for
                                                          testuser</div>
                                                          </div>
                                                          </blockquote>
                                                        </div>
                                                        This usually
                                                        means the search
                                                        base is
                                                        incorrect or not
                                                        found.  You can
                                                        look at the 389
                                                        access log to
                                                        see what it was
                                                        using as the
                                                        search criteria.
                                                        <div>
                                                          <div><br>
                                                          <blockquote type="cite">
                                                          <div><br>
                                                          <div class="gmail_quote">On
                                                          Fri, Jan 20,
                                                          2012 at 12:23
                                                          PM, Rich
                                                           Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
                                                          <div> On
                                                          01/20/2012
                                                          10:23 AM,
                                                          Jimmy wrote:
                                                           <blockquote type="cite">You
                                                           are correct. I
                                                           had installed
                                                           as an
                                                           Enterprise
                                                           root, but the
                                                           doc I was
                                                           reading (original
                                                           link) seemed
                                                           to say that I
                                                           had to do the
                                                           certreq
                                                           manually, my
                                                           bad. I think
                                                           I'm getting
                                                           closer; I can
                                                           establish an
                                                           openssl
                                                           connection
                                                           from DS to AD
                                                           but I get
                                                           these errors:
                                                          <div> <br>
                                                          </div>
                                                          <div>
                                                          <div> openssl
                                                          s_client
                                                           -connect 192.168.201.150:636
                                                          -showcerts
                                                          -CAfile
                                                          dsca.crt</div>
                                                          <div>CONNECTED(00000003)</div>
                                                          <div>depth=0
                                                          CN =
                                                          csp-ad.cspad.pdh.csp</div>
                                                          <div> verify
                                                          error:num=20:unable
                                                          to get local
                                                          issuer
                                                          certificate</div>
                                                          <div>verify
                                                          return:1</div>
                                                          <div>depth=0
                                                          CN =
                                                          csp-ad.cspad.pdh.csp</div>
                                                          <div>verify
                                                          error:num=27:certificate
                                                          not trusted</div>
                                                          <div>verify
                                                          return:1</div>
                                                          <div>depth=0
                                                          CN =
                                                          csp-ad.cspad.pdh.csp</div>
                                                          <div>verify
                                                          error:num=21:unable
                                                          to verify the
                                                          first
                                                          certificate</div>
                                                          <div>verify
                                                          return:1</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I thought
                                                          I had imported
                                                          the cert from
                                                          AD but it
                                                          doesn't seem
                                                          so. I'm still
                                                          researching
                                                          but if you
                                                          guys have a
                                                          suggestion let
                                                          me know.</div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          Is dsca.crt
                                                          the CA that
                                                          issued the DS
                                                          server cert? 
                                                          If so, that
                                                          won't work. 
                                                          You need the
                                                          CA cert from
                                                          the CA that
                                                          issued the AD
                                                          server cert
                                                          (i.e. the CA
                                                          cert from the
                                                          MS Enterprise
                                                          Root CA).
                                                          <div>
                                                          <div><br>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div>-J</div>
                                                          <br>
                                                          <div class="gmail_quote">
                                                          On Thu, Jan
                                                          19, 2012 at
                                                          5:04 PM, Rich
                                                           Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
                                                          <div> On
                                                          01/19/2012
                                                          02:59 PM,
                                                          Jimmy wrote:
                                                          <blockquote type="cite">ok.
                                                          I started from
                                                          scratch this
                                                          week on this
                                                          and I think
                                                          I've got the
                                                          right doc and
                                                          understand
                                                          better where
                                                          this is going.
                                                          My problem now
                                                          is that when
                                                          configuring
                                                          SSL on the AD
                                                          server (step c
                                                          in this url: 
                                                          <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
                                                          <div> I get
                                                          this error: </div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>certreq
                                                          -submit
                                                          request.req
                                                          certnew.cer</div>
                                                          <div>Active
                                                          Directory
                                                          Enrollment
                                                          Policy</div>
                                                          <div> 
                                                          {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
                                                          <div>  ldap:</div>
                                                          <div>RequestId:
                                                          3</div>
                                                          <div>RequestId:
                                                          "3"</div>
                                                          <div>Certificate
                                                          not issued
                                                          (Denied)
                                                          Denied by
                                                          Policy Module
                                                           0x80094801,
                                                          The request
                                                          does not
                                                          contain a
                                                          certificate
                                                          template
                                                          extension or
                                                          the
                                                          CertificateTemplate
                                                          request
                                                          attribute.</div>
                                                          <div> The
                                                          request
                                                          contains no
                                                          certificate
                                                          template
                                                          information.
                                                           0x80094801 (-2146875391)</div>
                                                          <div>Certificate
                                                          Request
                                                          Processor: The
                                                          request
                                                          contains no
                                                          certificate
                                                          template
                                                          information.
                                                           0x80094801 (-2146875391)</div>
                                                          <div> Denied
                                                          by Policy
                                                          Module
                                                           0x80094801,
                                                          The request
                                                          does not
                                                          contain a
                                                          certificate
                                                          template
                                                          extension or
                                                          the
                                                          CertificateTemplate
                                                          request
                                                          attribute.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>The RH
                                                          doc says to
                                                          use the
                                                          browser if an
                                                          error occurs
                                                          and IIS is
                                                          running but
                                                          I'm not
                                                          running IIS. I
                                                          researched
                                                          that error but
                                                          didn't find
                                                          anything that
                                                          helps with
                                                          FreeIPA and
                                                          passsync.</div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          Hmm - try
                                                          installing
                                                          Microsoft
                                                          Certificate
                                                          Authority in
                                                          Enterprise
                                                          Root CA mode -
                                                          it will
                                                          usually
                                                          automatically
                                                          create and
                                                          install the AD
                                                          server cert. 
                                                          <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
                                                          <div>
                                                          <div><br>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div>Jimmy</div>
                                                          <div><br>
<div class="gmail_quote">On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
<div> On 01/11/2012 11:22 AM, Jimmy wrote:
<blockquote type="cite">We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.</blockquote>
<br>
</div>
That's what IPA Windows Sync is supposed to do.
<div><br>
<br>
<blockquote type="cite">I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.</blockquote>
<br>
</div>
What have you tried, and what problems have you run into?<br>
                                                          <br>
                                                          <blockquote type="cite">
<div>It doesn't need to be a full trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>> Just wondering if there was anyone listening on the list that might be<br>
> available for little work integrating FreeIPA with Active Directory<br>
> (preferably in the south east US.) I hope this isn't against the list<br>
> rules, I just thought one of you guys could help or point me in the right<br>
> direction.<br>
<br>
</div>
</div>
If you want some help, it is certainly not against list rules ;-) But in that<br>
case, it would be much better if you asked what exactly you need.<br>
<br>
I'm not an AD expert, but a couple of tips: If you are looking for cross-domain<br>
(cross-realm) trust, then you might be a bit disappointed, it is still in<br>
development, so it probably won't be 100% functional at this moment.<br>
<br>
If you are looking for something else, could you be a little more specific what<br>
it is?<br>
<br>
I also recommend starting with reading some doc:<br>
<a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font color="#888888">Jan<br>
</font></span></blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </blockquote>
                                              <br>
                                            </div>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
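The thread's advice to get an AD server certificate in place (Enterprise Root CA mode auto-enrolls one) matters because winsync connects to the domain controller over LDAPS, and a missing or untrusted certificate is the usual reason a sync agreement silently never replicates. The script below is an added example, not code from the thread or from the 389 DS / FreeIPA projects: it runs <code>openssl s_client</code> against the DC, checks that the chain verifies against the CA file the IPA side trusts, and checks that the certificate's CN matches the hostname used in the agreement (connecting by IP address never matches the CN). The hostname <code>dc1.example.com</code>, the CA file path and the two sample <code>s_client</code> transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the LDAPS endpoint of an
# AD domain controller before debugging a winsync agreement.
# Placeholders assumed: DC hostname, port 636, CA file path.

# Read `openssl s_client` output on stdin and report whether the TLS
# handshake and chain verification succeeded. Returns 0 on success.
parse_s_client_verify() {
    verify_line=$(grep '^ *Verify return code:' | head -n 1)
    case "$verify_line" in
        *'Verify return code: 0 (ok)'*)
            printf '%s\n' "chain OK"; return 0 ;;
        '')
            printf '%s\n' "no TLS handshake (is LDAPS enabled on the DC?)"; return 1 ;;
        *)
            printf '%s\n' "verification failed: ${verify_line#*: }"; return 1 ;;
    esac
}

# Extract the subject CN from `s_client` output; handles both the
# "subject=CN = host" (OpenSSL 1.1+) and "subject=/CN=host" (1.0) layouts.
subject_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/ ]*\).*/\1/p' | head -n 1
}

# Full live check: HOST [PORT] CAFILE. Requires network access to the DC.
check_ldaps() {
    host=$1; port=${2:-636}; cafile=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | parse_s_client_verify || return 1
    cn=$(printf '%s\n' "$out" | subject_cn)
    if [ "$cn" = "$host" ]; then
        printf '%s\n' "CN matches $host"; return 0
    fi
    printf '%s\n' "CN '$cn' does not match $host (use the hostname, not an IP)"
    return 1
}

# Constructed sample transcripts so the parsing runs offline.
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = Example Enterprise Root CA
verify return:1
depth=0 CN = dc1.example.com
verify return:1
---
subject=CN = dc1.example.com
issuer=CN = Example Enterprise Root CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---'

SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = dc1.example.com
verify error:num=20:unable to get local issuer certificate
---
subject=/CN=dc1.example.com
issuer=/CN=Example Enterprise Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
---'

demo() {
    printf 'good sample: '
    printf '%s\n' "$SAMPLE_OK" | parse_s_client_verify
    printf 'bad sample:  '
    printf '%s\n' "$SAMPLE_BAD" | parse_s_client_verify || true
    printf 'CN in bad sample: %s\n' "$(printf '%s\n' "$SAMPLE_BAD" | subject_cn)"
}
demo
```

For a real DC run <code>check_ldaps dc1.example.com 636 /path/to/ad-ca.pem</code>, where the CA file is the same certificate you imported into the 389 DS trust store for the sync agreement; a verify code of 20 or 21 means the DC's certificate chain is not anchored by that file, which is exactly what the Enterprise Root CA setup in the thread is meant to fix.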