[Freeipa-users] consulting?

Jimmy g17jimmy at gmail.com
Mon Jan 23 17:19:39 UTC 2012 

Here's what I found in the DS admin guide. Is this all that's needed to
create the sync agreement? Thanks.

add sync agreement:
ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ExampleSyncAgreement,cn=sync
replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200

On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:

> **
> On 01/20/2012 01:08 PM, Jimmy wrote:
>
> That was it! I have passwords syncing, *BUT*(at the risk of sounding
> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>
> Yes, it is.  Just configure IPA Windows Sync
>
> I created a new user in AD and it doesn't propogate to DS, just says:
>
>  attempting to sync password for testuser3
> searching for (ntuserdomainid=testuser3)
> There are no entries that match: testuser3
> deferring password change for testuser3
>
> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>>  On 01/20/2012 12:46 PM, Jimmy wrote:
>>
>> Getting close here... Now I see this message in the sync log file:
>>
>>  attempting to sync password for testuser
>> searching for (ntuserdomainid=testuser)
>> ldap error in queryusername
>>  32: no such object
>> deferring password change for testuser
>>
>>  This usually means the search base is incorrect or not found.  You can
>> look at the 389 access log to see what it was using as the search criteria.
>>
>>
>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>
>>>  On 01/20/2012 10:23 AM, Jimmy wrote:
>>>
>>> You are correct. I had installed as an Enterprise root, but the doc I
>>> was reading(original link) seemed to say that I had to do the certreq
>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>> connection from DS to AD but I get these errors:
>>>
>>>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>> dsca.crt
>>> CONNECTED(00000003)
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>  verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>>
>>>  I thought I had imported the cert from AD but it doesn't seem so. I'm
>>> still researching but if you guys have a suggestion let me know.
>>>
>>>  Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>>> work.  You need the CA cert from the CA that issued the AD server cert
>>> (i.e. the CA cert from the MS Enterprise Root CA).
>>>
>>>  -J
>>>
>>>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>
>>>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>
>>>> ok. I started from scratch this week on this and I think I've got the
>>>> right doc and understand better where this is going. My problem now is that
>>>> when configuring SSL on the AD server (step c in this url:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>
>>>> I get this error:
>>>>
>>>>  certreq -submit request.req certnew.cer
>>>> Active Directory Enrollment Policy
>>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>   ldap:
>>>> RequestId: 3
>>>> RequestId: "3"
>>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801,
>>>> The request does not contain a certificate template extension or the
>>>> CertificateTemplate request attribute.
>>>>  The request contains no certificate template information. 0x80094801
>>>> (-2146875391)
>>>> Certificate Request Processor: The request contains no certificate
>>>> template information. 0x80094801 (-2146875391)
>>>>  Denied by Policy Module  0x80094801, The request does not contain a
>>>> certificate template extension or the CertificateTemplate request attribute.
>>>>
>>>>  The RH doc says to use the browser if an error occurs and IIS is
>>>> running but I'm not running IIS. I researched that error but didn't find
>>>> anything that helps with FreeIPA and passsync.
>>>>
>>>>  Hmm - try installing Microsoft Certificate Authority in Enterprise
>>>> Root CA mode - it will usually automatically create and install the AD
>>>> server cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>
>>>>
>>>>  Jimmy
>>>>
>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>>
>>>>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>
>>>>> We need to be able to replicate user/pass between Windows 2008 AD and
>>>>> FreeIPA.
>>>>>
>>>>>
>>>>>  That's what IPA Windows Sync is supposed to do.
>>>>>
>>>>>
>>>>> I have followed many different documents and posted here about it and
>>>>> from what I've read and procedures I've followed we are unable to
>>>>> accomplish this.
>>>>>
>>>>>
>>>>>  What have you tried, and what problems have you run into?
>>>>>
>>>>>  It doesn't need to be a full trust.
>>>>>
>>>>>  Thanks
>>>>>
>>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com>wrote:
>>>>>
>>>>>>  > Just wondering if there was anyone listening on the list that
>>>>>> might be
>>>>>> > available for little work integrating FreeIPA with Active Directory
>>>>>> > (preferrably in the south east US.) I hope this isn't against the
>>>>>> list
>>>>>> > rules, I just thought one of you guys could help or point me in the
>>>>>> right
>>>>>> > direction.
>>>>>>
>>>>>>  If you want some help, it is certainly not against list rules ;-)
>>>>>> But in that
>>>>>> case, it would be much better if you asked what exactly do you need.
>>>>>>
>>>>>> I'm not an AD expert, but a couple tips: If you are looking for
>>>>>> cross-domain
>>>>>> (cross-realm) trust, then you might be a bit disappointed, it is
>>>>>> still in
>>>>>> development, so it probably won't be 100% functional at this moment.
>>>>>>
>>>>>> If you are looking for something else, could you be a little more
>>>>>> specific what
>>>>>> it is?
>>>>>>
>>>>>> I also recommend starting with reading some doc:
>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>
>>>>>> Thanks
>>>>>> Jan
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120123/a2a3187e/attachment.htm>

More information about the Freeipa-users mailing list