[Freeipa-users] ad relation with winsync

Dmitri Pal dpal at redhat.com
Thu Feb 12 07:14:54 UTC 2015


On 02/12/2015 12:37 AM, Nicolas Zin wrote:
> That was that:
>
> in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
> slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>
>
> And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began to be interesting:
> ldap_start_tls: Connect error (-11)
>       additional info: TLS: hostname does not match CN in peer certificate
>
> So I corrected my problem: put the correct hostname in ipa-replica-manage (and not the IP). And it connects!
>
>
> Next step: having the replication working. The customer doesn't want to give my sync user the "Replicating directory changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just wants a "one-way replication".
> For the one way replication, I followed the documentation
>
> But I don't see any imported users. Do you have an idea? Are some of the Windows attributes necessary even for a one-way (Windows to Linux) synchronisation?
>
>
> Regards,
>
>
>
> Nicolas
>
> ----- Original Mail -----
> From: "Rich Megginson" <rmeggins at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Wednesday 11 February 2015 18:57:43
> Subject: Re: [Freeipa-users] ad relation with winsync
>
> On 02/11/2015 04:18 AM, Nicolas Zin wrote:
>> I reply to myself.
>> This was certainly a Windows configuration issue. I went further:
>> ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
>> Directory Manager password: ********
>>
>> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
>> ipa: INFO: AD Suffix is: DC=company,DC=com
>> The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
>> ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>>
>> [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]
>>
>>
>>
>> So apparently I manage to connect to AD but something went wrong after?
>> How can I debug it?
> You can test it like this:
>
> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"
>
>>
>>
>> Regards,
>>
>>
>>
>> Nicolas Zin
>>
>>
>>
>> ----- Original Mail -----
>> From: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
>> To: freeipa-users at redhat.com
>> Sent: Wednesday 11 February 2015 12:06:47
>> Subject: [Freeipa-users] ad relation with winsync
>>
>> Hi,
>>
>> I now try to establish a winsync relation with a Windows 2008R2.
>> I installed IDM 3.3 on RHEL7.
>>
>> When I try to create the replication:
>> ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
>> Directory Manager password: ********
>>
>> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
>> ipa: INFO: Failed to connect to AD server dc.company.com
>> ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
>> Failed to setup winsync replication
>>
>>
>> Do you have an idea, what's wrong?
>> Also is it possible to point to port 636 instead?
>>
>>
>> Notes:
>> - On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works
>> - I checked that the 2 boxes have the same time (NTP)
>> - I nearly managed to make it work once, but I got another error during replication


AD is treated as the ultimate source, so adds should go only from AD 
to IPA, but you need the modify to work both ways, otherwise your account 
state will get out of sync.
Whatever is required by the docs is the minimal privilege you need to have 
to sync users.

However, did you consider trust?
It is a two-way trust but it acts as a one-way trust.


>>
>>
>>
>> Nicolas Zin
>> nicolas.zin at savoirfairelinux.com
>> Direct line: 514-276-5468 ext. 135
>>
>> Fax : 514-276-5465
>> 7275 Saint Urbain
>> Bureau 200
>> Montréal, QC, H2R 2Y5
>>
>>
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
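The root cause Nicolas found above ("TLS: hostname does not match CN in peer certificate" after pointing ipa-replica-manage at an IP instead of the DC's hostname) is the standard reference-identity check every TLS client performs after StartTLS: the name you connected to must appear in the certificate's subjectAltName (or, for older clients, its CN). The following is an added example, not code from the thread, FreeIPA or 389-ds, that reproduces that check offline over a constructed certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents, the hostname `dc.company.com` and the IP `192.0.2.10` are all hypothetical sample values.

```python
import ipaddress

# Constructed sample: what getpeercert() would return for a hypothetical AD
# domain controller certificate. Note it carries DNS names only, no IP SAN.
DC_CERT = {
    "subject": ((("commonName", "dc.company.com"),),),
    "subjectAltName": (("DNS", "dc.company.com"), ("DNS", "company.com")),
}


def _is_ip(name):
    """True when the connect string is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID match: exact match, or a single '*' replacing
    the whole left-most label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    if len(labels) < 3:          # refuse '*.com' style matches
        return False
    return ".".join(labels[1:]) == pattern[2:]


def reference_identities(cert):
    """Extract (dns_names, ip_sans, common_name) the certificate is valid for."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns, ips, cn


def hostname_matches(cert, connect_name):
    """Mimic the client-side identity check run after StartTLS succeeds."""
    dns, ips, cn = reference_identities(cert)
    if _is_ip(connect_name):
        # An IP literal only matches an IP SAN; the CN is never consulted.
        wanted = ipaddress.ip_address(connect_name)
        return any(ipaddress.ip_address(i) == wanted for i in ips)
    if dns:
        return any(_dns_match(p, connect_name) for p in dns)
    # Legacy fallback used by older LDAP clients: no DNS SAN, compare CN.
    return cn is not None and _dns_match(cn, connect_name)


def diagnose(cert, connect_name):
    """Explain a mismatch in the terms the thread's error message uses."""
    dns, ips, cn = reference_identities(cert)
    if hostname_matches(cert, connect_name):
        return "ok"
    if _is_ip(connect_name):
        return ("connected by IP %s but the certificate has no matching IP SAN "
                "(IP SANs: %s); connect by the DNS name instead"
                % (connect_name, ips or "none"))
    return "%s is not in SAN %s or CN %r" % (connect_name, dns or "none", cn)


if __name__ == "__main__":
    print(diagnose(DC_CERT, "192.0.2.10"))      # the IP case from the thread
    print(diagnose(DC_CERT, "dc.company.com"))  # the fix: use the DC's FQDN
```

Running it shows why the IP form fails even though the CA is trusted and the certificate is otherwise valid: nothing in the certificate names the address. The practical defender-side check is `reference_identities()` against the live DC certificate before wiring up the agreement, so that the name in `ipa-replica-manage` is one the certificate actually asserts.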



