[Freeipa-users] IPA+AD sync error
Shan Kumaraswamy
shan.sysadm at gmail.com
Tue Aug 17 11:02:58 UTC 2010
Hi Rich,
After I did all the steps, I am getting this error:
INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to
certificate database for tesipa001.test.com
INFO:root:Restarted directory server tesipa001.test.com
INFO:root:Could not validate connection to remote server
windows.test.ad:636- continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error:
Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports: Update failed! Status: [81 - LDAP error:
Can't contact LDAP server]
INFO:root:Added agreement for other host windows.test.ad
Please help me to fix this issue.
The syntex I used: ipa-replica-manage add --winsync --binddn
CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert
/etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync
"password"
On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> Shan Kumaraswamy wrote:
>
>> Rich,
>> While installing IPA its creates its won CA cert right? (cacert.p12),
>>
> Right.
>
> and also I done the setep of export this CA file as dsca.crt.
>>
> Right. You have to do that so that AD can be an SSL client to the IPA SSL
> server.
>
> Please let me know steps to generate the IPA CA and server cert?
>>
> The other part is that you have to install the AD CA cert in IPA so that
> IPA can be the SSL client to the AD SSL server.
>
>
>>
>> On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com<mailto:
>> rmeggins at redhat.com>> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>>
>> Hi,
>>
>> I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync
>> with Active Directory (windows 2008 R2). Can please anyone
>> have step-by-step configuration doc and share to me?
>> Previously I have done the same exercise, but now that is not
>> working for me and I am facing lot of challenges to make this
>> happen.
>>
>> Please find the steps what exactly I done so for:
>>
>> 1. Installed RHDS 8.1 and FreeIPA 1.2.1 and configured
>> properly and tested its working fine
>>
>> 2. In AD side, installed Active Directory certificate
>> Server as a Enterprise Root
>>
>> 3. Copy the “cacert.p12” file and imported under
>> Certificates –Service (Active Directory Domain service) on
>> Local Computer using MMC.
>>
>> 4. Installed PasSync.msi file and given all the required
>> information
>>
>> 5. Run the command “certutil -d . -L -n "CA certificate"
>> -a > dsca.crt” from IPA server and copied the .crt file in to
>> AD server and ran this command from “cd "C:\Program Files\Red
>> Hat Directory Password Synchronization"
>>
>> 6. certutil.exe -d . -N
>>
>> 7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i
>> \path\to\dsca.crt
>>
>> 8. certutil.exe -d . -L -n "DS CA cert" and rebooted the
>> AD server.
>>
>> After this steps, when try to create sync agreement from IPA
>> server I am getting this error:
>>
>> ldap_simple_bind: Can't contact LDAP server
>>
>> SSL error -8179 (Peer's Certificate issuer is not
>> recognized.)
>>
>> Please share the steps to configure AD Sync with IPA server.
>>
>>
>> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>>
>> But it looks as though there is a step missing. If you use MS AD
>> CA to generate the AD cert, and use IPA to generate the IPA CA and
>> server cert, then you have to import the MS AD CA cert into IPA.
>>
>>
>>
>> -- Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>>
>>
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>
--
Thanks & Regards
Shan Kumaraswamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20100817/02f46c7a/attachment.htm>
More information about the Freeipa-users
mailing list