[Freeipa-users] ping: Fwd: Passsync fails to connect to LDAP

Noriko Hosoi nhosoi at redhat.com
Wed Feb 18 19:19:02 UTC 2015


Hello Hugh,

Could you tell us the version of 389-ds-base the PassSync is trying to 
access?  If the directory server is not new enough 
(389-ds-base-1.3.2.26 
<http://www.port389.org/docs/389ds/releases/release-1-3-2-26.html> or 
389-ds-base-1.3.3.8 
<http://www.port389.org/docs/389ds/releases/release-1-3-3-8.html>), 
could you please try setting the following environment variable on the 
Windows machine on which PassSync is running?

    http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html

    PassSync 1.1.6 supports TLS version 1.1 and newer SSL versions
    supported by NSS. SSLv3 is disabled by default. To forcibly enable
    SSLv3.0, the environment variable LDAPSSL_ALLOW_OLD_SSL_VERSION has
    to be set to some non-NULL value.

    In Computer | Properties | Advanced system settings | Environment
    Variables | System variables, add variable:
    LDAPSSL_ALLOW_OLD_SSL_VERSION, value: 1

Thanks,
--noriko
> -------- Forwarded Message --------
> Subject: 	[Freeipa-users] Passsync fails to connect to LDAP
> Date: 	Tue, 17 Feb 2015 13:55:52 -0600
> From: 	Hugh <api at psychopig.com>
> To: 	freeipa-users at redhat.com
>
>
>
> All,
> After my education on what IPA/AD trusts can and can't do, I decided 
> to give the IPA-AD sync option a try. After finally finding what I 
> think is the proper software to install on the AD DC 
> (389-PassSync-1.1.6-x86_64.exe from the Fedora site), I believe I have 
> the settings correct, but the Password Synchronization software 
> refuses to connect. After changing the Log Level option to 1, I get 
> the below in the log file, which doesn't really tell me much of anything.
> 02/17/15 13:18:20: Backoff time expired.  Attempting sync
> 02/17/15 13:18:20: Password list has 1 entries
> 02/17/15 13:18:20: Ldap bind error in Connect
>  81: Can't contact LDAP server
> 02/17/15 13:18:20: Attempting to sync password for ADSERVER$
> 02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
> 02/17/15 13:18:20: Ldap error in QueryUsername
>  81: Can't contact LDAP server
> 02/17/15 13:18:20: Deferring password change for ADSERVER$
> 02/17/15 13:18:20: Backing off for 256000ms
> The credentials are definitely correct and IPA is set up to do LDAPS 
> as, on the same AD server, I can connect and bind using ldp.exe with 
> the same settings/credentials and I'm able to browse the LDAP tree. 
> I've done a wireshark capture and it looks like it's failing in the 
> TLS negotiation. I can see this entry in the capture:
> TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
> Content Type: Alert (21)
> Version: TLS 1.2 (0x0303)
> Length: 2
> Alert Message
> Level: Fatal (2)
> Description: Protocol Version (70)
> I added the IPA CA cert to the cert files in the 389 passsynch 
> directory and I can confirm that as below.
> C:\Program Files\389 Directory Password Synchronization>certutil -d . -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> IPA CA cert                                                  CT,,
> When I list that specific certificate, I can see the below in the output.
>     Certificate Trust Flags:
>         SSL Flags:
>             Valid CA
>             Trusted CA
>             Trusted Client CA
>         Email Flags:
>         Object Signing Flags:
> Any pointers/ideas?
> Thanks in advance,
> Hugh
>
>

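As an added diagnostic example (not part of this thread or of PassSync), the Python below decodes the fatal alert record from Hugh's capture and probes which TLS versions an LDAPS endpoint will complete a handshake with, which is the quickest way to confirm a client/server protocol-version mismatch before touching LDAPSSL_ALLOW_OLD_SSL_VERSION. The alert bytes are constructed from the values in the capture; the host and port passed to the probe are assumptions for your own server.

```python
import socket
import ssl
import struct

# Constructed from the alert in the Wireshark capture quoted above: content
# type 21 (Alert), version 0x0303 (TLS 1.2), length 2, level 2 (Fatal),
# description 70 (Protocol Version).
CAPTURED_ALERT = bytes.fromhex("15030300020246")
RECORD_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                   (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}

def parse_tls_alert(record: bytes) -> dict:
    """Decode a raw TLS alert record: 5-byte record header + 2-byte body."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError(f"not a TLS alert record (type {ctype}, len {length})")
    level, desc = record[5], record[6]
    return {"record_version": RECORD_VERSIONS.get((major, minor), f"{major}.{minor}"),
            "level": "fatal" if level == 2 else "warning",
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
            "code": desc}

def probe_protocol_versions(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """One handshake per TLS version; report which ones the server completes.

    Verification is off because this checks protocol support, not trust.
    A reason like NO_PROTOCOLS_AVAILABLE means the local OpenSSL security
    level refused the old version before the server was even asked."""
    wanted = [("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
              ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
    results = {}
    for name, ver in wanted:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock, \
                    ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[name] = f"accepted ({tls.version()})"
        except ssl.SSLError as e:      # server (or local policy) refused it
            results[name] = f"rejected ({e.reason})"
        except OSError as e:           # TCP-level problem, not a TLS answer
            results[name] = f"error ({e})"
    return results
```

Call `probe_protocol_versions("your-ipa-host")` from the machine running PassSync against the 389-ds LDAPS port; if only versions older than what the client offers come back as accepted, the server side is what needs updating.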