[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR
nathan at nathanpeters.com
Fri May 15 20:44:07 UTC 2015
> On 05/14/2015 11:33 PM, nathan at nathanpeters.com wrote:
>>>> [root at ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>>>> supersecretpassword --passsync supersecretpassword --cacert
>>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>> Directory Manager password:
>>>>
>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
>>>> certificate
>>>> database for ipadc1.ipadomain.net
>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>> Windows PassSync system account exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>> .
>>>> .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP
>>>> error: Connect error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>>
>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP
>>>> error:
>>>> Connect error]
>>> Have you tried using ldapsearch to verify the connection?
>>>
>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
>>> -h
>>> addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>>> and/or
>>>
>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL
>>> -ZZ -h addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>> Both commands give the same successful result. I don't think it's a
>> problem with the credentials because I was able to generate different
>> error messages during the attempted sync setup if I intentionally gave a
>> bad password or username.
>
> Ok. Have you tried enabling the replication log level?
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
After doing that and poking around in
/var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this:
[15/May/2015:20:27:17 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync -
agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with
SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's
Certificate issuer is not recognized.)
So it's complaining that it doesn't recognize the certificate that was
signed by my AD certificate authority, as suggested here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req
I copied the certificate to my server though and created the hashes just
like the manual said.
The only issue I had was that the directions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
tell you to go to My Network Places, but that didn't exist on my server. I
did it through start menu -> administrative tools -> certification
authority. The rest of double clicking on the cert and going to the
details tab and copy to file was the same though.
So how do I get FreeIPA to not choke up on the self-signed cert?
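An added example, not code from this thread or from FreeIPA: a small Python triage for the errors-log line above plus an offline check of `certutil -L` output, since a working ldapsearch only shows OpenLDAP's trust store accepts the issuer while winsync uses the 389-ds NSS database. The certutil listing and the AD CA nickname in it are constructed; the instance path is assumed.

```python
import re

# Added example, not code from the thread. Two offline checks for the failure
# above: classify the 389-ds errors-log line, and confirm the AD CA is trusted
# in the 389-ds NSS db. A working ldapsearch only shows OpenLDAP's trust store
# (LDAPTLS_CACERT) accepts the issuer; winsync uses /etc/dirsrv/slapd-<INSTANCE>.
# NSS codes printed after "TLS error" (SEC_ERROR_BASE -8192, SSL_ERROR_BASE -12288).
NSS_ERRORS = {
    -8179: "SEC_ERROR_UNKNOWN_ISSUER: issuer CA is not in the 389-ds NSS db",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER: issuer present but lacks the C trust flag",
    -12276: "SSL_ERROR_BAD_CERT_DOMAIN: hostname does not match the certificate",
}

# The errors-log line quoted in the thread, joined back onto one line.
SAMPLE_LOG = (
    '[15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTo'
    'addc2.test.mycompany.net" (addc2:389): Replication bind with SIMPLE auth failed: '
    "LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)\n"
)

# Constructed `certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-NET` output; the AD CA
# nickname is made up. ",," = imported but untrusted; leading "C" = trusted CA.
SAMPLE_CERTUTIL = """\
Certificate Nickname                              Trust Attributes
Server-Cert                                       u,u,u
CN=Certificate Authority,O=IPADOMAIN.NET          CT,,
CN=test-ADDC2-CA,DC=test,DC=mycompany,DC=net      ,,
"""

def triage(log_text):
    """Agreement, peer and error codes from the first replication-bind failure line."""
    for line in log_text.splitlines():
        m = re.search(r'agmt="([^"]+)" \(([^:]+):(\d+)\).*LDAP error (-?\d+)', line)
        tls = re.search(r"TLS error (-?\d+)", line)
        if m:
            info = {"agreement": m.group(1), "host": m.group(2),
                    "port": int(m.group(3)), "ldap_error": int(m.group(4))}
            if tls:
                info["tls_error"] = int(tls.group(1))
                info["meaning"] = NSS_ERRORS.get(info["tls_error"], "unknown NSS error")
            return info
    return None

def ca_trusted(certutil_listing, nickname_part):
    """True if the cert whose nickname contains nickname_part has the C (trusted CA) SSL flag."""
    for line in certutil_listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or "," not in parts[1]:
            continue  # header, blank, or malformed line
        if nickname_part.lower() in parts[0].lower():
            return "C" in parts[1].split(",")[0]
    return False
```

Run it against your real errors log and the real `certutil -L -d /etc/dirsrv/slapd-<INSTANCE>` listing; if the AD CA line shows `,,` rather than `CT,,` or `C,,`, 389-ds has the certificate but does not trust it as an issuer.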