<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/10/2015 12:14 PM, Prady Dash
wrote:<br>
</div>
<blockquote
cite="mid:AMSPR01MB150B5EFB2D11B5DBEF74158DF240@AMSPR01MB150.eurprd01.prod.exchangelabs.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Use Case :<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We have a user
group for VPN, So in a case of DR no one else would able to
use VPN as AD is the SPOF, So what am trying to achieve if
FreeIPA can help to hold the user data for this group might
be temporary so that users could use VPN during AD failure.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Is this
possible ?</span></p>
</div>
</blockquote>
<br>
This would be possible but would require reconfiguration of the VPN
in case of problems with AD.<br>
It would also require for you to do a winsync of the user passwords
keep passwords in sync.<br>
<br>
I am all for you using FreeIPA for this but seems like a much more
work for you than to add another AD instance or use Samba 4 as a
secondary DC.<br>
<br>
<blockquote
cite="mid:AMSPR01MB150B5EFB2D11B5DBEF74158DF240@AMSPR01MB150.eurprd01.prod.exchangelabs.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">/Prady<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US"> Dmitri Pal [<a class="moz-txt-link-freetext" href="mailto:dpal@redhat.com">mailto:dpal@redhat.com</a>]
<br>
<b>Sent:</b> 10 February 2015 17:09<br>
<b>To:</b> Prady Dash; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] LDAP Connection
error while Integrating AD with FreeIPA<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 02/10/2015 11:21 AM, Prady Dash wrote:<span
style="font-size:12.0pt;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Hi,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I am using
the below version :</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">ipa-server-3.0.0-42.el6.x86_64</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">What I want
is to integrate AD with FreeIPA so in case of AD failure
FreeIPA should able to handle the requests( might be
temporary such as cache or something like that ).</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-GB"><br>
This is not the use case that would be easy to make work.<br>
So are you planning to configure SSSD on clients to use AD
and IPA domains in parallel?<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">/Prady</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:EN-GB"
lang="EN-US">
<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Dmitri Pal<br>
<b>Sent:</b> 10 February 2015 16:07<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] LDAP Connection
error while Integrating AD with FreeIPA</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 02/10/2015 10:59 AM, Prady Dash
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am trying to integrate AD with
FreeIPA. I was following the below document.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf">https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">While configuring am facing the below
error.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">[root@appserver2
~]# ipa-replica-manage connect --winsync --binddn
cn=Administrator,cn=users,dc=abc,dc=local --bindpw
XXXXXXX --passsync XXXXXX --passsync XXXXXXX --cacert
/etc/openldap/certs/abc.cer ad.abc.local -v</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">Directory
Manager password:</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000"> </span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">Added CA
certificate /etc/openldap/certs/ abc.cer to
certificate database for appserver2.qinec.com</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">ipa: INFO: AD
Suffix is: DC=abc,DC=local</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">The user for
the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=xyz,dc=com</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">Windows
PassSync entry exists, not resetting password</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">ipa: INFO:
Added new sync agreement, waiting for it to become
ready . . .</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">ipa: INFO:
Replication Update in progress: FALSE: status: -11 -
LDAP error: Connect error: start: 0: end: 0</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">ipa: INFO:
Agreement is ready, starting replication . . .</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">Starting
replication, please wait until this has completed.</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">[appserver2.abc.com]
reports: Update failed! Status: [-11 - LDAP error:
Connect error]</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000">Failed to start
replication</span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span
style="font-size:10.0pt;color:#C00000"> </span></i><o:p></o:p></p>
<p class="MsoNormal">Please suggest.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">/Prady<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
<br>
<br>
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt">This is a
very old documentation.<br>
Please use the latest documentation on the Red Hat portal.<br>
What IPA version and platform are you using?<br>
Do you really want to sync users? Have you considered a
trust? Are you aware of that option which is preferred
now?<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Thank you,<o:p></o:p></pre>
<pre>Dmitri Pal<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Sr. Engineering Manager IdM portfolio<o:p></o:p></pre>
<pre>Red Hat, Inc.<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-GB"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Thank you,<o:p></o:p></pre>
<pre>Dmitri Pal<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Sr. Engineering Manager IdM portfolio<o:p></o:p></pre>
<pre>Red Hat, Inc.<o:p></o:p></pre>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>