<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/17/2015 12:55 PM, Hugh wrote:<br>
</div>
<blockquote
cite="mid:CAOc28g76i1agptCViCH6PoaUkrZCEUwUiqbtc4vUGkRP4f3Mmw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>All,</div>
<div> </div>
<div>After my education on what IPA/AD trusts can and can't do,
I decided to give the IPA-AD sync option a try. After finally
finding what I think is the proper software to install on the
AD DC (389-PassSync-1.1.6-x86_64.exe from the Fedora site), I
believe I have the settings correct, but the Password
Synchronization software refuses to connect. After changing
the Log Level option to 1, I get the below in the log file,
which doesn't really tell me much of anything.</div>
</div>
</blockquote>
<br>
<blockquote
cite="mid:CAOc28g76i1agptCViCH6PoaUkrZCEUwUiqbtc4vUGkRP4f3Mmw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div> </div>
<div>02/17/15 13:18:20: Backoff time expired. Attempting sync<br>
02/17/15 13:18:20: Password list has 1 entries<br>
02/17/15 13:18:20: Ldap bind error in Connect<br>
81: Can't contact LDAP server<br>
02/17/15 13:18:20: Attempting to sync password for ADSERVER$<br>
02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)<br>
02/17/15 13:18:20: Ldap error in QueryUsername<br>
81: Can't contact LDAP server<br>
02/17/15 13:18:20: Deferring password change for ADSERVER$<br>
02/17/15 13:18:20: Backing off for 256000ms<br>
</div>
<div>The credentials are definitely correct and IPA is set up to
do LDAPS as, on the same AD server, I can connect and bind
using ldp.exe with the same settings/credentials and I'm able
to browse the LDAP tree. I've done a wireshark capture and it
looks like it's failing in the TLS negotiation. I can see this
entry in the capture:</div>
<div> </div>
<div>TLSv1 Record Layer: Alert (Level: Fatal, Description:
Protocol Version)</div>
<div>Content Type: Alert (21)</div>
<div>Version: TLS 1.2 (0x0303)</div>
<div>Length: 2</div>
<div>Alert Message</div>
<div>Level: Fatal (2)</div>
<div>Description: Protocol Version (70)</div>
</div>
</blockquote>
<br>
What version of 389-ds-base are you using?<br>
<br>
# rpm -q 389-ds-base<br>
<br>
<br>
<blockquote
cite="mid:CAOc28g76i1agptCViCH6PoaUkrZCEUwUiqbtc4vUGkRP4f3Mmw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div> </div>
<div>I added the IPA CA cert to the cert files in the 389
passsynch directory and I can confirm that as below. </div>
<div> </div>
<div>C:\Program Files\389 Directory Password
Synchronization>certutil -d . -L</div>
<div>Certificate
Nickname Trust
Attributes<br>
SSL,S/MIME,JAR/XPI</div>
<div>IPA CA
cert CT,,</div>
<div> </div>
<div> </div>
<div>When I list that specific certificate, I can see the below
in the output. </div>
<div> </div>
<div> Certificate Trust Flags:<br>
SSL Flags:<br>
Valid CA<br>
Trusted CA<br>
Trusted Client CA<br>
Email Flags:<br>
Object Signing Flags:</div>
<div> </div>
<div> </div>
<div> </div>
<div>Any pointers/ideas?</div>
<div> </div>
<div>Thanks in advance,</div>
<div> </div>
<div>Hugh</div>
<div> </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>