[Freeipa-users] consulting?
Rich Megginson
rmeggins at redhat.com
Mon Jan 23 18:33:50 UTC 2012
On 01/23/2012 11:34 AM, Jimmy wrote:
> I did create the winsync user and it is an admin.
>
> I will fix the ip address(change to hostname,) I only did it that was
> because this is currently a test system so I can figure out how to get
> it all working.
ok - once you do that, you can check the 389 errors log at
/var/log/dirsrv/slapd-INST/errors to see if winsync is logging any errors
>
> On Mon, Jan 23, 2012 at 1:06 PM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 01/23/2012 10:52 AM, Jimmy wrote:
>> That's what I was thinking, and what I did, but it still doesn't
>> replicate new users. This is the command I used:
>>
>> ipa-replica-manage connect --passsync --binddn
>> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw=********
>> --cacert /home/winsync/AD-server-cert.cer 192.168.201.150 -v
>
> Did you create the user
> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp? And does this user
> have the rights to perform sync? (e.g. has to have replicator
> rights, or be some sort of admin) - see
> http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx -
> the AD user must have replication rights and write rights.
>
> In addition, since this process uses SSL, you cannot use an IP
> address, you must use a hostname, or the SSL cert hostname
> checking (for MITM) will fail.
>
>>
>> On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson
>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>
>> On 01/23/2012 10:19 AM, Jimmy wrote:
>>> Here's what I found in the DS admin guide. Is this all
>>> that's needed to create the sync agreement?
>> Not with ipa - you should use the ipa-replica-manage command
>> instead
>>
>>> Thanks.
>>>
>>> add sync agreement:
>>> ldapmodify -x -D "cn=Directory Manager" -W
>>> Enter LDAP Password: *******
>>> dn: cn=ExampleSyncAgreement,cn=sync
>>> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>> it should be cn=replica, not cn=sync replica - does it use
>> the latter in the Admin Guide?
>>
>>> changetype: add
>>> objectclass: top
>>> objectclass: nsDSWindowsReplicationAgreement
>>> cn: ExampleSyncAgreement
>>> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>>> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>>> nsds7NewWinUserSyncEnabled: on
>>> nsds7NewWinGroupSyncEnabled: on
>>> nsds7WindowsDomain: ad1
>>> nsDS5ReplicaRoot: dc=example,dc=com
>>> nsDS5ReplicaHost: ad1.windows-server.com
>>> <http://ad1.windows-server.com>
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=sync user,cn=config
>>> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>>> nsDS5ReplicaTransportInfo: TLS
>>> winSyncInterval: 1200
>>>
>>> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson
>>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>>
>>> On 01/20/2012 01:08 PM, Jimmy wrote:
>>>> That was it! I have passwords syncing, *BUT*(at the
>>>> risk of sounding stupid)-- is it not possible to also
>>>> sync(add) the users from AD to DS?
>>> Yes, it is. Just configure IPA Windows Sync
>>>
>>>> I created a new user in AD and it doesn't propogate to
>>>> DS, just says:
>>>>
>>>> attempting to sync password for testuser3
>>>> searching for (ntuserdomainid=testuser3)
>>>> There are no entries that match: testuser3
>>>> deferring password change for testuser3
>>>>
>>>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson
>>>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>>>
>>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>>> Getting close here... Now I see this message in
>>>>> the sync log file:
>>>>>
>>>>> attempting to sync password for testuser
>>>>> searching for (ntuserdomainid=testuser)
>>>>> ldap error in queryusername
>>>>> 32: no such object
>>>>> deferring password change for testuser
>>>> This usually means the search base is incorrect or
>>>> not found. You can look at the 389 access log to
>>>> see what it was using as the search criteria.
>>>>
>>>>>
>>>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson
>>>>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>>>>> wrote:
>>>>>
>>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>>> You are correct. I had installed as an
>>>>>> Enterprise root, but the doc I was
>>>>>> reading(original link) seemed to say that I
>>>>>> had to do the certreq manually, my bad. I
>>>>>> think I'm getting closer I can establish an
>>>>>> openssl connection from DS to AD but I get
>>>>>> these errors:
>>>>>>
>>>>>> openssl s_client -connect
>>>>>> 192.168.201.150:636
>>>>>> <http://192.168.201.150:636> -showcerts
>>>>>> -CAfile dsca.crt
>>>>>> CONNECTED(00000003)
>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>> verify error:num=20:unable to get local
>>>>>> issuer certificate
>>>>>> verify return:1
>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>> verify error:num=27:certificate not trusted
>>>>>> verify return:1
>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>> verify error:num=21:unable to verify the
>>>>>> first certificate
>>>>>> verify return:1
>>>>>>
>>>>>> I thought I had imported the cert from AD but
>>>>>> it doesn't seem so. I'm still researching but
>>>>>> if you guys have a suggestion let me know.
>>>>> Is dsca.crt the CA that issued the DS server
>>>>> cert? If so, that won't work. You need the
>>>>> CA cert from the CA that issued the AD server
>>>>> cert (i.e. the CA cert from the MS Enterprise
>>>>> Root CA).
>>>>>
>>>>>> -J
>>>>>>
>>>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich
>>>>>> Megginson <rmeggins at redhat.com
>>>>>> <mailto:rmeggins at redhat.com>> wrote:
>>>>>>
>>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>>> ok. I started from scratch this week on
>>>>>>> this and I think I've got the right doc
>>>>>>> and understand better where this is
>>>>>>> going. My problem now is that when
>>>>>>> configuring SSL on the AD server (step c
>>>>>>> in this url:
>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>>>
>>>>>>> I get this error:
>>>>>>>
>>>>>>> certreq -submit request.req certnew.cer
>>>>>>> Active Directory Enrollment Policy
>>>>>>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>>> ldap:
>>>>>>> RequestId: 3
>>>>>>> RequestId: "3"
>>>>>>> Certificate not issued (Denied) Denied
>>>>>>> by Policy Module 0x80094801, The
>>>>>>> request does not contain a certificate
>>>>>>> template extension or the
>>>>>>> CertificateTemplate request attribute.
>>>>>>> The request contains no certificate
>>>>>>> template information. 0x80094801
>>>>>>> (-2146875391 <tel:%28-2146875391>)
>>>>>>> Certificate Request Processor: The
>>>>>>> request contains no certificate template
>>>>>>> information. 0x80094801 (-2146875391
>>>>>>> <tel:%28-2146875391>)
>>>>>>> Denied by Policy Module 0x80094801, The
>>>>>>> request does not contain a certificate
>>>>>>> template extension or the
>>>>>>> CertificateTemplate request attribute.
>>>>>>>
>>>>>>> The RH doc says to use the browser if an
>>>>>>> error occurs and IIS is running but I'm
>>>>>>> not running IIS. I researched that error
>>>>>>> but didn't find anything that helps with
>>>>>>> FreeIPA and passsync.
>>>>>> Hmm - try installing Microsoft
>>>>>> Certificate Authority in Enterprise Root
>>>>>> CA mode - it will usually automatically
>>>>>> create and install the AD server cert.
>>>>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Jimmy
>>>>>>>
>>>>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich
>>>>>>> Megginson <rmeggins at redhat.com
>>>>>>> <mailto:rmeggins at redhat.com>> wrote:
>>>>>>>
>>>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>>> We need to be able to replicate
>>>>>>>> user/pass between Windows 2008 AD
>>>>>>>> and FreeIPA.
>>>>>>>
>>>>>>> That's what IPA Windows Sync is
>>>>>>> supposed to do.
>>>>>>>
>>>>>>>
>>>>>>>> I have followed many different
>>>>>>>> documents and posted here about it
>>>>>>>> and from what I've read and
>>>>>>>> procedures I've followed we are
>>>>>>>> unable to accomplish this.
>>>>>>>
>>>>>>> What have you tried, and what
>>>>>>> problems have you run into?
>>>>>>>
>>>>>>>> It doesn't need to be a full trust.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On Tue, Jan 10, 2012 at 3:03 AM,
>>>>>>>> Jan Zelený <jzeleny at redhat.com
>>>>>>>> <mailto:jzeleny at redhat.com>> wrote:
>>>>>>>>
>>>>>>>> > Just wondering if there was
>>>>>>>> anyone listening on the list
>>>>>>>> that might be
>>>>>>>> > available for little work
>>>>>>>> integrating FreeIPA with Active
>>>>>>>> Directory
>>>>>>>> > (preferrably in the south
>>>>>>>> east US.) I hope this isn't
>>>>>>>> against the list
>>>>>>>> > rules, I just thought one of
>>>>>>>> you guys could help or point me
>>>>>>>> in the right
>>>>>>>> > direction.
>>>>>>>>
>>>>>>>> If you want some help, it is
>>>>>>>> certainly not against list
>>>>>>>> rules ;-) But in that
>>>>>>>> case, it would be much better
>>>>>>>> if you asked what exactly do
>>>>>>>> you need.
>>>>>>>>
>>>>>>>> I'm not an AD expert, but a
>>>>>>>> couple tips: If you are looking
>>>>>>>> for cross-domain
>>>>>>>> (cross-realm) trust, then you
>>>>>>>> might be a bit disappointed, it
>>>>>>>> is still in
>>>>>>>> development, so it probably
>>>>>>>> won't be 100% functional at
>>>>>>>> this moment.
>>>>>>>>
>>>>>>>> If you are looking for
>>>>>>>> something else, could you be a
>>>>>>>> little more specific what
>>>>>>>> it is?
>>>>>>>>
>>>>>>>> I also recommend starting with
>>>>>>>> reading some doc:
>>>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Jan
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-users mailing list
>>>>>>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120123/48facc4c/attachment.htm>
More information about the Freeipa-users
mailing list