[Freeipa-users] consulting?

Rich Megginson rmeggins at redhat.com
Thu Jan 19 22:04:11 UTC 2012


On 01/19/2012 02:59 PM, Jimmy wrote:
> ok. I started from scratch this week on this and I think I've got the 
> right doc and understand better where this is going. My problem now is 
> that when configuring SSL on the AD server (step c in this url: 
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) 
>
> I get this error:
>
> certreq -submit request.req certnew.cer
> Active Directory Enrollment Policy
>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>   ldap:
> RequestId: 3
> RequestId: "3"
> Certificate not issued (Denied) Denied by Policy Module  0x80094801, 
> The request does not contain a certificate template extension or the 
> CertificateTemplate request attribute.
>  The request contains no certificate template information. 0x80094801 
> (-2146875391)
> Certificate Request Processor: The request contains no certificate 
> template information. 0x80094801 (-2146875391)
> Denied by Policy Module  0x80094801, The request does not contain a 
> certificate template extension or the CertificateTemplate request 
> attribute.
>
> The RH doc says to use the browser if an error occurs and IIS is 
> running but I'm not running IIS. I researched that error but didn't 
> find anything that helps with FreeIPA and passsync.
Hmm - try installing Microsoft Certificate Authority in Enterprise Root 
CA mode - it will usually automatically create and install the AD server 
cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
> Jimmy
>
> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 01/11/2012 11:22 AM, Jimmy wrote:
>>     We need to be able to replicate user/pass between Windows 2008 AD
>>     and FreeIPA.
>
>     That's what IPA Windows Sync is supposed to do.
>
>
>>     I have followed many different documents and posted here about it
>>     and from what I've read and procedures I've followed we are
>>     unable to accomplish this.
>
>     What have you tried, and what problems have you run into?
>
>>     It doesn't need to be a full trust.
>>
>>     Thanks
>>
>>     On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com> wrote:
>>
>>         > Just wondering if there was anyone listening on the list
>>         that might be
>>         > available for little work integrating FreeIPA with Active
>>         Directory
>>         > (preferably in the south east US.) I hope this isn't
>>         against the list
>>         > rules, I just thought one of you guys could help or point
>>         me in the right
>>         > direction.
>>
>>         If you want some help, it is certainly not against list rules
>>         ;-) But in that
>>         case, it would be much better if you asked what exactly do
>>         you need.
>>
>>         I'm not an AD expert, but a couple tips: If you are looking
>>         for cross-domain
>>         (cross-realm) trust, then you might be a bit disappointed, it
>>         is still in
>>         development, so it probably won't be 100% functional at this
>>         moment.
>>
>>         If you are looking for something else, could you be a little
>>         more specific what
>>         it is?
>>
>>         I also recommend starting with reading some doc:
>>         http://freeipa.org/page/DocumentationPortal
>>
>>         Thanks
>>         Jan
>>
