[Freeipa-users] solved: here are some additional passsync notes
Rich Megginson
rmeggins at redhat.com
Fri Dec 28 20:40:45 UTC 2012
On 12/24/2012 09:13 AM, Nate Marks wrote:
> I'd love some feedback on these. They seemed to work for me.Thanks!
>
>
> Introduction
> This guide starts at the point where your freeipa server is correctly
> replicating accounts from a windows active directory server. The
> following steps are intended to help you roll out the passync software
> to all of your domain controllers. Detailed descriptions of how the
> software works are available from people far more competent than
> myself. I'm just covering some installation tips. One thing that
> really screwed me up is that there are great passsync docs for 389
> directory server and great passsync docs for freeipa server. They are
> similar. They are NOT interchangeable. When using freeipa server
> stick with freeipa docs . I know this seems obvious, but when
> passsync doesn't work the first time, my instinct is to cast about on
> google for things that seem to be related. When you find the 389
> server docs under those circumstances and try to apply them to
> freeipa, you find a rathole.
Fixed - see below.
>
> Getting started:
>
> It's theoretically possible to get the passsync to work on the first
> attempt. I've just never done it. In order for that to work, you
> have to have exactly the right values ready to go when you run the
> passsync installer. The installer has input fields for the following
> items:
>
> verifying the hostname, username password and search base values
> hostname: <FQDN of the freeipa server>
> port: 636
> username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx>
> password: <password>
> cert token : tried it with and without the
> /etc/dirsrv/slapd-instance/pwdfile.txt contents
Right - not needed
> serach base=cn=users,cn=accounts,dc=inframax,dc=ncare
>
> The best tool I found in windows for checking the passsync
> installation settings is ldp.
> First I'll talk about verifying the easy stuff (hostname, username,
> password, search base). run notepad on the windows server and put in
> the values you're going to use before running the passsync installer.
> Then run ldp.exe and use the values from notepad and the steps below
> to verify the hostname, username, password and search base.
>
> ldp.exe
> connection > connect
> enter the freeipa server hostname in the server field
> enter port 636 (non-ssl port) in the port field
636 is the SSL port
Does ldp have an option for StartTLS?
> check the SSL box
> click OK
>
>
> connection > bind
> select the 'simple bind' radio button
> enter the DN for the passsync account on the freeipa server in the
> userfield. this is
> "uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>" by
> default
> enter the password for the passsync account in the password field
> click ok
>
> select view > tree and make sure you can browse the tree in the ipa
> server. browse to the subtree that you're going to use for search base
> and make sure you
> see your replicated accounts in that container.
> if you can, then the values you used for the hostname, username,
> password and search base are all correct. It also means that the
> ca.crt file you imported for ldap account syunchronization is working
> correctly.
>
> NOTE: I left cert token empty. it seems to be used for encrypting
> the certificate db in c:\program files\389 directory password
> synchronization. That can be done after you get password
> synchronization working.
Right - it is not needed
>
> Installing Passsync:
> Now we've done a bunch of work to check our values, but we haven't
> accomplished anything. So go ahead and run the passsync msi installer
> and enter your values into the appropriate fields.
>
> The installer will create files, directories and registry stuff, but
> we're not nearly done.
>
> Step 5 in the link below seems to have the correct steps. Be sure to
> import the same certificate that you imported in the account
> synchronization process. I got mine with wget
> http://<iapserver>/ipa/config/ca.crt.
>
> https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html
>
>
>
> One mroe thing before rebooting, use regedit to change the value of
> HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything
> works and you don't need it, great!
>
> If the stars line up, you've put good values into the passsync
> installer, imported the freeipa servers certificate into the cert DB
> that passsync uses and the installer registered a new dll to capture
> password change events. You need to reboot the server to get the dll
> registration to take effect.
> After it restarts, change the password on an account that's being
> replicated to free ipa. use notepad to open the file c:\program
> files\389 directory password synchronization\ passsync.txt
> if the passhook.dll is working correctly, you'll see an entry like:
> '1 new entries loaded from data file'
>
>
> If ssl is working correctly, you'll be able to log into the freeipa
> server with the test account and newly changed password.
>
> Ifit doesn't work, verify your cert and your values with ldp.exe. I
> just don't have anything better that that yet.
>
>
> This takes me to the point where I'd love more tools to troubleshoot
> the problem.
>
> Other things I've tried:
> 1) UAC. I disable it, but I'd love some feedback on whether or not
> that's required on win 2k8R2.
> 2) some of my DCs have certificate services installed and some don't.
> I don't think any of that matters or passsync, but I'd love feedback
> there too.
It doesn't matter, as long as the Active Directory is using TLS/SSL
somehow, and you have access to the CA cert of the CA that issued the
Active Directory Server cert.
> 3) Here are the details on the 389 directory server steps that
> screwed me up.:
>
> I found these steps for exporting cert from the linux that apparently
> apply to 389 and not to
> freeipa(http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and
> they really screwed me up with freeipa:
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
> cd /usr/lib/dirsrv/slapd-instance_name
> certutil -d . -L -n "CA certificate" -a > dsca.crt
> # NOTE - it might not be called CA certificate - use certutil -d . -L
> to list your certs
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
I think the problem is that it tells you to use
/usr/lib/dirsrv/slapd-INST which is bogus - it should be
/etc/dirsrv/slapd-INST - I've fixed the wiki page
>
> instead, just use the process that worked for the account replication
> setup.
> just use the ca.crt from http://<ipaserver>/ipa/config/ac.crt
> <http://ipaserver/ipa/config/ac.crt>.
this is probably simpler and will work from the windows machine as well
>
> The steps don't throw any errors, but that certificate didn't work for
> me. It may be a little obvious, but it only worked if I imported
> the same cert file used in the replication process. I got that file
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20121228/c6f19c73/attachment.htm>
More information about the Freeipa-users
mailing list