[Freeipa-users] Synchronization Agreements between FreeIPA and AD

Rich Megginson rmeggins at redhat.com
Thu Oct 23 17:04:21 UTC 2014


On 10/23/2014 10:26 AM, Dmitri Pal wrote:
> On 10/23/2014 08:19 AM, Сапегин Валерий wrote:
>> Hello!
>>
>> I tried to configure synchronization between FreeIPA and Windows AD 
>> 2012. The first time, accounts from AD synchronized properly, 
>> but the next scheduled run after 5 min does not work, and in the error 
>> log I see the following errors:
>>
>> # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
>> [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>> [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>> [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>>
>> First synchronization output:
>>
>> Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
>> ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> Update in progress, 13 seconds elapsed
>> [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
>
> Can you connect from this replica to AD using ldapsearch?

Specifically:
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -ZZ \
    -h fqdn.of.windows.machine \
    -D "cn=administrator,cn=users,dc=csbigroup,dc=ru" \
    -w "windows admin password" \
    -s base -b "cn=users,dc=csbigroup,dc=ru"

>
>>
>> Failed to start replication
>>
>>
>>
>> FreeIPA server version 3.3.3
>> OS version Centos 7
>> AD Domain 2012
>>
>> Can you help me to resolve this problem?
>>
>> Best regards, Valeriy
>>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
