<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body ocsi="0" fpstyle="1" bgcolor="#FFFFFF"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">trying to find a command to check that connection<br> <br> <br> <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF258307"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Rich Megginson [rmeggins@redhat.com]<br> <b>Sent:</b> Tuesday, February 04, 2014 1:02 PM<br> <b>To:</b> Todd Maugh; dpal@redhat.com<br> <b>Cc:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: Creating password sync<br> </font><br> </div> <div></div> <div> <div class="moz-cite-prefix">On 02/04/2014 01:57 PM, Todd Maugh wrote:<br> </div> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">I tested a ssl connection from my ldap server to AD<br> </div> </blockquote> <br> Ok. What about the ssl connection from the windows AD machine to your IdM ldap server?<br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"><br> this is the output<br> <br> <pre> openssl s_client -connect qatestdc2.boingoqa.local:636 CONNECTED(00000003) depth=0 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 verify error:num=27:certificate not trusted verify return:1 depth=0 verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s: i:/DC=local/DC=boingoqa/CN=SKYWARPCA --- Server certificate -----BEGIN CERTIFICATE----- MIIGpzCCBI+gAwIBAgIKYTm2iQAAAAAAETANBgkqhkiG9w0BAQQFADBFMRUwEwYK CZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghib2luZ29xYTESMBAG A1UEAxMJU0tZV0FSUENBMB4XDTE0MDIwNDE5MTcxNVoXDTE2MDIwNDE5MjcxNVow ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBobXktKGUg/ynXMuQ7 q4KPRHSQkU7yD6wrpC+rzbjVYyg3LyE7+STlt0TbsataBciq5DExeByJIWvDn81T RW2dqXYUhCPfH96rt6SpnZtWwLs2fBtFqnC4K7Wf7k3b3JHUiMw+V9Q6Nlo4w6HX PygYAKVp/4L+SS0S55MRRYhTPgwE6nnj1HXbJuAwyNcn/xaqI5XIoSVYwXYNkaz5 4JibJ/bJvMqwfnIQH6JuTz2YgXSdebz6UzgsloYfJlpr15UoAvkRcjtdCN+I6ZGT j9AJNhOCzqDn1M5nrwpDj6+AZjf49yXQ4MndZaCAcD3lUIZZfzBh8plBIhbR6P9l wgsCAwEAAaOCAtwwggLYMD4GCSsGAQQBgjcVBwQxMC8GJysGAQQBgjcVCIb+j0KF oOMAh/2TOIWXwCKG2tdBgUiB4aFdg/6GFQIBZQIBADAyBgNVHSUEKzApBgcrBgEF AgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD AgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEEAYI3FAICMAoG CCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQ7uvQtzIM4rIkZ+9gx+qwj gGfVVTAfBgNVHSMEGDAWgBR8X3Ffa9ODPVuv2VSdfoixzqhcgzCBzAYDVR0fBIHE MIHBMIG+oIG7oIG4hoG1bGRhcDovLy9DTj1TS1lXQVJQQ0EsQ049UUFURVNUREMy LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD Tj1Db25maWd1cmF0aW9uLERDPWJvaW5nb3FhLERDPWxvY2FsP2NlcnRpZmljYXRl UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q b2ludDCBvgYIKwYBBQUHAQEEgbEwga4wgasGCCsGAQUFBzAChoGebGRhcDovLy9D Tj1TS1lXQVJQQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Ym9pbmdvcWEsREM9bG9jYWw/ Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRo b3JpdHkwQAYDVR0RAQH/BDYwNIIYUUFURVNUREMyLmJvaW5nb3FhLmxvY2Fsgg5i b2luZ29xYS5sb2NhbIIIQk9JTkdPUUEwDQYJKoZIhvcNAQEEBQADggIBALZdnAQ3 Q89udt97z7fRhCEOe/169M4Veo7mxw5IJ7/kdv3+6OQr/6xXOgy67SpeEj14BPCB ehEXHd1N8nSd5MxR73C65QxiC/jCR0VhHYIZyNkGke44EWl6o/7frHHXIkgKhSHI TumCdHc1erfwlRaifPksYO8f5HpE1FABeBhmPau003My4uLbcwMPt+XS1AlGSRM7 mxE3JjnFp0iD+kNvDA7SlcOYxkNRyCG1ty4TOdWq9FIRf9m+f4dLXZ/ZR2kPi7GY TBwCm4R8wqvi2UmNv2b/jhP39RqVEXMlFoVM2ciOSk5Za9zJ/0ykhHTImea92Pwz eNfF89abIR7rADkPsulcTfAuwLfHbnfB2DUw75WaIesNLyc49sjgWLSk2B0trjc8 Z2FiVWYRBgLLrn5OKOHIzBD9fuGShTMU5I6U53Sr0CtoSvAX57wfkSdlydAH/MqP lFBjzGWQA00ZiEgN0Cc1y47g50uHE8nUNoeVoxD0arBO8utvr7R6yL9caIvs+09N B/idR3c8Sjb0c3g8pCFGLzDkM6iH/cklzh8hYaddbCiHzDruzbJv4ORLFo7dL/Sb nZbit2qjoLUmnTSXAxE9A39qiX5f/cKUFnFB/kuiYKUoUFaWkLxmXd9zarIhkpA6 1adEmspCvWswrfVKhgrR1ELf4qNo1nEKOsi9 -----END CERTIFICATE----- subject= issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA --- Acceptable client certificate CA names /DC=local/DC=boingoqa/CN=SKYWARPCA /CN=QATESTDC2.boingoqa.local /DC=local/DC=boingoqa/CN=boingoqaca /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root /O=BOINGO.COM/CN=Certificate Authority /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority /CN=NT AUTHORITY --- SSL handshake has read 3480 bytes and written 601 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: 333C0000854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A Session-ID-ctx: Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1391547347 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- </pre> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF328658" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank"> freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Todd Maugh [<a class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 12:53 PM<br> <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] Creating password sync<br> </font><br> </div> <div> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">I tried changing the password for a user in AD<br> <br> this is what the passsync log shows: <br> <br> <div>02/04/14 12:29:14: Ldap bind error in Connect</div> <div><span class="" style="white-space:pre"></span>81: Can't contact LDAP server</div> <div>02/04/14 12:49:34: Ldap bind error in Connect</div> <div><span class="" style="white-space:pre"></span>81: Can't contact LDAP server</div> <div>02/04/14 12:49:34: Ldap error in QueryUsername</div> <div><span class="" style="white-space:pre"></span>81: Can't contact LDAP server</div> <div>02/04/14 12:49:36: Ldap bind error in Connect</div> <div><span class="" style="white-space:pre"></span>81: Can't contact LDAP server</div> <div>02/04/14 12:49:36: Ldap error in QueryUsername</div> <div><span class="" style="white-space:pre"></span>81: Can't contact LDAP server<br> <br> <br> and you say this is one of many issues with passsync. do you recommend another option?<br> <br> </div> <br> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF807741" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Todd Maugh<br> <b>Sent:</b> Tuesday, February 04, 2014 12:48 PM<br> <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> RE: Creating password sync<br> </font><br> </div> <div> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">but what about the "cant contact LDAP server in the passsync log"<br> <br> and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?<br> <br> thanks<br> <br> <br> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF189373" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 12:45 PM<br> <b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: Creating password sync<br> </font><br> </div> <div> <div class="moz-cite-prefix">On 02/04/2014 01:42 PM, Todd Maugh wrote:<br> </div> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">I have not changed any passwords in AD yet.<br> </div> </blockquote> <br> Then passsync will not have sent anything.<br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"><br> and the users I have in IDM from AD, their passwords are not working<br> </div> </blockquote> <br> Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.<br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"><br> <br> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF355147" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 12:40 PM<br> <b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: Creating password sync<br> </font><br> </div> <div> <div class="moz-cite-prefix">On 02/04/2014 01:20 PM, Todd Maugh wrote:<br> </div> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">my passhook.log file is empty<br> </div> </blockquote> <br> Have you changed any passwords in AD?<br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF268312" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank"> freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Todd Maugh [<a class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 11:56 AM<br> <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: [Freeipa-users] Creating password sync<br> </font><br> </div> <div> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">Im seeing these errors in the passsync.log<br> <br> <span dir="ltr"> <div>32: No such object</div> <div>02/03/14 16:23:40: Ldap error in QueryUsername</div> <div>32: No such object</div> <div>02/03/14 16:57:48: Abandoning password change for scottb, backoff expired</div> <div>02/03/14 16:57:48: Ldap bind error in Connect</div> <div>32: No such object</div> <div>02/03/14 16:57:48: Ldap error in QueryUsername</div> <div>32: No such object</div> <div>02/03/14 18:06:04: Abandoning password change for scottb, backoff expired</div> <div>02/03/14 18:06:04: Ldap bind error in Connect</div> <div>32: No such object</div> <div>02/04/14 10:24:59: PassSync service initialized</div> <div>02/04/14 10:24:59: PassSync service running</div> <div>02/04/14 10:25:00: Ldap bind error in Connect</div> <div>32: No such object</div> <div>02/04/14 10:58:37: Ldap bind error in Connect</div> <div>32: No such object</div> <div>02/04/14 10:58:37: PassSync service stopped</div> <div>02/04/14 10:58:38: PassSync service initialized</div> <div>02/04/14 10:58:38: PassSync service running</div> <div>02/04/14 10:58:39: Ldap bind error in Connect</div> <div>32: No such object</div> <div><br> <br> </div> </span><br> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF24542" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Rich Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 9:19 AM<br> <b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> Re: Creating password sync<br> </font><br> </div> <div> <div class="moz-cite-prefix">On 02/04/2014 10:17 AM, Todd Maugh wrote:<br> </div> <blockquote type="cite"><style id="owaParaStyle" type="text/css">  BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}</style> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">also I have verified the password synchronization service is started and running on the windows 2008 R2 server<br> <br> <br> but I cant tell if or what it is doing because iM not getting passwords to my IDM<br> </div> </blockquote> <a class="moz-txt-link-freetext" href="http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging" target="_blank">http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging</a><br> <br> You can also look at the 389 access log to see if you have connections from the windows box.<br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF273180" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank"> freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Todd Maugh [<a class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a>]<br> <b>Sent:</b> Tuesday, February 04, 2014 9:04 AM<br> <b>To:</b> Rich Megginson; <a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com" target="_blank"> dpal@redhat.com</a><br> <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com" target="_blank"> freeipa-users@redhat.com</a><br> <b>Subject:</b> [Freeipa-users] Creating password sync<br> </font><br> </div> <div> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">Ok, So I have my replication agreement set up.<br> <br> and I see accounts coming in to my IDM server from AD<br> <br> I have followed this guide from redhat <br> <br> <a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html</a><br> <br> to set up my password sync. <br> <br> I get no errors<br> <br> but my passwords are not syncing!<br> <br> Help! the documentation tells o fno way to verify or trouble shoot<br> <br> <br> Thank You<br> <br> -Todd Maugh<br> <a class="moz-txt-link-abbreviated" href="mailto:tmaugh@boingo.com" target="_blank">tmaugh@boingo.com</a><br> </div> </div> </div> </div> </blockquote> <br> </div> </div> </div> </div> </div> </div> </blockquote> <br> </div> </div> </div> </blockquote> <br> </div> </div> </div> </div> </div> </div> </div> </div> </div> </blockquote> <br> </div> </div> </div> </body> </html>