[Freeipa-users] consulting?

Rich Megginson rmeggins at redhat.com
Mon Jan 23 17:30:59 UTC 2012


On 01/23/2012 10:19 AM, Jimmy wrote:
> Here's what I found in the DS admin guide. Is this all that's needed 
> to create the sync agreement?
Not with ipa - you should use the ipa-replica-manage command instead
> Thanks.
>
> add sync agreement:
> ldapmodify -x -D "cn=Directory Manager" -W
> Enter LDAP Password: *******
> dn: cn=ExampleSyncAgreement,cn=sync 
> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
it should be cn=replica, not cn=sync replica - does it use the latter in 
the Admin Guide?
> changetype: add
> objectclass: top
> objectclass: nsDSWindowsReplicationAgreement
> cn: ExampleSyncAgreement
> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
> nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: on
> nsds7WindowsDomain: ad1
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaHost: ad1.windows-server.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=sync user,cn=config
> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
> nsDS5ReplicaTransportInfo: TLS
> winSyncInterval: 1200
>
> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 01/20/2012 01:08 PM, Jimmy wrote:
>>     That was it! I have passwords syncing, *BUT* (at the risk of
>>     sounding stupid) -- is it not possible to also sync (add) the users
>>     from AD to DS?
>     Yes, it is.  Just configure IPA Windows Sync
>
>>     I created a new user in AD and it doesn't propagate to DS, just
>>     says:
>>
>>     attempting to sync password for testuser3
>>     searching for (ntuserdomainid=testuser3)
>>     There are no entries that match: testuser3
>>     deferring password change for testuser3
>>
>>     On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson
>>     <rmeggins at redhat.com> wrote:
>>
>>         On 01/20/2012 12:46 PM, Jimmy wrote:
>>>         Getting close here... Now I see this message in the sync log
>>>         file:
>>>
>>>         attempting to sync password for testuser
>>>         searching for (ntuserdomainid=testuser)
>>>         ldap error in queryusername
>>>          32: no such object
>>>         deferring password change for testuser
>>         This usually means the search base is incorrect or not
>>         found.  You can look at the 389 access log to see what it was
>>         using as the search criteria.
>>
>>>
>>>         On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson
>>>         <rmeggins at redhat.com> wrote:
>>>
>>>             On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>             You are correct. I had installed as an Enterprise root,
>>>>             but the doc I was reading(original link) seemed to say
>>>>             that I had to do the certreq manually, my bad. I think
>>>>             I'm getting closer I can establish an openssl
>>>>             connection from DS to AD but I get these errors:
>>>>
>>>>             openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>>>             CONNECTED(00000003)
>>>>             depth=0 CN = csp-ad.cspad.pdh.csp
>>>>             verify error:num=20:unable to get local issuer certificate
>>>>             verify return:1
>>>>             depth=0 CN = csp-ad.cspad.pdh.csp
>>>>             verify error:num=27:certificate not trusted
>>>>             verify return:1
>>>>             depth=0 CN = csp-ad.cspad.pdh.csp
>>>>             verify error:num=21:unable to verify the first certificate
>>>>             verify return:1
>>>>
>>>>             I thought I had imported the cert from AD but it
>>>>             doesn't seem so. I'm still researching but if you guys
>>>>             have a suggestion let me know.
>>>             Is dsca.crt the CA that issued the DS server cert?  If
>>>             so, that won't work.  You need the CA cert from the CA
>>>             that issued the AD server cert (i.e. the CA cert from
>>>             the MS Enterprise Root CA).
>>>
>>>>             -J
>>>>
>>>>             On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson
>>>>             <rmeggins at redhat.com> wrote:
>>>>
>>>>                 On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>                 ok. I started from scratch this week on this and I
>>>>>                 think I've got the right doc and understand better
>>>>>                 where this is going. My problem now is that when
>>>>>                 configuring SSL on the AD server (step c in this
>>>>>                 url:
>>>>>                 http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>
>>>>>                 I get this error:
>>>>>
>>>>>                 certreq -submit request.req certnew.cer
>>>>>                 Active Directory Enrollment Policy
>>>>>                   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>                   ldap:
>>>>>                 RequestId: 3
>>>>>                 RequestId: "3"
>>>>>                 Certificate not issued (Denied) Denied by Policy
>>>>>                 Module  0x80094801, The request does not contain a
>>>>>                 certificate template extension or the
>>>>>                 CertificateTemplate request attribute.
>>>>>                 The request contains no certificate template
>>>>>                 information. 0x80094801 (-2146875391)
>>>>>                 Certificate Request Processor: The request
>>>>>                 contains no certificate template information.
>>>>>                 0x80094801 (-2146875391)
>>>>>                 Denied by Policy Module  0x80094801, The request
>>>>>                 does not contain a certificate template extension
>>>>>                 or the CertificateTemplate request attribute.
>>>>>
>>>>>                 The RH doc says to use the browser if an error
>>>>>                 occurs and IIS is running but I'm not running IIS.
>>>>>                 I researched that error but didn't find anything
>>>>>                 that helps with FreeIPA and passsync.
>>>>                 Hmm - try installing Microsoft Certificate
>>>>                 Authority in Enterprise Root CA mode - it will
>>>>                 usually automatically create and install the AD
>>>>                 server cert.
>>>>                 http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>
>>>>
>>>>>
>>>>>                 Jimmy
>>>>>
>>>>>                 On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
>>>>>                 <rmeggins at redhat.com> wrote:
>>>>>
>>>>>                     On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>                     We need to be able to replicate user/pass
>>>>>>                     between Windows 2008 AD and FreeIPA.
>>>>>
>>>>>                     That's what IPA Windows Sync is supposed to do.
>>>>>
>>>>>
>>>>>>                     I have followed many different documents and
>>>>>>                     posted here about it and from what I've read
>>>>>>                     and procedures I've followed we are unable to
>>>>>>                     accomplish this.
>>>>>
>>>>>                     What have you tried, and what problems have
>>>>>                     you run into?
>>>>>
>>>>>>                     It doesn't need to be a full trust.
>>>>>>
>>>>>>                     Thanks
>>>>>>
>>>>>>                     On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
>>>>>>                     <jzeleny at redhat.com> wrote:
>>>>>>
>>>>>>                         > Just wondering if there was anyone
>>>>>>                         listening on the list that might be
>>>>>>                         > available for little work integrating
>>>>>>                         FreeIPA with Active Directory
>>>>>>                         > (preferably in the south east US.) I
>>>>>>                         hope this isn't against the list
>>>>>>                         > rules, I just thought one of you guys
>>>>>>                         could help or point me in the right
>>>>>>                         > direction.
>>>>>>
>>>>>>                         If you want some help, it is certainly
>>>>>>                         not against list rules ;-) But in that
>>>>>>                         case, it would be much better if you
>>>>>>                         asked what exactly do you need.
>>>>>>
>>>>>>                         I'm not an AD expert, but a couple tips:
>>>>>>                         If you are looking for cross-domain
>>>>>>                         (cross-realm) trust, then you might be a
>>>>>>                         bit disappointed, it is still in
>>>>>>                         development, so it probably won't be 100%
>>>>>>                         functional at this moment.
>>>>>>
>>>>>>                         If you are looking for something else,
>>>>>>                         could you be a little more specific what
>>>>>>                         it is?
>>>>>>
>>>>>>                         I also recommend starting with reading
>>>>>>                         some doc:
>>>>>>                         http://freeipa.org/page/DocumentationPortal
>>>>>>
>>>>>>                         Thanks
>>>>>>                         Jan
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     _______________________________________________
>>>>>>                     Freeipa-users mailing list
>>>>>>                     Freeipa-users at redhat.com
>>>>>>                     https://www.redhat.com/mailman/listinfo/freeipa-users

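Added example, not code from the thread, from PassSync or from FreeIPA: a small triage script that reads PassSync log lines like the ones quoted above and separates the two deferral causes Rich distinguishes, "There are no entries that match" (the AD user has not been synced into DS yet, so the user sync agreement needs to be working first) and "ldap error in queryusername / 32: no such object" (the search base PassSync queries does not exist, so the 389 access log shows what base DN it used). The sample log is constructed from the quoted messages; the "completed" label for an attempt with no deferral line, and the hint wording, are assumptions of this example.

```python
"""Triage PassSync log output into per-user outcomes.

Added example (not PassSync's or FreeIPA's own code). It recognises only the
message forms quoted in the thread; an attempt that is never followed by a
"deferring password change" line is labelled "completed" (an assumption of
this example, not a documented PassSync message).
"""
import re

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3
attempting to sync password for jdoe
searching for (ntuserdomainid=jdoe)
"""

ATTEMPT_RE = re.compile(r"^attempting to sync password for (\S+)$")
DEFER_RE = re.compile(r"^deferring password change for (\S+)$")
LDAP_ERR_RE = re.compile(r"^(\d+): (.*)$")

# Hints follow the advice given in the thread; wording is this example's own.
HINTS = {
    "deferred-no-entry": ("no DS entry for this AD user yet: set up the IPA Windows "
                          "Sync user agreement with ipa-replica-manage so the user "
                          "is created in DS before its password can be applied"),
    "deferred-ldap-32": ("search base not found (LDAP result 32): check the 389 "
                         "access log for the base DN PassSync searched and correct "
                         "the PassSync search base"),
    "completed": "no deferral logged for this attempt",
}


def classify_passsync_log(text):
    """Return {user: outcome}; outcome is 'completed', 'deferred-no-entry',
    'deferred-ldap-<code>' or 'deferred-unknown'."""
    outcomes = {}
    current = None          # user of the attempt currently being parsed
    reason = None           # failure reason seen since that attempt began
    expect_ldap_code = False  # previous line was "ldap error in ..."
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTEMPT_RE.match(line)
        if m:
            current = m.group(1)
            reason = None
            expect_ldap_code = False
            outcomes[current] = "completed"  # assumption: overwritten if deferred
            continue
        if current is None:
            continue
        if expect_ldap_code:
            # PassSync prints the LDAP result code on the line after the error.
            expect_ldap_code = False
            m = LDAP_ERR_RE.match(line)
            if m:
                reason = f"ldap-{m.group(1)}"
                continue
        if line.startswith("ldap error in "):
            expect_ldap_code = True
        elif line.startswith("There are no entries that match:"):
            reason = "no-entry"
        else:
            m = DEFER_RE.match(line)
            if m:
                outcomes[m.group(1)] = f"deferred-{reason or 'unknown'}"
    return outcomes


def diagnose(text):
    """Return [(user, outcome, hint)] in log order."""
    fallback = "inspect the 389 access log for the search PassSync issued"
    return [(user, outcome, HINTS.get(outcome, fallback))
            for user, outcome in classify_passsync_log(text).items()]


if __name__ == "__main__":
    for user, outcome, hint in diagnose(SAMPLE_LOG):
        print(f"{user:12} {outcome:20} {hint}")
```

Run it against the PassSync log file on the AD side (the same file the thread quotes from); a steady stream of "deferred-no-entry" results means PassSync is working but users are not being created in DS, which is the user-sync problem rather than a password-sync problem.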