[Freeipa-users] IPA+AD sync error

Shan Kumaraswamy shan.sysadm at gmail.com
Tue Aug 17 11:02:58 UTC 2010


Hi Rich,
After I did all the steps, I am getting this error:


INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to
certificate database for tesipa001.test.com
INFO:root:Restarted directory server tesipa001.test.com
INFO:root:Could not validate connection to remote server
windows.test.ad:636- continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error:
Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports: Update failed! Status: [81  - LDAP error:
Can't contact LDAP server]
INFO:root:Added agreement for other host windows.test.ad

Please help me to fix this issue.

The syntax I used: ipa-replica-manage add --winsync --binddn
CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert
/etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync
"password"



On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins at redhat.com> wrote:

> Shan Kumaraswamy wrote:
>
>> Rich,
>>  While installing IPA it creates its own CA cert, right? (cacert.p12),
>>
> Right.
>
>> and also I did the step of exporting this CA file as dsca.crt.
>>
> Right.  You have to do that so that AD can be an SSL client to the IPA SSL
> server.
>
>> Please let me know the steps to generate the IPA CA and server cert?
>>
> The other part is that you have to install the AD CA cert in IPA so that
> IPA can be the SSL client to the AD SSL server.
>
>
>>
>>  On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>    Shan Kumaraswamy wrote:
>>
>>
>>        Hi,
>>
>>        I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync
>>        with Active Directory (Windows 2008 R2). Can anyone please
>>        share a step-by-step configuration doc with me?
>>        Previously I have done the same exercise, but now it is not
>>        working for me and I am facing a lot of challenges to make this
>>        happen.
>>
>>        Please find the steps exactly as I have done them so far:
>>
>>        1.       Installed RHDS 8.1 and FreeIPA 1.2.1, configured them
>>        properly and tested that they are working fine
>>
>>        2.       On the AD side, installed Active Directory Certificate
>>        Server as an Enterprise Root
>>
>>        3.       Copied the “cacert.p12” file and imported it under
>>        Certificates – Service (Active Directory Domain Services) on
>>        Local Computer using MMC.
>>
>>        4.       Installed the PassSync.msi file and gave all the required
>>        information
>>
>>        5.       Ran the command “certutil -d . -L -n "CA certificate"
>>        -a > dsca.crt” on the IPA server, copied the .crt file to the
>>        AD server and ran these commands from "C:\Program Files\Red
>>        Hat Directory Password Synchronization":
>>
>>        6.       certutil.exe -d . -N
>>
>>        7.       certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i
>>        \path\to\dsca.crt
>>
>>        8.       certutil.exe -d . -L -n "DS CA cert", and rebooted the
>>        AD server.
>>
>>        After these steps, when I try to create the sync agreement from
>>        the IPA server I get this error:
>>
>>                 ldap_simple_bind: Can't contact LDAP server
>>
>>               SSL error -8179 (Peer's Certificate issuer is not
>>        recognized.)
>>
>>        Please share the steps to configure AD Sync with IPA server.
>>
>>
>> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>>
>>    But it looks as though there is a step missing.  If you use MS AD
>>    CA to generate the AD cert, and use IPA to generate the IPA CA and
>>    server cert, then you have to import the MS AD CA cert into IPA.
>>


-- 
Thanks & Regards
Shan Kumaraswamy
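The failing step above is the IPA-to-AD direction of the trust: the IPA host must be able to validate the AD LDAPS certificate with the CA file given to --cacert. The following pre-flight check is an added example, not code from the thread or from FreeIPA; it assumes openssl is installed on the IPA host and reuses the host, port and CA path from the command above as defaults.

```shell
#!/bin/sh
# Pre-flight check for the trust direction IPA -> AD: can this host validate
# the AD LDAPS certificate with the CA file that will be passed to --cacert?
# Defaults are the values from the thread; override via the environment.
AD_HOST="${AD_HOST:-windows.test.ad}"
AD_PORT="${AD_PORT:-636}"
AD_CACERT="${AD_CACERT:-/etc/dirsrv/slapd-TEST-COM/adcert.cer}"

# Extract the numeric "Verify return code" from openssl s_client output.
# 0 means the chain validated against the supplied CA file; 21 means the
# server cert could not be verified (typically the wrong or missing CA),
# 19/20 mean self-signed or unknown issuer (the NSS -8179 case above).
parse_verify_code() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Fetch the AD server's certificate chain over LDAPS and validate it with the
# CA file. Prints the verify code; exit status 0 only when the chain validates.
check_ad_ldaps() {
    out=$(openssl s_client -connect "$AD_HOST:$AD_PORT" -CAfile "$AD_CACERT" \
            -showcerts </dev/null 2>&1)
    code=$(parse_verify_code "$out")
    echo "${code:-unknown}"
    [ "$code" = "0" ]
}

# Constructed samples of the tail of openssl s_client output, used to exercise
# the parser offline (no real server was contacted to produce these lines).
SAMPLE_BAD_OUTPUT='depth=0 CN = windows.test.ad
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_GOOD_OUTPUT='---
    Verify return code: 0 (ok)
---'

# Run against the real AD host only when invoked directly with "check".
[ "${1:-}" = "check" ] && check_ad_ldaps
```

Run it with `AD_CACERT=/path/to/adcert.cer sh preflight.sh check` before `ipa-replica-manage add --winsync`; anything other than 0 means the agreement will fail the same way the log above shows.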