<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello Hugh,<br>
<br>
Could you tell us the version of 389-ds-base the PassSync is trying
to access? If the directory server is not new enough (389-ds-base-<strong><a
href="http://www.port389.org/docs/389ds/releases/release-1-3-2-26.html"><span
class="caps">1.3.2.26</span></a></strong> or 389-ds-base-<strong><a
href="http://www.port389.org/docs/389ds/releases/release-1-3-3-8.html"><span
class="caps">1.3.3.8</span></a></strong>), could you please
try setting the following environment variable on the Windows
machine on which PassSync is running?<br>
<blockquote><a class="moz-txt-link-freetext" href="http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html">http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html</a><br>
<p>PassSync <span class="caps">1.1.6</span> supports <span
class="caps">TLS</span> version <span class="caps">1.1</span>
and newer <span class="caps">SSL</span> versions supported by <span
class="caps">NSS.</span> SSLv3 is disabled by default. To
force SSLv<span class="caps">3.0</span> to be enabled, the
environment variable
LDAPSSL_ALLOW_OLD_SSL_<span class="caps">VERSION</span> has to
be set to some non-<span class="caps">NULL</span> value.</p>
<p>In Computer | Properties | Advanced system settings |
Environment Variables | System variables,
add variable: LDAPSSL_ALLOW_OLD_SSL_<span class="caps">VERSION</span>,
value: 1</p>
</blockquote>
Thanks,<br>
--noriko<br>
<blockquote cite="mid:54E4E34A.1070300@redhat.com" type="cite">
<div class="moz-forward-container"> -------- Forwarded Message
--------
<table class="moz-email-headers-table" border="0"
cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>[Freeipa-users] Passsync fails to connect to LDAP</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date:
</th>
<td>Tue, 17 Feb 2015 13:55:52 -0600</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From:
</th>
<td>Hugh <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:api@psychopig.com">&lt;api@psychopig.com&gt;</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div dir="ltr">
<div>All,</div>
<div> </div>
<div>After my education on what IPA/AD trusts can and can't
do, I decided to give the IPA-AD sync option a try. After
finally finding what I think is the proper software to
install on the AD DC (389-PassSync-1.1.6-x86_64.exe from
the Fedora site), I believe I have the settings correct, but
the Password Synchronization software refuses to connect.
After changing the Log Level option to 1, I get the below in
the log file, which doesn't really tell me much of anything.</div>
<div> </div>
<div>02/17/15 13:18:20: Backoff time expired. Attempting sync<br>
02/17/15 13:18:20: Password list has 1 entries<br>
02/17/15 13:18:20: Ldap bind error in Connect<br>
81: Can't contact LDAP server<br>
02/17/15 13:18:20: Attempting to sync password for ADSERVER$<br>
02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)<br>
02/17/15 13:18:20: Ldap error in QueryUsername<br>
81: Can't contact LDAP server<br>
02/17/15 13:18:20: Deferring password change for ADSERVER$<br>
02/17/15 13:18:20: Backing off for 256000ms<br>
</div>
<div>The credentials are definitely correct and IPA is set up
to do LDAPS as, on the same AD server, I can connect and
bind using ldp.exe with the same settings/credentials and
I'm able to browse the LDAP tree. I've done a wireshark
capture and it looks like it's failing in the TLS
negotiation. I can see this entry in the capture:</div>
<div> </div>
<div>TLSv1 Record Layer: Alert (Level: Fatal, Description:
Protocol Version)</div>
<div>Content Type: Alert (21)</div>
<div>Version: TLS 1.2 (0x0303)</div>
<div>Length: 2</div>
<div>Alert Message</div>
<div>Level: Fatal (2)</div>
<div>Description: Protocol Version (70)</div>
<div> </div>
<div>I added the IPA CA cert to the cert files in the 389
PassSync directory and I can confirm that as below.</div>
<div> </div>
<div>C:\Program Files\389 Directory Password
Synchronization>certutil -d . -L</div>
<div>Certificate Nickname Trust Attributes<br>
SSL,S/MIME,JAR/XPI<br>
IPA CA cert CT,,</div>
<div> </div>
<div>When I list that specific certificate, I can see the
below in the output. </div>
<div> </div>
<div> Certificate Trust Flags:<br>
SSL Flags:<br>
Valid CA<br>
Trusted CA<br>
Trusted Client CA<br>
Email Flags:<br>
Object Signing Flags:</div>
<div> </div>
<div>Any pointers/ideas?</div>
<div> </div>
<div>Thanks in advance,</div>
<div> </div>
<div>Hugh</div>
<div> </div>
</div>
<br>
</div>
<br>
</blockquote>
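<p>The fatal alert in Hugh's capture can be confirmed directly from the record bytes. The decoder below is an added example, not part of this thread or of PassSync; the record bytes are constructed to match the fields quoted from the capture (Alert 21, TLS 1.2, length 2, Fatal, Protocol Version 70), and the alert-description table is a subset of the RFC 5246 values.</p>

```python
"""Decode a plaintext TLS alert record such as the one in the capture above.

Added example (not from the mailing-list thread): parses the 5-byte TLS
record header and the 2-byte alert body so the failure can be confirmed
as a protocol_version alert (70) from raw bytes.
"""
import struct

CONTENT_ALERT = 21  # ContentType.alert
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 AlertDescription registry.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
}


def parse_alert_record(data: bytes) -> dict:
    """Return the decoded fields of an unencrypted TLS alert record."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != CONTENT_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = data[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = body  # iterating bytes yields ints
    return {
        "record_version": TLS_VERSIONS.get(version, f"0x{version:04x}"),
        "level": ALERT_LEVELS.get(level, str(level)),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
    }


def diagnose(data: bytes) -> str:
    """Turn the alert into the one-line finding an administrator acts on."""
    a = parse_alert_record(data)
    if a["code"] == 70:
        return ("protocol_version: the peer refused the offered TLS/SSL "
                "version; compare the client's and server's supported versions")
    return f"{a['level']} alert {a['description']} ({a['code']})"


# Constructed bytes matching the capture: alert(0x15), TLS 1.2 (0x0303),
# length 2, level fatal(0x02), description protocol_version(0x46 = 70).
CAPTURED_ALERT = bytes.fromhex("15 0303 0002 02 46")

if __name__ == "__main__":
    print(parse_alert_record(CAPTURED_ALERT))
    print(diagnose(CAPTURED_ALERT))
```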
<br>
</body>
</html>