[Freeipa-users] consulting?

Rich Megginson rmeggins at redhat.com
Wed Jan 25 19:14:47 UTC 2012


On 01/25/2012 12:07 PM, Jimmy wrote:
> Found the reason for the ldap search not working- when I created the 
> AD certificate role, I accidentally entered a new sub-domain so
> instead of the FQDN in the cert being csp-ad.pdh.csp it came out
> csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to 
> work-
>
> ldif output-- http://fpaste.org/xbOC/
> debug- http://fpaste.org/6g8q/
>
> I guess I need to redo the sync agreement to fix the server DNS name.
Yep.  When using TLS/SSL you have to pay close attention to hostnames.
>
> I will be traveling for work for the next couple days but should still 
> be working on this issue some. I'll take VMs of the servers on my
> laptop to be able to keep working.
> -Jimmy
>
> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 01/19/2012 02:59 PM, Jimmy wrote:
>>     ok. I started from scratch this week on this and I think I've got
>>     the right doc and understand better where this is going. My
>>     problem now is that when configuring SSL on the AD server (step c
>>     in this url:
>>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>
>>     I get this error:
>>
>>     certreq -submit request.req certnew.cer
>>     Active Directory Enrollment Policy
>>       {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>       ldap:
>>     RequestId: 3
>>     RequestId: "3"
>>     Certificate not issued (Denied) Denied by Policy Module
>>      0x80094801, The request does not contain a certificate template
>>     extension or the CertificateTemplate request attribute.
>>      The request contains no certificate template information.
>>     0x80094801 (-2146875391)
>>     Certificate Request Processor: The request contains no
>>     certificate template information. 0x80094801 (-2146875391)
>>     Denied by Policy Module  0x80094801, The request does not contain
>>     a certificate template extension or the CertificateTemplate
>>     request attribute.
>>
>>     The RH doc says to use the browser if an error occurs and IIS is
>>     running but I'm not running IIS. I researched that error but
>>     didn't find anything that helps with FreeIPA and passsync.
>     Hmm - try installing Microsoft Certificate Authority in Enterprise
>     Root CA mode - it will usually automatically create and install
>     the AD server cert.
>     http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>>
>>     Jimmy
>>
>>     On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
>>     <rmeggins at redhat.com> wrote:
>>
>>         On 01/11/2012 11:22 AM, Jimmy wrote:
>>>         We need to be able to replicate user/pass between Windows
>>>         2008 AD and FreeIPA.
>>
>>         That's what IPA Windows Sync is supposed to do.
>>
>>
>>>         I have followed many different documents and posted here
>>>         about it and from what I've read and procedures I've
>>>         followed we are unable to accomplish this.
>>
>>         What have you tried, and what problems have you run into?
>>
>>>         It doesn't need to be a full trust.
>>>
>>>         Thanks
>>>
>>>         On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
>>>         <jzeleny at redhat.com> wrote:
>>>
>>>             > Just wondering if there was anyone listening on the
>>>             list that might be
>>>             > available for little work integrating FreeIPA with
>>>             Active Directory
>>>             > (preferably in the south east US.) I hope this isn't
>>>             against the list
>>>             > rules, I just thought one of you guys could help or
>>>             point me in the right
>>>             > direction.
>>>
>>>             If you want some help, it is certainly not against list
>>>             rules ;-) But in that
>>>             case, it would be much better if you asked what exactly
>>>             do you need.
>>>
>>>             I'm not an AD expert, but a couple tips: If you are
>>>             looking for cross-domain
>>>             (cross-realm) trust, then you might be a bit
>>>             disappointed, it is still in
>>>             development, so it probably won't be 100% functional at
>>>             this moment.
>>>
>>>             If you are looking for something else, could you be a
>>>             little more specific what
>>>             it is?
>>>
>>>             I also recommend starting with reading some doc:
>>>             http://freeipa.org/page/DocumentationPortal
>>>
>>>             Thanks
>>>             Jan
>>>
>>>
>>>
>>
>>
>
>
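
The hostname check behind this exchange, as an added example that is not part of the original thread: a TLS client compares the name it connected to against the DNS names in the server certificate, so a certificate issued for csp-ad.cspad.pdh.csp fails for csp-ad.pdh.csp. The certificate dicts are constructed samples in the format returned by Python's ssl.SSLSocket.getpeercert(); the function names are hypothetical.

```python
# Added example. Certificate dicts are constructed samples in the format
# returned by ssl.SSLSocket.getpeercert(); hostnames come from the thread.

def name_matches(pattern, host):
    """Compare one certificate DNS name with the hostname the client used."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # an extra label (e.g. "cspad") can never match
    if p[0] == "*":
        # A wildcard is honoured only as the whole leftmost label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return dNSName SANs, falling back to CN only when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check_host(cert, host):
    """Return (ok, names) so a mismatch can be reported with the cert names."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed: certificate issued with the accidental extra sub-domain.
BAD_CERT = {"subject": ((("commonName", "csp-ad.cspad.pdh.csp"),),)}
# Constructed: certificate reissued for the real AD server name.
GOOD_CERT = {
    "subject": ((("commonName", "csp-ad.pdh.csp"),),),
    "subjectAltName": (("DNS", "csp-ad.pdh.csp"),),
}

if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        for host in ("csp-ad.pdh.csp", "csp-ad.cspad.pdh.csp"):
            ok, names = check_host(cert, host)
            print(f"{label} cert, connect to {host}: "
                  f"{'OK' if ok else 'MISMATCH'} (cert names: {names})")
```

The second row of output shows why adding a DNS record for the mistaken name made the search work: the client then connects using the name the certificate actually carries.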
