[Freeipa-users] solved: here are some additional passsync notes

Nate Marks npmarks at gmail.com
Mon Dec 24 16:13:10 UTC 2012 

I'd love some feedback on these. They seemed to work for me.Thanks!


Introduction
This guide starts at the point where your freeipa server is correctly
replicating accounts from a windows active directory server.  The following
steps are intended to help you roll out the passync software to all of your
domain controllers.  Detailed descriptions of how the software works are
available from people far more competent than myself.  I’m just covering
some installation tips.  One thing that really screwed me up is that there
are great passsync docs for 389 directory server and great passsync docs
for freeipa server.  They are similar.  They are NOT interchangeable.  When
using freeipa server stick with freeipa docs .  I know this seems obvious,
but when passsync doesn’t work the first time, my instinct is to cast about
on google for things that seem to be related.  When you find the 389 server
docs under those circumstances and try to apply them  to freeipa, you find
a rathole.

Getting started:

It’s theoretically possible to get the passsync to work on the first
attempt.  I’ve just never  done it.  In order for that to work, you have to
have exactly the right values  ready  to go when you run the passsync
installer. The installer has input fields for the following items:

verifying the hostname, username password and search base values
hostname: <FQDN of the freeipa server>
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx>
password: <password>
cert token :  tried it with and without the
/etc/dirsrv/slapd-instance/pwdfile.txt contents
serach base=cn=users,cn=accounts,dc=inframax,dc=ncare

The best tool I found in windows for checking the passsync installation
settings is ldp.
First I’ll talk about verifying the easy stuff (hostname, username,
password, search base).  run notepad on the windows server and put in the
values you’re going to use before running the passsync installer.  Then run
ldp.exe and use the values from notepad  and the steps below to verify the
hostname, username, password and search base.

ldp.exe
connection > connect
enter the freeipa server hostname in the server field
enter port 636 (non-ssl port) in the port field
check the SSL box
click OK


connection > bind
select the 'simple bind' radio button
enter the DN for the passsync account on the freeipa server in the
userfield.  this is
"uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>"  by default
enter the password for the passsync account in the password field
click ok

select view > tree and make sure you can browse the tree  in the ipa
server. browse to the subtree that you're going to use for search base and
make sure you
see your replicated accounts in that container.
if you can, then the values  you used for the hostname, username, password
and search base are all correct.  It also means that the ca.crt file you
imported for ldap account syunchronization is working correctly.

NOTE:  I left cert token empty.  it seems to be used for encrypting the
certificate db in c:\program files\389 directory password synchronization.
 That can be done after you get password synchronization working.

Installing Passsync:
Now we’ve done a bunch of work to  check our values, but we haven’t
accomplished anything.  So go ahead and run the passsync msi installer and
enter  your values into the appropriate fields.

The installer will create files, directories and registry stuff, but we’re
not  nearly done.

Step 5 in the link below seems to have the correct steps.   Be sure to
import the same certificate that you imported in the account
synchronization process.  I got mine  with wget
http://<iapserver>/ipa/config/ca.crt.


https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html



One mroe thing before rebooting, use regedit to change the value of
HKLM->Software->PasswordSync  “Log Level” from 0 to 1. If everything works
and you don’t need it, great!

If the stars line up, you’ve put good values into the passsync installer,
imported the freeipa servers certificate into the cert DB that passsync
uses and the installer registered a new  dll to capture password change
events.  You need to reboot the server to get the dll registration to take
effect.
After it restarts,  change the password on an account that’s being
replicated to free ipa.  use notepad to open the file c:\program files\389
directory password synchronization\ passsync.txt
if the passhook.dll is working correctly, you’ll see an entry like:
‘1 new entries loaded from data file’


If ssl is working correctly, you’ll be able to log into the freeipa server
with the test account  and newly changed password.

Ifit doesn’t work, verify your cert and your values with ldp.exe.  I just
don’t have anything better that that yet.


This takes me to the point where I’d love more tools to troubleshoot the
problem.

Other things I’ve tried:
1) UAC.  I disable it, but I’d love some feedback on whether or not that’s
required on win 2k8R2.
2) some of my DCs have certificate services installed and some don’t.  I
don’t think any of that matters  or passsync, but I’d love feedback there
too.
3)  Here are the details on the 389 directory server steps that screwed me
up.:

I found these steps for exporting cert from the linux  that apparently
apply to 389 and not to freeipa(
http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and they really
screwed me up with freeipa:
***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
cd /usr/lib/dirsrv/slapd-instance_name
certutil -d . -L -n "CA certificate" -a > dsca.crt
# NOTE - it might not be called CA certificate - use certutil -d . -L to
list your certs
***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***

instead, just use the process that worked for the account replication setup.
just use the ca.crt from
http://<ipaserver>/ipa/config/ac.crt<http://ipaserver/ipa/config/ac.crt>
.

The steps don’t throw any errors, but that certificate didn’t work for me.
  It may be a little obvious, but it only worked if I  imported the same
cert file used in the replication process.  I got that file
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20121224/9cc7ad0f/attachment.htm>

More information about the Freeipa-users mailing list