[Freeipa-users] working on an expanded/updated guide for freeipa and passsync

Nate Marks npmarks at gmail.com
Sun Dec 23 17:38:30 UTC 2012


I apologize if this is just too much text, but I've had some struggles and
I'm hoping to make things better for myself and others at the same time.
I'd love to have some feedback here. I've gotten passsync to work once in
a lab and never in production.



Introduction
This guide starts at the point where your FreeIPA server is correctly
replicating accounts from a Windows Active Directory server. The following
steps are intended to help you roll out the passsync software to all of your
domain controllers. Detailed descriptions of how the software works are
available from people far more competent than myself. I'm just covering
some installation tips.


Before you begin
One thing I think is missing is adequate tools for testing SSL on the
Windows side. It's just as likely that I simply don't know what tools are
available. In fact the article below seems to suggest that there's a way
to run openssl.exe s_client on a Windows machine. Not sure where that
executable would come from.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

The thing I think is really missing is the ability to do ldapsearch with
-zz using the certificate database in the c:\program files\389 directory
password synchronization\ directory. I suspect that would be the best
test. I think that's where I fall on my face the most.

I hope someone can help me figure that part out a little better.


Getting started:

It's theoretically possible to get passsync to work on the first
attempt. I've just never done it. In order for that to work, you have to
have exactly the right values ready to go when you run the passsync
installer. The installer has input fields for the following items:

hostname: <FQDN of the freeipa server>
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx>
password: <password>
cert token: tried it with and without the
/etc/dirsrv/slapd-instance/pwdfile.txt contents
search base: cn=users,cn=accounts,dc=inframax,dc=ncare

Verifying the hostname, username, password and search base values:


First I'll talk about verifying the easy stuff (hostname, username,
password, search base). Run Notepad on the Windows server and put in the
values you're going to use before running the passsync installer. Then run
ldp.exe and use the values from Notepad and the steps below to verify the
hostname, username, password and search base. This connection is a non-SSL
connection but it's a start.

ldp.exe
connection > connect
enter the freeipa server hostname in the server field
enter port 389 (the non-SSL port) in the port field
uncheck the SSL box
click OK


connection > bind
select the 'simple bind' radio button
enter the DN for the passsync account on the freeipa server in the
user field. This is
"uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>" by default
enter the password for the passsync account in the password field
click OK

select view > tree and make sure you can browse the tree in the ipa
server. Browse to the subtree that you're going to use for the search base and
make sure you see your replicated accounts in that container.
If you can, then the values you used for the hostname, username, password
and search base are all correct.

Moving on: assuming you've verified all four values you stashed in Notepad,
I'll talk through the remaining values:
1) the first four values are useless by themselves. passsync won't work
without SSL and if it did, it probably shouldn't (someone correct this if
I'm wrong please)
2) the port for ldaps (LDAP over SSL) is 636 by default. Unless you have some
good reason to change that port, just use it.
3) cert token: I think the only valid value for this field comes from the
file on the freeipa server (/etc/dirsrv/slapd-instance/pwdfile.txt). What I
don't know is if I can break passsync by entering it when it's not needed.
The docs say to leave it empty to begin. I also don't know if I can
change that value just by entering it into the registry and restarting the
passsync service. Honestly, I'm not even sure how to figure out if I need
it. Hopefully someone will enlighten me.

Installing Passsync:
Now we've done a bunch of work to check our values, but we haven't
accomplished anything. So go ahead and run the passsync msi installer and
enter your values into the appropriate fields.

The installer will create files, directories and registry entries, but we're
not nearly done.

Step 5 in the link below looks like the correct next step but this is where
my confidence starts to collapse. I've gotten passsync to work exactly
once and have had at least one case where I appear to have an SSL problem
that I just can't figure out.

https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html

This other link seems to have more detailed instructions for the same
import step, but I can't say they helped me either:
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

One more thing before rebooting: use regedit to change the value of
HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works
and you don't need it, great!

If the stars line up, you've put good values into the passsync installer,
imported the FreeIPA server's certificate into the cert DB that passsync
uses and the installer registered a new dll to capture password change
events. You need to reboot the server to get the dll registration to take
effect.
After it restarts, change the password on an account that's being
replicated to FreeIPA. Use Notepad to open the file c:\program files\389
directory password synchronization\passsync.txt
If passhook.dll is working correctly, you'll see an entry like:
'1 new entries loaded from data file'


If SSL is working correctly, you'll be able to log into the FreeIPA server
with the test account and newly changed password.

It seems more common that I end up with:
ldp bind error in connet
81: can’t contact ldap server
Can not connect to ldap server in Syncpasswords.


This takes me to the point where I’d love more tools to troubleshoot the
problem.

Other things I’ve tried:
1) UAC. I disable it, but I'd love some feedback on whether or not that's
required on Win 2k8R2.
2) some of my DCs have certificate services installed and some don't. I
don't think any of that matters for passsync, but I'd love feedback there
too.
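
The ldp.exe walk-through in the post checks the four plain values by hand. As an added example (not part of the post above and not PassSync project code), the PowerShell function below does the same check from the domain controller with System.DirectoryServices.Protocols, and with -UseSsl repeats it over port 636, which is the connection PassSync itself makes. The server name, bind DN, search base and test account are placeholders. One caveat: the LDAPS variant validates the FreeIPA certificate against the Windows certificate store, not against the NSS database in the PassSync directory, so a pass here proves the host, port, credentials and search base, not that PassSync's own cert DB trusts the server.

```powershell
# Added example, not code from the original post or the PassSync project.
# Checks the PassSync installer values (host, bind DN, password, search base)
# from the Windows DC. Server names, DNs and account names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-PassSyncLdap {
    param(
        [Parameter(Mandatory)][string]$Server,          # FQDN of the FreeIPA server
        [Parameter(Mandatory)][string]$BindDn,          # uid=passsync,cn=sysaccounts,cn=etc,dc=...
        [Parameter(Mandatory)][securestring]$Password,  # the passsync sysaccount password
        [Parameter(Mandatory)][string]$SearchBase,      # cn=users,cn=accounts,dc=...
        [Parameter(Mandatory)][string]$TestUser,        # uid of an account already synced from AD
        [switch]$UseSsl                                 # off: port 389 as in the ldp.exe check; on: 636 as PassSync uses
    )
    $port   = if ($UseSsl.IsPresent) { 636 } else { 389 }
    $result = [ordered]@{ Target = "${Server}:$port"; Bound = $false; TestUserFound = $false; Error = $null }

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $port
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $BindDn, $Password
    # AuthType Basic is an LDAP simple bind, the same thing as ldp.exe's "simple bind" radio button.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id, $cred, ([System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl.IsPresent   # LDAPS on 636; cert checked against the Windows store
    $conn.Timeout = [TimeSpan]::FromSeconds(10)

    try {
        $conn.Bind()
        $result.Bound = $true

        # Ask for one known replicated account directly under the search base: finding it
        # proves the base is the container holding the synced users, as the tree view does.
        $scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $SearchBase, "(uid=$TestUser)", $scope, 'uid'
        $resp  = $conn.SendRequest($req)
        $result.TestUserFound = ($resp.Entries.Count -eq 1)
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 81 (LDAP_SERVER_DOWN) is the "81: can't contact ldap server" that passsync.txt shows;
        # 49 is invalid credentials, i.e. a wrong DN or password.
        $result.Error = "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Bind succeeded but the search did not, e.g. NoSuchObject for a mistyped search base.
        $result.Error = "Search failed: $($_.Exception.Response.ResultCode)"
    }
    finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Usage: run once over 389 (what ldp.exe checked), then with -UseSsl over 636 (what PassSync does).
#   $pw = Read-Host -AsSecureString 'passsync password'
#   Test-PassSyncLdap -Server ipa.example.test -BindDn 'uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=test' `
#       -Password $pw -SearchBase 'cn=users,cn=accounts,dc=example,dc=test' -TestUser jdoe
#   Test-PassSyncLdap -Server ipa.example.test -BindDn '...' -Password $pw -SearchBase '...' -TestUser jdoe -UseSsl
```

Bound = True with TestUserFound = False means the DN and password are right but the search base is not the container the replicated accounts live in; an error of 81 on the -UseSsl run only, after a clean run on 389, points at the TLS side rather than at the values.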
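
When the outcome is the "81: can't contact ldap server" entry quoted in the post, the open questions are whether TCP and TLS to port 636 work at all, which CA the FreeIPA certificate chains to, and whether that CA is in the NSS database PassSync reads. As an added example (not the post's or the project's code), these PowerShell functions run the handshake with SslStream, report what Windows thinks of the certificate, list the PassSync NSS database with the certutil.exe that ships in its install directory (the tool the linked 389 HOWTO uses for the import), pull the relevant lines from passsync.txt and set the Log Level value the post mentions. The install directory, log file name and registry key are the ones given in the post; the server name is a placeholder. The Windows chain verdict is informational only: PassSync validates against its own NSS database, not the Windows store, so the useful output is the issuer chain and whether the name matches.

```powershell
# Added example, not from the original post: TLS, cert DB and log diagnostics for a
# PassSync host that logs "81: can't contact ldap server". Paths and the registry key
# follow the post; the server name is a placeholder.
$InstallDir = 'C:\Program Files\389 Directory Password Synchronization'   # from the post

function Get-LdapsCertificateReport {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $script:policyErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)          # a failure here is DNS or firewall, not certificates
    $stream = $tcp.GetStream()

    # Accept whatever the server presents so the handshake completes, but record what
    # Schannel would have rejected (name mismatch, untrusted chain, ...).
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslErrors)
        $script:policyErrors = $sslErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $cb
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # Build the chain as Windows sees it. The subject of the top element is the CA that
        # has to be present (with a CT trust flag) in PassSync's NSS database as well.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $windowsTrusts = $chain.Build($cert)
        $nameMismatch  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Protocol      = $ssl.SslProtocol
            NameMatches   = ([int]($script:policyErrors -band $nameMismatch)) -eq 0
            WindowsTrusts = $windowsTrusts
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            TopOfChain    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Get-PassSyncNssCerts {
    # List PassSync's own NSS database with the NSS certutil.exe in its install directory.
    # Call it by full path: Windows has an unrelated certutil.exe on PATH.
    Push-Location $InstallDir
    try { & "$InstallDir\certutil.exe" -L -d . } finally { Pop-Location }
}

function Get-PassSyncLogSummary {
    # The line the post says to look for in passsync.txt, plus the failure signatures it quotes.
    $log = Join-Path $InstallDir 'passsync.txt'
    if (-not (Test-Path $log)) { return "no log file at $log" }
    Select-String -Path $log -Pattern 'entries loaded from data file', 'bind error', 'Can not connect' |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
}

function Set-PassSyncLogLevel {
    # The post's regedit step, scripted. Needs an elevated shell; passing a string keeps the
    # value's existing type. Restart PassSync (or reboot, as the post does) afterwards.
    param([ValidateSet('0', '1')][string]$Level = '1')
    $key = 'HKLM:\SOFTWARE\PasswordSync'
    Set-ItemProperty -Path $key -Name 'Log Level' -Value $Level
    Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*   # show what the installer wrote
}

# Usage:
#   Get-LdapsCertificateReport -Server ipa.example.test
#   Get-PassSyncNssCerts
#   Get-PassSyncLogSummary
#   Set-PassSyncLogLevel -Level 1
```

Read the two certificate listings side by side: the TopOfChain subject from the handshake should appear in the certutil output with a trust flag, and NameMatches should be True for the exact host name typed into the installer. A successful handshake with NameMatches = False means the installer was given a name the FreeIPA certificate does not carry, which is a TLS failure even though the port answers.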