[Freeipa-users] ad relation with winsync

Rich Megginson rmeggins at redhat.com
Wed Feb 18 14:46:40 UTC 2015


On 02/18/2015 01:13 AM, Nicolas Zin wrote:
> Hi everyone,
>
> I'm back with my winsync replication.
> The replication process works fine, but when I specify "OU=Linux,DC=mycompany,DC=com", where 2 users have been created, nothing is replicated.
> BTW, this is a big AD (90k objects). Is it a problem? (idrange, for example)

Not sure.  You can enable the replication logging level in 389 to see 
what the problem is.
http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

>
> If I replicate "cn=Users,DC=company,DC=com" I have users replicated. but I'm not sure that all are replicated.
>
> ----- Original Message -----
> From: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
> To: "Rich Megginson" <rmeggins at redhat.com>
> Cc: freeipa-users at redhat.com
> Sent: Thursday, 12 February 2015 09:37:26
> Subject: Re: [Freeipa-users] ad relation with winsync
>
> Next step: getting the replication working. The customer doesn't want to give my sync user the "Replicating directory changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just wants a "one-way replication".
> For the one way replication, I followed the documentation
>
> But I don't see any imported users. Do you have an idea? Are some of the Windows attributes necessary even for a one-way (Windows to Linux) synchronisation?
>
>
> Regards,
>
>
>
> Nicolas
>
> ----- Original Message -----
> From: "Rich Megginson" <rmeggins at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Wednesday, 11 February 2015 18:57:43
> Subject: Re: [Freeipa-users] ad relation with winsync
>
> On 02/11/2015 04:18 AM, Nicolas Zin wrote:
>> I reply to myself.
>> This was certainly a Windows configuration issue. I went further:
>> ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com -v
>> Directory Manager password: ********
>>
>> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
>> ipa: INFO: AD Suffix is: DC=company,DC=com
>> The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
>> ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>>
>> [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]
>>
>>
>>
>> So apparently I managed to connect to AD, but something went wrong after?
>> How can I debug it?
> You can test it like this:
>
> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"
>
>>
>>
>> Regards,
>>
>>
>>
>> Nicolas Zin
>>
>>
>>
>> ----- Original Message -----
>> From: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
>> To: freeipa-users at redhat.com
>> Sent: Wednesday, 11 February 2015 12:06:47
>> Subject: [Freeipa-users] ad relation with winsync
>>
>> Hi,
>>
>> I am now trying to establish a winsync relation with a Windows 2008R2.
>> I installed IDM 3.3 on RHEL7.
>>
>> When I try to create the replication:
>> ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com
>> Directory Manager password: ********
>>
>> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
>> ipa: INFO: Failed to connect to AD server dc.company.com
>> ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
>> Failed to setup winsync replication
>>
>>
>> Do you have an idea, what's wrong?
>> Also is it possible to point to port 636 instead?
>>
>>
>> Notes:
>> - On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
>> - I checked that the 2 boxes have the same time (NTP).
>> - I nearly managed to make it work once, but I got another error during replication.
>>
>>
>>
>> Nicolas Zin
>> nicolas.zin at savoirfairelinux.com
>> Direct line: 514-276-5468 ext. 135
>>
>> Fax: 514-276-5465
>> 7275 Saint Urbain
>> Suite 200
>> Montréal, QC, H2R 2Y5
>>
>>
>>
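The thread walks through three separate things that can go wrong with a winsync agreement: the TLS handshake to the AD DC (the -8157 error and the "Connect error"), whether the sync account can actually see the subtree handed to the agreement (cn=Users works, OU=Linux returns nothing), and how to get 389-ds to say what the replication plugin is doing. The script below ties those checks together as one added example; it is not from the thread or from the FreeIPA project. The host name, base DN, bind DN, CA file path and local 389 URL are placeholders taken from the thread's anonymised values and must be replaced. It assumes openssl and openldap-clients (ldapsearch, ldapmodify) on the IPA server and is only run end to end when RUN_WINSYNC_CHECKS=1 is set, so that sourcing it does nothing on its own.

```shell
#!/bin/sh
# Added winsync connectivity checks. Not from the thread or the FreeIPA project.
# All values below are assumptions to be replaced for a real environment.

AD_HOST="${AD_HOST:-dc.company.com}"                              # AD DC FQDN (assumed)
AD_BASE="${AD_BASE:-DC=company,DC=com}"                            # AD suffix (assumed)
AD_BINDDN="${AD_BINDDN:-cn=Administrator,cn=Users,dc=company,dc=com}"  # sync account (assumed)
AD_BINDPW="${AD_BINDPW:-}"                                         # export it, do not hard-code it
AD_CACERT="${AD_CACERT:-/etc/openldap/cacerts/adRootCA.crt}"       # PEM of the AD root CA (assumed path)
IPA_LDAP="${IPA_LDAP:-ldap://localhost}"                           # local 389-ds instance (assumed)

# 1. Raw TLS on 636: does the DC present a certificate and does it chain to AD_CACERT?
#    "Verify return code: 0 (ok)" is what we want; the subject/SAN must cover AD_HOST,
#    because winsync connects by the FQDN given on the ipa-replica-manage command line.
check_ldaps_cert() {
  out=$(printf 'Q\n' | openssl s_client -connect "$AD_HOST:636" -servername "$AD_HOST" \
          -CAfile "$AD_CACERT" 2>&1)
  printf '%s\n' "$out" | grep 'Verify return code'
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
}

# 2. STARTTLS on 389 plus a simple bind, which is what the agreement does by default.
#    -ZZ makes ldapsearch fail hard if STARTTLS is refused or the certificate does not
#    verify, so a result here proves both the TLS setup and the credentials.
check_starttls_bind() {
  LDAPTLS_CACERT="$AD_CACERT" ldapsearch -x -LLL -ZZ -H "ldap://$AD_HOST" \
    -D "$AD_BINDDN" -w "$AD_BINDPW" -s base -b "" defaultNamingContext
}

# 3. Can the sync account see user objects under a given subtree? If plain LDAP returns
#    nothing for the DN you pass to --win-subtree, winsync will see nothing either.
#    Paged results (pr=1000) matter on a 90k-object directory: AD caps unpaged searches.
count_users_in_subtree() {
  LDAPTLS_CACERT="$AD_CACERT" ldapsearch -x -LLL -ZZ -H "ldap://$AD_HOST" \
    -D "$AD_BINDDN" -w "$AD_BINDPW" -b "$1" -s sub -E pr=1000/noprompt \
    '(&(objectClass=user)(objectCategory=person))' dn 2>/dev/null | grep -c '^dn: '
}

# 4. 389-ds replication debugging: nsslapd-errorlog-level 8192 turns the replication
#    log level on (0 turns it back off). Output lands in the instance's errors log.
errorlog_level_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: $1
EOF
}

set_errorlog_level() {
  errorlog_level_ldif "$1" | ldapmodify -x -H "$IPA_LDAP" -D "cn=Directory Manager" -W
}

main() {
  echo "== TLS certificate on $AD_HOST:636";      check_ldaps_cert
  echo "== STARTTLS + bind on $AD_HOST:389";       check_starttls_bind
  for subtree in "cn=Users,$AD_BASE" "OU=Linux,$AD_BASE"; do
    echo "== user objects visible under $subtree: $(count_users_in_subtree "$subtree")"
  done
  echo "== enabling replication logging on $IPA_LDAP (set back to 0 when done)"
  set_errorlog_level 8192
}

if [ "${RUN_WINSYNC_CHECKS:-0}" = 1 ]; then
  main
fi
```

Run it as `AD_BINDPW=... RUN_WINSYNC_CHECKS=1 sh winsync-checks.sh` on the IPA server, then re-run `ipa-replica-manage connect --winsync ...` and read the replication entries in `/var/log/dirsrv/slapd-*/errors`; finish with `set_errorlog_level 0`, since level 8192 is noisy. LDAPTLS_CACERT with a PEM file is used here because it works with both NSS- and OpenSSL-linked ldapsearch; pointing LDAPTLS_CACERTDIR at the IPA NSS database, as in the reply above, is the equivalent on RHEL 7 where openldap is built against NSS.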



