Found the reason for the ldap search not working: when I created the AD certificate role, I accidentally entered a new sub-domain, so instead of the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to work.<div>
<br></div><div>ldif output-- <a href="http://fpaste.org/xbOC/">http://fpaste.org/xbOC/</a> </div><div>debug-
<a href="http://fpaste.org/6g8q/">http://fpaste.org/6g8q/</a> </div><div><br></div><div>I guess I need to redo the sync agreement to fix the server DNS name.</div><div><br></div><div>I will be traveling for work for the next couple days but should still be working on this issue some. I'll take VMs of the servers on my laptop to be able to keep working.</div>
<div>-Jimmy</div><div><br><div class="gmail_quote">On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div class="im">
On 01/19/2012 02:59 PM, Jimmy wrote:
<blockquote type="cite">ok. I started from scratch this week on this and I
think I've got the right doc and understand better where this is
going. My problem now is that when configuring SSL on the AD
server (step c in this url:
<a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
<div>
I get this error: </div>
<div><br>
</div>
<div>
<div>certreq -submit request.req certnew.cer</div>
<div>Active Directory Enrollment Policy</div>
<div> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
<div> ldap:</div>
<div>RequestId: 3</div>
<div>RequestId: "3"</div>
<div>Certificate not issued (Denied) Denied by Policy Module
0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request
attribute.</div>
<div> The request contains no certificate template information.
0x80094801 (-2146875391)</div>
<div>Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391)</div>
<div>
Denied by Policy Module 0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.</div>
<div><br>
</div>
<div>The RH doc says to use the browser if an error occurs and
IIS is running but I'm not running IIS. I researched that
error but didn't find anything that helps with FreeIPA and
passsync.</div>
</div>
</blockquote></div>
Hmm - try installing Microsoft Certificate Authority in Enterprise
Root CA mode - it will usually automatically create and install the
AD server cert.
<a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a><div><div class="h5"><br>
<blockquote type="cite">
<div>
<div><br>
</div>
<div>Jimmy</div>
<div><br>
<div class="gmail_quote">On Wed, Jan 11, 2012 at 3:32 PM, Rich
Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/11/2012 11:22 AM, Jimmy wrote:
<blockquote type="cite">We need to be able to
replicate user/pass between Windows 2008 AD and
FreeIPA.</blockquote>
<br>
</div>
That's what IPA Windows Sync is supposed to do.
<div><br>
<br>
<blockquote type="cite">I have followed many different
documents and posted here about it and from what
I've read and procedures I've followed we are unable
to accomplish this.</blockquote>
<br>
</div>
What have you tried, and what problems have you run
into?<br>
<br>
<blockquote type="cite">
<div>It doesn't need to be a full trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Tue, Jan 10, 2012 at
3:03 AM, Jan Zelený <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>> Just wondering if there was anyone
listening on the list that might be<br>
> available for little work integrating
FreeIPA with Active Directory<br>
> (preferably in the south east US.) I
hope this isn't against the list<br>
> rules, I just thought one of you guys
could help or point me in the right<br>
> direction.<br>
<br>
</div>
</div>
If you want some help, it is certainly not
against list rules ;-) But in that<br>
case, it would be much better if you asked
what exactly do you need.<br>
<br>
I'm not an AD expert, but a couple tips: If
you are looking for cross-domain<br>
(cross-realm) trust, then you might be a bit
disappointed, it is still in<br>
development, so it probably won't be 100%
functional at this moment.<br>
<br>
If you are looking for something else, could
you be a little more specific what<br>
it is?<br>
<br>
I also recommend starting with reading some
doc:<br>
<a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font color="#888888">Jan<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
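<div>Added example, not part of the original thread and not FreeIPA or 389-ds code: a check that the host name configured in a sync agreement matches a name in the AD server certificate, which is the mismatch described in the top message. The certificate dict is constructed from the two host names in the thread, and the function names are hypothetical.</div>

```python
# Added example: names and certificate contents below are constructed from
# the host names mentioned in the thread; this is not FreeIPA/389-ds code.

def cert_dns_names(cert):
    """Return the DNS names a TLS client will accept for this certificate.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert().
    subjectAltName DNS entries take precedence; the subject CN is only a
    fallback when no DNS SAN is present (RFC 6125 behaviour).
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_sync_host(cert, configured_host):
    """Return (ok, names_in_cert) for the host named in the sync agreement."""
    names = cert_dns_names(cert)
    return any(name_matches(n, configured_host) for n in names), names


# Constructed sample: certificate issued with the extra sub-domain.
AD_CERT = {
    "subject": ((("commonName", "csp-ad.cspad.pdh.csp"),),),
    "subjectAltName": (("DNS", "csp-ad.cspad.pdh.csp"),),
}

if __name__ == "__main__":
    for host in ("csp-ad.pdh.csp", "csp-ad.cspad.pdh.csp"):
        ok, names = check_sync_host(AD_CERT, host)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (cert names: {names})")
```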