[Freeipa-users] Passsync fails to connect to LDAP
Rich Megginson
rmeggins at redhat.com
Tue Feb 17 20:16:28 UTC 2015
On 02/17/2015 12:55 PM, Hugh wrote:
> All,
> After my education on what IPA/AD trusts can and can't do, I decided
> to give the IPA-AD sync option a try. After finally finding what I
> think is the proper software to install on the AD DC
> (389-PassSync-1.1.6-x86_64.exe from the Fedora site), I believe I have
> the settings correct, but the Password Synchronization software
> refuses to connect. After changing the Log Level option to 1, I get
> the below in the log file, which doesn't really tell me much of anything.
> 02/17/15 13:18:20: Backoff time expired. Attempting sync
> 02/17/15 13:18:20: Password list has 1 entries
> 02/17/15 13:18:20: Ldap bind error in Connect
> 81: Can't contact LDAP server
> 02/17/15 13:18:20: Attempting to sync password for ADSERVER$
> 02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
> 02/17/15 13:18:20: Ldap error in QueryUsername
> 81: Can't contact LDAP server
> 02/17/15 13:18:20: Deferring password change for ADSERVER$
> 02/17/15 13:18:20: Backing off for 256000ms
> The credentials are definitely correct and IPA is set up to do LDAPS
> as, on the same AD server, I can connect and bind using ldp.exe with
> the same settings/credentials and I'm able to browse the LDAP tree.
> I've done a wireshark capture and it looks like it's failing in the
> TLS negotiation. I can see this entry in the capture:
> TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
> Content Type: Alert (21)
> Version: TLS 1.2 (0x0303)
> Length: 2
> Alert Message
> Level: Fatal (2)
> Description: Protocol Version (70)
What version of 389-ds-base are you using?
# rpm -q 389-ds-base
> I added the IPA CA cert to the cert files in the 389 passsync
> directory and I can confirm that as below.
> C:\Program Files\389 Directory Password Synchronization>certutil -d . -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> IPA CA cert                                                  CT,,
> When I list that specific certificate, I can see the below in the output.
> Certificate Trust Flags:
> SSL Flags:
> Valid CA
> Trusted CA
> Trusted Client CA
> Email Flags:
> Object Signing Flags:
> Any pointers/ideas?
> Thanks in advance,
> Hugh
>
>
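The capture Hugh describes shows a single TLS record: content type 21 (alert), record-layer version 0x0303, length 2, level 2 (fatal), description 70 (protocol_version). The following decoder is an added example for this thread, not code from the thread, from PassSync or from 389-ds. It parses TLS records from each direction of a connection, decodes the alert, pulls the client_version out of a ClientHello, and pairs the two. The ClientHello bytes are constructed by the script; the alert bytes are constructed to carry the same field values Wireshark reported and are not the captured packet.

```python
"""Decode a TLS record-layer alert such as the one seen in the capture.

Added example for this thread, not code from the thread, PassSync or 389-ds.
The ClientHello and alert bytes are constructed here; the alert bytes mirror
the field values Wireshark showed (type 21, version 0x0303, length 2,
level 2, description 70), they are not the captured packet.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2 (subset).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 22: "record_overflow",
                      40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown",
                      47: "illegal_parameter", 48: "unknown_ca",
                      49: "access_denied", 50: "decode_error",
                      51: "decrypt_error", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error",
                      90: "user_canceled", 100: "no_renegotiation",
                      110: "unsupported_extension"}


def parse_records(data: bytes) -> list:
    """Split one direction of a TLS byte stream into record dicts
    (RFC 5246 6.2.1: type(1) version(2) length(2) fragment)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack_from("!BHH", data, off)
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        rec = {"type": ctype, "type_name": CONTENT_TYPES.get(ctype, "unknown"),
               "version": version,
               "version_name": VERSIONS.get(version, "unknown"),
               "length": length}
        if ctype == 21:
            rec.update(parse_alert(body))
        elif ctype == 22 and body and body[0] == 1:  # HandshakeType client_hello
            rec["client_version"] = parse_client_hello_version(body)
        records.append(rec)
        off += 5 + length
    return records


def parse_alert(body: bytes) -> dict:
    """An alert fragment is exactly two bytes: AlertLevel, AlertDescription."""
    if len(body) != 2:
        raise ValueError("alert fragment must be 2 bytes, got %d" % len(body))
    level, desc = body[0], body[1]
    return {"level": level, "level_name": ALERT_LEVELS.get(level, "unknown"),
            "description": desc,
            "description_name": ALERT_DESCRIPTIONS.get(desc, "unknown")}


def parse_client_hello_version(hs: bytes) -> int:
    """Handshake header is msg_type(1) length(3); client_version follows."""
    if len(hs) < 6:
        raise ValueError("ClientHello too short")
    return struct.unpack_from("!H", hs, 4)[0]


def build_client_hello(client_version: int) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, no extensions.
    The record-layer version is 0x0301, as many stacks send for compatibility."""
    body = (struct.pack("!H", client_version) + bytes(32)  # version, random
            + b"\x00"                                       # session_id length
            + struct.pack("!H", 2) + b"\xc0\x2f"            # one cipher suite
            + b"\x01\x00")                                  # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


# Constructed from the field values in the capture: alert(21), record version
# TLS 1.2, length 2, level fatal(2), description protocol_version(70).
SERVER_ALERT = bytes.fromhex("15 03 03 00 02 02 46")


def diagnose(client_to_server: bytes, server_to_client: bytes) -> str:
    """Pair the client's offered version with the server's alert, if any."""
    offered = next((r["client_version"] for r in parse_records(client_to_server)
                    if "client_version" in r), None)
    alert = next((r for r in parse_records(server_to_client) if r["type"] == 21),
                 None)
    if alert is None:
        return "no alert from server"
    msg = "server sent %s alert %s" % (alert["level_name"],
                                       alert["description_name"])
    if offered is not None:
        msg += "; client offered %s" % VERSIONS.get(offered, hex(offered))
    if alert["description"] == 70:
        msg += " (peer refused the offered protocol version)"
    return msg


if __name__ == "__main__":
    print(diagnose(build_client_hello(0x0301), SERVER_ALERT))
```

Two caveats when reading a capture like this one. A protocol_version alert says only that the side which sent it refused the version the other side offered or selected; the version stamped on the alert record itself (0x0303 here) is not a statement of what that side accepts, so the decoder reports both without inferring a root cause, and the thread does not identify one. To find out what the LDAPS endpoint actually accepts, probe it per version from a host that can reach it, for example `openssl s_client -connect ipa.example.com:636 -tls1`, then `-tls1_1`, then `-tls1_2` (hostname assumed), and compare with which version the PassSync side offers in its ClientHello.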