[Freeipa-users] consulting?

Rich Megginson rmeggins at redhat.com
Fri Jan 20 19:46:33 UTC 2012


On 01/20/2012 12:46 PM, Jimmy wrote:
> Getting close here... Now I see this message in the sync log file:
>
> attempting to sync password for testuser
> searching for (ntuserdomainid=testuser)
> ldap error in queryusername
>  32: no such object
> deferring password change for testuser
This usually means the search base is incorrect or not found.  You can 
look at the 389 access log to see what it was using as the search criteria.
>
> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 01/20/2012 10:23 AM, Jimmy wrote:
>>     You are correct. I had installed as an Enterprise root, but the
>>     doc I was reading(original link) seemed to say that I had to do
>>     the certreq manually, my bad. I think I'm getting closer I can
>>     establish an openssl connection from DS to AD but I get these
>>     errors:
>>
>>      openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>     CONNECTED(00000003)
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=20:unable to get local issuer certificate
>>     verify return:1
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=27:certificate not trusted
>>     verify return:1
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=21:unable to verify the first certificate
>>     verify return:1
>>
>>     I thought I had imported the cert from AD but it doesn't seem so.
>>     I'm still researching but if you guys have a suggestion let me know.
>     Is dsca.crt the CA that issued the DS server cert?  If so, that
>     won't work.  You need the CA cert from the CA that issued the AD
>     server cert (i.e. the CA cert from the MS Enterprise Root CA).
>
>>     -J
>>
>>     On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>         On 01/19/2012 02:59 PM, Jimmy wrote:
>>>         ok. I started from scratch this week on this and I think
>>>         I've got the right doc and understand better where this is
>>>         going. My problem now is that when configuring SSL on the AD
>>>         server (step c in this url:
>>>         http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>
>>>         I get this error:
>>>
>>>         certreq -submit request.req certnew.cer
>>>         Active Directory Enrollment Policy
>>>           {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>           ldap:
>>>         RequestId: 3
>>>         RequestId: "3"
>>>         Certificate not issued (Denied) Denied by Policy Module
>>>          0x80094801, The request does not contain a certificate
>>>         template extension or the CertificateTemplate request attribute.
>>>          The request contains no certificate template information.
>>>         0x80094801 (-2146875391)
>>>         Certificate Request Processor: The request contains no
>>>         certificate template information. 0x80094801 (-2146875391)
>>>         Denied by Policy Module  0x80094801, The request does not
>>>         contain a certificate template extension or the
>>>         CertificateTemplate request attribute.
>>>
>>>         The RH doc says to use the browser if an error occurs and
>>>         IIS is running but I'm not running IIS. I researched that
>>>         error but didn't find anything that helps with FreeIPA and
>>>         PassSync.
>>         Hmm - try installing Microsoft Certificate Authority in
>>         Enterprise Root CA mode - it will usually automatically
>>         create and install the AD server cert.
>>         http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>
>>>
>>>         Jimmy
>>>
>>>         On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>>             On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>             We need to be able to replicate user/pass between
>>>>             Windows 2008 AD and FreeIPA.
>>>
>>>             That's what IPA Windows Sync is supposed to do.
>>>
>>>
>>>>             I have followed many different documents and posted
>>>>             here about it and from what I've read and procedures
>>>>             I've followed we are unable to accomplish this.
>>>
>>>             What have you tried, and what problems have you run into?
>>>
>>>>             It doesn't need to be a full trust.
>>>>
>>>>             Thanks
>>>>
>>>>             On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com> wrote:
>>>>
>>>>                 > Just wondering if there was anyone listening on
>>>>                 the list that might be
>>>>                 > available for little work integrating FreeIPA
>>>>                 with Active Directory
>>>>                 > (preferably in the south east US.) I hope this
>>>>                 isn't against the list
>>>>                 > rules, I just thought one of you guys could help
>>>>                 or point me in the right
>>>>                 > direction.
>>>>
>>>>                 If you want some help, it is certainly not against
>>>>                 list rules ;-) But in that
>>>>                 case, it would be much better if you asked what
>>>>                 exactly you need.
>>>>
>>>>                 I'm not an AD expert, but a couple tips: If you are
>>>>                 looking for cross-domain
>>>>                 (cross-realm) trust, then you might be a bit
>>>>                 disappointed, it is still in
>>>>                 development, so it probably won't be 100%
>>>>                 functional at this moment.
>>>>
>>>>                 If you are looking for something else, could you be
>>>>                 a little more specific what
>>>>                 it is?
>>>>
>>>>                 I also recommend starting with reading some doc:
>>>>                 http://freeipa.org/page/DocumentationPortal
>>>>
>>>>                 Thanks
>>>>                 Jan
>>>>
>>>>
>>>>
>>>>             _______________________________________________
>>>>             Freeipa-users mailing list
>>>>             Freeipa-users at redhat.com
>>>>             https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>>
>
>
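Rich's pointer to the 389 access log, worked through as an added example that is not part of the thread or of the FreeIPA/389 DS code: the script joins each SRCH line with its RESULT line on the conn/op pair and prints the base and filter of every search that came back err=32 (noSuchObject), which is what PassSync reported as "32: no such object". The log lines are constructed in the 389 DS access-log format, the DNs (ou=People,... versus cn=users,cn=accounts,...) are placeholders, and the real file is normally /var/log/dirsrv/slapd-INSTANCE/access.

```shell
#!/bin/sh
# Added example (not from the thread): find the search base and filter that
# 389 DS actually used for searches that failed with err=32 (noSuchObject).
# SRCH and RESULT are separate lines, so they are joined on "conn=N op=M".
set -e

# Constructed sample in 389 DS access-log format. The first search uses a
# base that does not exist in IPA (no ou=People), the second a real one.
SAMPLE_LOG=$(cat <<'EOF'
[20/Jan/2012:12:45:01 -0700] conn=12 fd=64 slot=64 connection from 192.168.201.150 to 192.168.201.10
[20/Jan/2012:12:45:01 -0700] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[20/Jan/2012:12:45:01 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2012:12:45:01 -0700] conn=12 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL
[20/Jan/2012:12:45:01 -0700] conn=12 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[20/Jan/2012:12:45:03 -0700] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[20/Jan/2012:12:45:03 -0700] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
EOF
)

# Print "base<TAB>filter" for every search whose RESULT line carries err=32.
# Reads the file names given as arguments, or stdin when there are none.
failed_search_bases() {
    awk '
        / SRCH / {
            key = $3 " " $4                       # fields 3 and 4 are conn=N op=M
            match($0, /base="[^"]*"/);   base   = substr($0, RSTART + 6, RLENGTH - 7)
            match($0, /filter="[^"]*"/); filter = substr($0, RSTART + 8, RLENGTH - 9)
            srch[key] = base "\t" filter
        }
        / RESULT err=32 / {
            key = $3 " " $4
            if (key in srch) print srch[key]
        }
    ' "$@"
}

# Demo on the constructed sample. On a live server point it at the log, e.g.
#   failed_search_bases /var/log/dirsrv/slapd-EXAMPLE-COM/access
printf '%s\n' "$SAMPLE_LOG" | failed_search_bases
```

Once the base is known, confirm whether it exists with a base-scoped search against DS, for example `ldapsearch -x -b 'ou=People,dc=example,dc=com' -s base` (substituting the printed base); err=32 on the container itself means the PassSync "Search Base" points somewhere that does not exist in IPA, whose users live under cn=users,cn=accounts,<suffix>.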
