[Freeipa-users] Creating password sync

Rich Megginson rmeggins at redhat.com
Tue Feb 4 21:00:55 UTC 2014


On 02/04/2014 01:48 PM, Todd Maugh wrote:
> but what about the "can't contact LDAP server" in the passsync log?

 >  LDAP bind error in connect
 >    81: Can't Contact LDAP Server

That means
1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN 
doesn't resolve both forward and reverse from the windows box
5) host specified in the passsync config does not match the ipa ldap 
server certificate subject dn
6) incorrect CA cert installed in passsync cert db

>
> and are you saying I should try to change one of the passwords in AD 
> for it to go to IDM, or vice versa?

In order for AD to send a password, you have to change a password in 
AD.  When I said "This is one of the (many) problems with passsync", I 
meant that passsync will not sync existing passwords from AD to IdM.  
Passsync requires an AD password change operation in order to sync a 
password.  If you were expecting that your existing AD passwords would 
just suddenly work in IdM, without having all of your AD users change 
their passwords, that's not how passsync works.  There is no way to do 
that.  This is but one of the reasons why the AD/IdM cross domain trust 
solution is preferred.

When I said "This is one of the (many) problems with passsync", I most 
certainly did not mean that "LDAP bind error in connect / 81: Can't 
Contact LDAP Server" is one of the many problems. It is almost always a 
configuration issue.

>
> thanks
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Tuesday, February 04, 2014 12:45 PM
> *To:* Todd Maugh; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: Creating password sync
>
> On 02/04/2014 01:42 PM, Todd Maugh wrote:
>> I have not changed any passwords in AD yet.
>
> Then passsync will not have sent anything.
>
>>
>> and the users I have in IDM  from AD, their passwords are not working
>
> Right.  This is one of the (many) problems with the passsync approach 
> - there currently is no way to populate the initial passwords - that 
> is, passsync/IdM cannot copy your passwords over from AD to IdM.
>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Tuesday, February 04, 2014 12:40 PM
>> *To:* Todd Maugh; dpal at redhat.com
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: Creating password sync
>>
>> On 02/04/2014 01:20 PM, Todd Maugh wrote:
>>> my passhook.log file is empty
>>
>> Have you changed any passwords in AD?
>>
>>> ------------------------------------------------------------------------
>>> *From:* freeipa-users-bounces at redhat.com 
>>> [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh 
>>> [tmaugh at boingo.com]
>>> *Sent:* Tuesday, February 04, 2014 11:56 AM
>>> *To:* Rich Megginson; dpal at redhat.com
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] Creating password sync
>>>
>>> I'm seeing these errors in the passsync.log
>>>
>>> 32: No such object
>>> 02/03/14 16:23:40: Ldap error in QueryUsername
>>> 32: No such object
>>> 02/03/14 16:57:48: Abandoning password change for scottb, backoff 
>>> expired
>>> 02/03/14 16:57:48: Ldap bind error in Connect
>>> 32: No such object
>>> 02/03/14 16:57:48: Ldap error in QueryUsername
>>> 32: No such object
>>> 02/03/14 18:06:04: Abandoning password change for scottb, backoff 
>>> expired
>>> 02/03/14 18:06:04: Ldap bind error in Connect
>>> 32: No such object
>>> 02/04/14 10:24:59: PassSync service initialized
>>> 02/04/14 10:24:59: PassSync service running
>>> 02/04/14 10:25:00: Ldap bind error in Connect
>>> 32: No such object
>>> 02/04/14 10:58:37: Ldap bind error in Connect
>>> 32: No such object
>>> 02/04/14 10:58:37: PassSync service stopped
>>> 02/04/14 10:58:38: PassSync service initialized
>>> 02/04/14 10:58:38: PassSync service running
>>> 02/04/14 10:58:39: Ldap bind error in Connect
>>> 32: No such object
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Tuesday, February 04, 2014 9:19 AM
>>> *To:* Todd Maugh; dpal at redhat.com
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: Creating password sync
>>>
>>> On 02/04/2014 10:17 AM, Todd Maugh wrote:
>>>> also I have verified the password synchronization service is 
>>>> started and running on the windows 2008 R2 server
>>>>
>>>>
>>>> but I can't tell if or what it is doing because I'm not getting 
>>>> passwords to my IDM
>>> http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging
>>>
>>> You can also look at the 389 access log to see if you have 
>>> connections from the windows box.
>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* freeipa-users-bounces at redhat.com 
>>>> [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh 
>>>> [tmaugh at boingo.com]
>>>> *Sent:* Tuesday, February 04, 2014 9:04 AM
>>>> *To:* Rich Megginson; dpal at redhat.com
>>>> *Cc:* freeipa-users at redhat.com
>>>> *Subject:* [Freeipa-users] Creating password sync
>>>>
>>>> OK, so I have my replication agreement set up.
>>>>
>>>> and I see accounts coming in to my IDM server from AD
>>>>
>>>> I have followed this guide from redhat
>>>>
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html
>>>>
>>>> to set up my password sync.
>>>>
>>>> I get no errors
>>>>
>>>> but my passwords are not syncing!
>>>>
>>>> Help! The documentation tells of no way to verify or troubleshoot
>>>>
>>>>
>>>> Thank You
>>>>
>>>> -Todd Maugh
>>>> tmaugh at boingo.com
>>>
>>
>
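Added example (editor's code, not from the thread and not part of PassSync or FreeIPA): a small script that parses a passsync.log excerpt in the format quoted above, counts the LDAP result codes, lists the users whose password changes were abandoned (their AD and IdM passwords are now known to differ), and maps result code 81 to the six checks in Rich's reply. The sample log is constructed. The mapping of code 32 to a non-existent DN comes from the LDAP noSuchObject definition, not from the thread, and the DNS round-trip helper is one assumed way to verify check 4 from a host that uses the same resolver as the Windows box.

```python
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the passsync.log lines quoted in the
# thread; it is not a real capture.
SAMPLE_LOG = """\
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:25:30: Ldap bind error in Connect
81: Can't Contact LDAP Server
02/04/14 10:26:00: Abandoning password change for scottb, backoff expired
"""

TS_LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
CODE_LINE = re.compile(r"^(\d+): (.*)$")
ABANDON_LINE = re.compile(r"^Abandoning password change for (\S+), backoff expired$")

# Result code 81 ("Can't Contact LDAP Server"): the six causes from the
# reply above.  Code 32 is an editor's note: LDAP noSuchObject means the
# DN named in the bind or search does not exist on the IPA server.
CHECKS: Dict[int, List[str]] = {
    81: [
        "IPA LDAP server is down",
        "network problem between the Windows box and the IPA server",
        "incorrect host/port specified in the PassSync config",
        "host in the PassSync config is not an FQDN, or does not resolve "
        "both forward and reverse from the Windows box",
        "host in the PassSync config does not match the IPA LDAP server "
        "certificate subject DN",
        "incorrect CA cert installed in the PassSync cert db",
    ],
    32: ["DN used in the bind or user search does not exist on the IPA server"],
}


@dataclass
class PassSyncEvent:
    timestamp: str
    message: str
    code: Optional[int] = None      # LDAP result code from the following line
    code_text: Optional[str] = None


def parse_passsync_log(text: str) -> List[PassSyncEvent]:
    """A timestamped line starts an event; a following 'NN: text' line
    attaches the LDAP result code to that event."""
    events: List[PassSyncEvent] = []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            events.append(PassSyncEvent(m.group(1), m.group(2)))
            continue
        m = CODE_LINE.match(line)
        if m and events:
            events[-1].code = int(m.group(1))
            events[-1].code_text = m.group(2)
    return events


def code_counts(events: List[PassSyncEvent]) -> Dict[int, int]:
    return dict(Counter(e.code for e in events if e.code is not None))


def abandoned_users(events: List[PassSyncEvent]) -> List[str]:
    """Users whose AD password change PassSync gave up on: their AD and
    IdM passwords now differ until they change the password again."""
    users = {m.group(1) for e in events if (m := ABANDON_LINE.match(e.message))}
    return sorted(users)


def diagnose(events: List[PassSyncEvent]) -> Dict[int, List[str]]:
    """Checks to run for each LDAP result code seen in the log."""
    return {
        code: CHECKS.get(code, [f"LDAP result code {code}: see the 389 access/error logs"])
        for code in code_counts(events)
    }


def is_fqdn(host: str) -> bool:
    """Check 4, offline part: the configured host must be a dotted name."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", l) for l in labels)


def dns_round_trip(host: str) -> Tuple[bool, str]:
    """Check 4, live part (needs a network and the same resolver as the
    Windows box): forward-resolve host, reverse-resolve the address, and
    require the original name to come back."""
    try:
        addr = socket.gethostbyname(host)
        name, _aliases, _addrs = socket.gethostbyaddr(addr)
    except OSError as exc:  # gaierror / herror are OSError subclasses
        return False, f"resolution failed: {exc}"
    ok = name.lower().rstrip(".") == host.lower().rstrip(".")
    return ok, f"{host} -> {addr} -> {name}"


if __name__ == "__main__":
    evs = parse_passsync_log(SAMPLE_LOG)
    print("result codes:", code_counts(evs))
    print("abandoned users:", abandoned_users(evs))
    for code, checks in diagnose(evs).items():
        print(f"code {code}:")
        for c in checks:
            print("  -", c)
```

Run it against the real passsync.log on the Windows box; a non-empty abandoned-users list is the practical detection signal that password changes are being lost, and the per-code checks are the order in which to work through the configuration.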
