<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/19/2012 02:59 PM, Jimmy wrote:
<blockquote
cite="mid:CAG8E47Q7WjSh1U-H7M+xaMsskAjA2p0MJ5amNG7zqHkCgJxrZw@mail.gmail.com"
type="cite">ok. I started from scratch this week on this and I
think I've got the right doc and understand better where this is
going. My problem now is that when configuring SSL on the AD
server (step c in this url:
<a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
<div>
I get this error: </div>
<div><br>
</div>
<div>
<div>certreq -submit request.req certnew.cer</div>
<div>Active Directory Enrollment Policy</div>
<div> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
<div> ldap:</div>
<div>RequestId: 3</div>
<div>RequestId: "3"</div>
<div>Certificate not issued (Denied) Denied by Policy Module
0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request
attribute.</div>
<div> The request contains no certificate template information.
0x80094801 (-2146875391)</div>
<div>Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391)</div>
<div>
Denied by Policy Module 0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.</div>
<div><br>
</div>
<div>The RH doc says to use the browser if an error occurs and
IIS is running but I'm not running IIS. I researched that
error but didn't find anything that helps with FreeIPA and
passsync.</div>
</div>
</blockquote>
Hmm - try installing Microsoft Certificate Authority in Enterprise
Root CA mode - it will usually automatically create and install the
AD server cert.
<a class="moz-txt-link-freetext" href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a><br>
<blockquote
cite="mid:CAG8E47Q7WjSh1U-H7M+xaMsskAjA2p0MJ5amNG7zqHkCgJxrZw@mail.gmail.com"
type="cite">
<div>
<div><br>
</div>
<div>Jimmy</div>
<div><br>
<div class="gmail_quote">On Wed, Jan 11, 2012 at 3:32 PM, Rich
Megginson <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/11/2012 11:22 AM, Jimmy wrote:
<blockquote type="cite">We need to be able to
replicate user/pass between Windows 2008 AD and
FreeIPA.</blockquote>
<br>
</div>
That's what IPA Windows Sync is supposed to do.
<div><br>
<br>
<blockquote type="cite">I have followed many different
documents and posted here about it and from what
I've read and procedures I've followed we are unable
to accomplish this.</blockquote>
<br>
</div>
What have you tried, and what problems have you run
into?<br>
<br>
<blockquote type="cite">
<div>It doesn't need to be a full trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Tue, Jan 10, 2012 at
3:03 AM, Jan Zelený <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:jzeleny@redhat.com"
target="_blank">jzeleny@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div>
<div>> Just wondering if there was anyone
listening on the list that might be<br>
> available for little work integrating
FreeIPA with Active Directory<br>
> (preferably in the south east US.) I
hope this isn't against the list<br>
> rules, I just thought one of you guys
could help or point me in the right<br>
> direction.<br>
<br>
</div>
</div>
If you want some help, it is certainly not
against list rules ;-) But in that<br>
case, it would be much better if you asked
what exactly you need.<br>
<br>
I'm not an AD expert, but a couple tips: If
you are looking for cross-domain<br>
(cross-realm) trust, then you might be a bit
disappointed, it is still in<br>
development, so it probably won't be 100%
functional at this moment.<br>
<br>
If you are looking for something else, could
you be a little more specific what<br>
it is?<br>
<br>
I also recommend starting with reading some
doc:<br>
<a moz-do-not-send="true"
href="http://freeipa.org/page/DocumentationPortal"
target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font color="#888888">Jan<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<pre>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>