[Freeipa-users] Creating password sync

Steven Jones Steven.Jones at vuw.ac.nz
Tue Feb 4 22:18:03 UTC 2014


notes just sent



regards

Steven


________________________________
From: Todd Maugh <tmaugh at boingo.com>
Sent: Wednesday, 5 February 2014 11:15 a.m.
To: Steven Jones; Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: RE: Creating password sync

I would be so grateful for your notes as it looks like I'm most likely having a cert issue as well


I'm so damn close to having this thing working, (doesn't help to have your boss come by every 10 minutes)

I understand the changes concept now, if I can just get it to work
________________________________
From: Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, February 04, 2014 2:11 PM
To: Todd Maugh; Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: RE: Creating password sync

I am just doing this now and works fine for me.


The password has to be changed as there is no way to decrypt the password in AD and send that.  So the .msi you install on each AD server intercepts the password change while it's in "plain text" and sends it over to IPA, hence only changes.


I did have issues with certs, they were a pain in the ass to get right/trusted, looks like you might have a similar issue.


I had to work through Redhat support to get it right.


On a brighter note I did it on RHEL6.4 and upgraded the IPA servers to RHEL6.5 and winsync and passync still work fine.


I'll send you my notes.


You could use trusts but frankly trusting AD with all its swiss cheese security seems a bit too risky.


regards

Steven


________________________________
From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Todd Maugh <tmaugh at boingo.com>
Sent: Wednesday, 5 February 2014 9:57 a.m.
To: Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tested an SSL connection from my ldap server to AD

this is the output


  openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names

/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 333C0000854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
    Session-ID-ctx:
    Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391547347
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---



________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh [tmaugh at boingo.com]
Sent: Tuesday, February 04, 2014 12:53 PM
To: Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tried changing the password for a user in AD

this is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername
81: Can't contact LDAP server


And you say this is one of many issues with passsync. Do you recommend another option?


________________________________
From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: RE: Creating password sync

but what about the "can't contact LDAP server" in the passsync log

and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

thanks


________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.

Then passsync will not have sent anything.


and the users I have in IDM  from AD, their passwords are not working

Right.  This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.



________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty

Have you changed any passwords in AD?

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh [tmaugh at boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object
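A small parser for the passsync.log excerpts quoted in this thread (the "32: No such object" run above and the "81: Can't contact LDAP server" run quoted earlier on the page), added here as an example and not part of the original thread or of PassSync itself: it pairs each event line with the LDAP result code printed on the line after it, counts codes and abandoned users, and attaches a general reading of the two codes. The sample log lines are constructed; the hints are the standard LDAP result-code meanings, not PassSync documentation.

```python
import re
from collections import Counter

# Constructed sample in the passsync.log layout quoted in the thread: an event line
# "<mm/dd/yy hh:mm:ss>: <message>", optionally followed by "<ldap code>: <text>".
SAMPLE_LOG = """\
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service running
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
"""

EVENT_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
CODE_RE = re.compile(r"^(\d+): (.*)$")
ABANDON_RE = re.compile(r"Abandoning password change for (\S+),")

# Standard LDAP result codes seen in the thread; the hints are general
# interpretations added here, not text from PassSync or from the page.
HINTS = {
    32: "noSuchObject: the bind DN or search base does not exist on the IPA/389 side",
    81: "serverDown: no LDAPS connection could be made (host/port 636, firewall, TLS trust)",
}

def parse_passsync_log(text):
    """Return (timestamp, message, ldap_code) tuples; ldap_code is None when absent."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append([m.group(1), m.group(2), None])
            continue
        c = CODE_RE.match(line)
        if c and events and events[-1][2] is None:  # code belongs to the event just above
            events[-1][2] = int(c.group(1))
    return [tuple(e) for e in events]

def triage(events):
    """Summarise failures: count per LDAP code, users whose change was abandoned, hint per code."""
    codes = Counter(e[2] for e in events if e[2] is not None)
    abandoned = Counter(m.group(1) for _, msg, _ in events for m in [ABANDON_RE.match(msg)] if m)
    hints = {code: HINTS.get(code, "see RFC 4511 result codes") for code in codes}
    return {"codes": dict(codes), "abandoned": dict(abandoned), "hints": hints}
```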



________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and running on the Windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the windows box.
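One way to act on that suggestion, added here as an example and not code from the thread or from 389 Directory Server: scan the 389 access log for connections opened by the Windows DC's address, note whether each was an LDAPS ("SSL connection from") or plain connection, and pair each BIND with its RESULT err code, so a PassSync bind that fails with err=32 or never arrives over SSL shows up directly. The log excerpt is constructed in the server's own line layout; the IPs and the passsync bind DN are placeholders.

```python
import re

# Constructed 389 Directory Server access-log excerpt in the server's own layout;
# the IPs and the bind DN are placeholders, not values taken from the thread.
SAMPLE_ACCESS_LOG = """\
[04/Feb/2014:12:49:34 -0800] conn=15 fd=65 slot=65 SSL connection from 192.0.2.10 to 192.0.2.20
[04/Feb/2014:12:49:34 -0800] conn=15 SSL 128-bit AES
[04/Feb/2014:12:49:34 -0800] conn=15 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[04/Feb/2014:12:49:34 -0800] conn=15 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[04/Feb/2014:12:49:34 -0800] conn=15 op=1 UNBIND
[04/Feb/2014:12:49:34 -0800] conn=15 op=1 fd=65 closed - U1
[04/Feb/2014:12:50:01 -0800] conn=16 fd=66 slot=66 connection from 192.0.2.55 to 192.0.2.20
[04/Feb/2014:12:50:01 -0800] conn=16 op=0 BIND dn="" method=128 version=3
[04/Feb/2014:12:50:01 -0800] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL connection|connection) from (\S+) to")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def connections_from(text, client_ip):
    """Map conn id -> {ssl, bind_dn, err} for every connection opened by client_ip."""
    conns, pending = {}, {}  # pending: (conn, op) of a BIND still waiting for its RESULT
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            if m.group(3) == client_ip:
                conns[m.group(1)] = {"ssl": m.group(2) == "SSL connection", "bind_dn": None, "err": None}
            continue
        b = BIND_RE.search(line)
        if b and b.group(1) in conns:
            pending[(b.group(1), b.group(2))] = b.group(3)
            continue
        r = RESULT_RE.search(line)
        if r and (r.group(1), r.group(2)) in pending:
            rec = conns[r.group(1)]
            rec["bind_dn"] = pending.pop((r.group(1), r.group(2)))
            rec["err"] = int(r.group(3))
    return conns

def passsync_bind_ok(conns):
    """True once the client has bound successfully (err=0) over an SSL connection."""
    return any(c["ssl"] and c["err"] == 0 for c in conns.values())
```

If the Windows host's address never appears at all, the problem is upstream of the directory (name resolution, port 636 reachability or the TLS trust shown by the openssl output above), not the bind DN or password.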

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh [tmaugh at boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot


Thank You

-Todd Maugh
tmaugh at boingo.com


