[Freeipa-users] consulting?
Rich Megginson
rmeggins at redhat.com
Wed Jan 25 19:14:47 UTC 2012
On 01/25/2012 12:07 PM, Jimmy wrote:
> Found the reason for the ldap search not working- when I created the
> AD certificate role, I accidentally entered a new sub-domain so
> instead of the FQDN in the cert being csp-ad.pdh.csp it came out
> csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to
> work-
>
> ldif output-- http://fpaste.org/xbOC/
> debug- http://fpaste.org/6g8q/
>
> I guess I need to redo the sync agreement to fix the server DNS name.
Yep. When using TLS/SSL you have to pay close attention to hostnames.
>
> I will be traveling for work for the next couple days but should still
> be working on this issue some. I'll take VM's of the servers on my
> laptop to be able to keep working.
> -Jimmy
>
> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 01/19/2012 02:59 PM, Jimmy wrote:
>> ok. I started from scratch this week on this and I think I've got
>> the right doc and understand better where this is going. My
>> problem now is that when configuring SSL on the AD server (step c
>> in this url:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>
>> I get this error:
>>
>> certreq -submit request.req certnew.cer
>> Active Directory Enrollment Policy
>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>> ldap:
>> RequestId: 3
>> RequestId: "3"
>> Certificate not issued (Denied) Denied by Policy Module
>> 0x80094801, The request does not contain a certificate template
>> extension or the CertificateTemplate request attribute.
>> The request contains no certificate template information.
>> 0x80094801 (-2146875391)
>> Certificate Request Processor: The request contains no
>> certificate template information. 0x80094801 (-2146875391)
>> Denied by Policy Module 0x80094801, The request does not contain
>> a certificate template extension or the CertificateTemplate
>> request attribute.
>>
>> The RH doc says to use the browser if an error occurs and IIS is
>> running but I'm not running IIS. I researched that error but
>> didn't find anything that helps with FreeIPA and passsync.
> Hmm - try installing Microsoft Certificate Authority in Enterprise
> Root CA mode - it will usually automatically create and install
> the AD server cert.
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>>
>> Jimmy
>>
>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>> We need to be able to replicate user/pass between Windows
>>> 2008 AD and FreeIPA.
>>
>> That's what IPA Windows Sync is supposed to do.
>>
>>
>>> I have followed many different documents and posted here
>>> about it and from what I've read and procedures I've
>>> followed we are unable to accomplish this.
>>
>> What have you tried, and what problems have you run into?
>>
>>> It doesn't need to be a full trust.
>>>
>>> Thanks
>>>
>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com> wrote:
>>>
>>> > Just wondering if there was anyone listening on the list that might be
>>> > available for little work integrating FreeIPA with Active Directory
>>> > (preferably in the south east US.) I hope this isn't against the list
>>> > rules, I just thought one of you guys could help or point me in the right
>>> > direction.
>>>
>>> If you want some help, it is certainly not against list
>>> rules ;-) But in that
>>> case, it would be much better if you asked what exactly
>>> do you need.
>>>
>>> I'm not an AD expert, but a couple tips: If you are
>>> looking for cross-domain
>>> (cross-realm) trust, then you might be a bit
>>> disappointed, it is still in
>>> development, so it probably won't be 100% functional at
>>> this moment.
>>>
>>> If you are looking for something else, could you be a
>>> little more specific what
>>> it is?
>>>
>>> I also recommend starting with reading some doc:
>>> http://freeipa.org/page/DocumentationPortal
>>>
>>> Thanks
>>> Jan
>>>
>>>
>>>
>>
>>
>
>
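
Added example, not part of the original messages: a small Python check of whether the name a TLS client connects with is covered by the DNS names in the server certificate, which is the mismatch described at the top of this thread. The function names are hypothetical, the sample input is constructed from the two host names quoted in the thread, and the matching is a simplified RFC 6125-style comparison of dNSName entries only.

```python
"""Check a server name against the DNS names in its certificate (RFC 6125 style)."""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate dNSName (optionally '*.suffix') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label, never a whole
        # subtree, and is refused when fewer than two labels follow it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def verify_host(hostname, cert_dns_names):
    """Return (ok, names_that_matched) for the name the client will connect to."""
    matched = [n for n in cert_dns_names if name_matches(n, hostname)]
    return bool(matched), matched

def suggest_fix(hostname, cert_dns_names):
    """Describe the result the way a TLS client would experience it."""
    ok, matched = verify_host(hostname, cert_dns_names)
    if ok:
        return f"OK: {hostname} is covered by {matched[0]}"
    return (f"MISMATCH: connecting to {hostname} but certificate names are "
            f"{', '.join(cert_dns_names)}; reissue the certificate or connect "
            f"using a name it contains")

if __name__ == "__main__":
    # Constructed input: the two host names quoted in the thread.
    cert_names = ["csp-ad.cspad.pdh.csp"]
    for host in ("csp-ad.pdh.csp", "csp-ad.cspad.pdh.csp"):
        print(suggest_fix(host, cert_names))
```

Note that a wildcard such as `*.pdh.csp` would not cover `csp-ad.cspad.pdh.csp` either, because the extra sub-domain adds a label.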