[Freeipa-users] Managing AD Users in IPA

Denis Müller d.mueller2 at rto.de
Mon Jan 16 09:15:58 UTC 2017


Hi FreeIPA Community,

I'm actually new to the software and have some basic questions. We have Linux users in Active Directory.

To be more flexible, we would like to install FreeIPA, import all users from AD and manage all the stuff like ssh, sudo etc. from IPA.

1. Do I need to establish a trust first, as mentioned here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-one-two-way

2. Or can we just create a sync to import all "linux-users" from AD into IPA and manage them just like IPA users:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html

3. ipa-replica-manage connect --winsync --binddn  cn=administrator,cn=users,dc=example,dc=com  --bindpw "***" --passsync "***" --cacert /root/dc1.crt dc1.example.com -v

getting an error:

Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-manage", line 1607, in <module>
    main(options, args)
  File "/usr/sbin/ipa-replica-manage", line 1566, in main
    add_link(realm, replica1, replica2, dirman_passwd, options)
  File "/usr/sbin/ipa-replica-manage", line 1118, in add_link
    if not ds.add_ca_cert(options.cacert):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1018, in add_ca_cert
    certdb.load_cacert(cacert_fname, 'C,,')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 261, in load_cacert
    (rdn, subject_dn) = get_cert_nickname(cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 67, in get_cert_nickname
    return (str(dn[0]), dn)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1170, in __getitem__
    return self._get_rdn(self.rdns[key])
IndexError: list index out of range
Unexpected error: list index out of range

[root@ipa01 ~]# uname -r
3.10.0-327.el7.x86_64
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

We would appreciate any help,

greets,
Denis