[Freeipa-users] consulting?

Jimmy g17jimmy at gmail.com
Fri Jan 20 19:46:12 UTC 2012 

Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmeggins at redhat.com>wrote:

> **
> On 01/20/2012 10:23 AM, Jimmy wrote:
>
> You are correct. I had installed as an Enterprise root, but the doc I was
> reading(original link) seemed to say that I had to do the certreq manually,
> my bad. I think I'm getting closer I can establish an openssl connection
> from DS to AD but I get these errors:
>
>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
> dsca.crt
> CONNECTED(00000003)
> depth=0 CN = csp-ad.cspad.pdh.csp
>  verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
>  I thought I had imported the cert from AD but it doesn't seem so. I'm
> still researching but if you guys have a suggestion let me know.
>
> Is dsca.crt the CA that issued the DS server cert?  If so, that won't
> work.  You need the CA cert from the CA that issued the AD server cert
> (i.e. the CA cert from the MS Enterprise Root CA).
>
>  -J
>
>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>
>> ok. I started from scratch this week on this and I think I've got the
>> right doc and understand better where this is going. My problem now is that
>> when configuring SSL on the AD server (step c in this url:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>
>> I get this error:
>>
>>  certreq -submit request.req certnew.cer
>> Active Directory Enrollment Policy
>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>   ldap:
>> RequestId: 3
>> RequestId: "3"
>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>> request does not contain a certificate template extension or the
>> CertificateTemplate request attribute.
>>  The request contains no certificate template information. 0x80094801
>> (-2146875391)
>> Certificate Request Processor: The request contains no certificate
>> template information. 0x80094801 (-2146875391)
>>  Denied by Policy Module  0x80094801, The request does not contain a
>> certificate template extension or the CertificateTemplate request attribute.
>>
>>  The RH doc says to use the browser if an error occurs and IIS is
>> running but I'm not running IIS. I researched that error but didn't find
>> anything that helps with FreeIPA and passsync.
>>
>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>> CA mode - it will usually automatically create and install the AD server
>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>
>>
>>  Jimmy
>>
>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>
>>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>>
>>> We need to be able to replicate user/pass between Windows 2008 AD and
>>> FreeIPA.
>>>
>>>
>>>  That's what IPA Windows Sync is supposed to do.
>>>
>>>
>>> I have followed many different documents and posted here about it and
>>> from what I've read and procedures I've followed we are unable to
>>> accomplish this.
>>>
>>>
>>>  What have you tried, and what problems have you run into?
>>>
>>>  It doesn't need to be a full trust.
>>>
>>>  Thanks
>>>
>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com> wrote:
>>>
>>>>  > Just wondering if there was anyone listening on the list that might
>>>> be
>>>> > available for little work integrating FreeIPA with Active Directory
>>>> > (preferrably in the south east US.) I hope this isn't against the list
>>>> > rules, I just thought one of you guys could help or point me in the
>>>> right
>>>> > direction.
>>>>
>>>>  If you want some help, it is certainly not against list rules ;-) But
>>>> in that
>>>> case, it would be much better if you asked what exactly do you need.
>>>>
>>>> I'm not an AD expert, but a couple tips: If you are looking for
>>>> cross-domain
>>>> (cross-realm) trust, then you might be a bit disappointed, it is still
>>>> in
>>>> development, so it probably won't be 100% functional at this moment.
>>>>
>>>> If you are looking for something else, could you be a little more
>>>> specific what
>>>> it is?
>>>>
>>>> I also recommend starting with reading some doc:
>>>> http://freeipa.org/page/DocumentationPortal
>>>>
>>>> Thanks
>>>> Jan
>>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120120/f7961366/attachment.htm>

More information about the Freeipa-users mailing list