<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 11/11/2011 02:23 PM, Jimmy wrote:
    <blockquote
cite="mid:CAG8E47RVGO-OtDFdXjAOtjqrsOtg0jgs4hq_t71maxbzwfAJzQ@mail.gmail.com"
      type="cite">I do have the AD SSL cert installed, but from how I
      read it, I need to install the cert from the FreeIPA DS into
      Windows AD certificate store. <br>
    </blockquote>
    Perhaps for something else, but for Windows sync/PassSync, you do
    not need to install the cert from the FreeIPA DS into Windows AD
    certificate store. <br>
    <blockquote
cite="mid:CAG8E47RVGO-OtDFdXjAOtjqrsOtg0jgs4hq_t71maxbzwfAJzQ@mail.gmail.com"
      type="cite"><br>
      <div class="gmail_quote">On Fri, Nov 11, 2011 at 3:33 PM, Rich
        Megginson <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div bgcolor="#ffffff" text="#000000">
            <div>
              <div class="h5"> On 11/11/2011 01:11 PM, Jimmy wrote:
                <blockquote type="cite">I am trying to get FreeIPA
                  synchronizing with AD. The instructions I have found
                  on the web go through setting up SSL for PassSync, but
                  they all reference installing the CA cert from the
                  Directory Server without specifying how to go about
                  getting the DS CA cert. I found a couple links on how
                  to export the CA cert but they didn't work as
                  described.
                  <div> <br>
                  </div>
                  <div>(step 'f' in this link)</div>
                  <div><a moz-do-not-send="true"
href="https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_Active_Directory.html#"
                      target="_blank">https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_Active_Directory.html#</a></div>
                </blockquote>
              </div>
            </div>
            Step f isn't necessary.  And it is usually not necessary to
            manually set up AD for SSL.  If you install the Microsoft
            Cert System in Enterprise Root CA mode, it will usually
            create and install the AD SSL cert automatically.<br>
            <br>
            This link <a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Windows_Sync-Install_the_Password_Sync_Service"
              target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Windows_Sync-Install_the_Password_Sync_Service</a>
            explains a bit more about how to set up PassSync to use SSL
            to talk to IPA (i.e. how and where to install the IPA CA
            cert for use by PassSync).  Note that AD itself doesn't talk
            to IPA - it's only the PassSync "AD plugin" that talks to
            IPA, and only for the purpose of sending the clear text
            password changes from AD to IPA.<br>
            <blockquote type="cite">
              <pre>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>