You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer: I can establish an openssl connection from DS to AD but I get these errors:<div>

<br></div><div><div>openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt</div><div>CONNECTED(00000003)</div><div>depth=0 CN = csp-ad.cspad.pdh.csp</div><div>
verify error:num=20:unable to get local issuer certificate</div>
<div>verify return:1</div><div>depth=0 CN = csp-ad.cspad.pdh.csp</div><div>verify error:num=27:certificate not trusted</div><div>verify return:1</div><div>depth=0 CN = csp-ad.cspad.pdh.csp</div><div>verify error:num=21:unable to verify the first certificate</div>

<div>verify return:1</div><div><br></div><div>I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.</div><div>-J</div><br><div class="gmail_quote">

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div bgcolor="#ffffff" text="#000000"><div class="im">
    On 01/19/2012 02:59 PM, Jimmy wrote:
    <blockquote type="cite">ok. I started from scratch this week on this and I
      think I've got the right doc and understand better where this is
      going. My problem now is that when configuring SSL on the AD
      server (step c in this url: 
      <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
      <div>
        I get this error: </div>
      <div><br>
      </div>
      <div>
        <div>certreq -submit request.req certnew.cer</div>
        <div>Active Directory Enrollment Policy</div>
        <div>  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
        <div>  ldap:</div>
        <div>RequestId: 3</div>
        <div>RequestId: "3"</div>
        <div>Certificate not issued (Denied) Denied by Policy Module
           0x80094801, The request does not contain a certificate
          template extension or the CertificateTemplate request
          attribute.</div>
        <div> The request contains no certificate template information.
          0x80094801 (-2146875391)</div>
        <div>Certificate Request Processor: The request contains no
          certificate template information. 0x80094801 (-2146875391)</div>
        <div>
          Denied by Policy Module  0x80094801, The request does not
          contain a certificate template extension or the
          CertificateTemplate request attribute.</div>
        <div><br>
        </div>
        <div>The RH doc says to use the browser if an error occurs and
          IIS is running but I'm not running IIS. I researched that
          error but didn't find anything that helps with FreeIPA and
          passsync.</div>
      </div>
    </blockquote></div>
    Hmm - try installing Microsoft Certificate Authority in Enterprise
    Root CA mode - it will usually automatically create and install the
    AD server cert. 
    <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a><div><div class="h5"><br>
    <blockquote type="cite">
      <div>
        <div><br>
        </div>
        <div>Jimmy</div>
        <div><br>
          <div class="gmail_quote">On Wed, Jan 11, 2012 at 3:32 PM, Rich
            Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#ffffff" text="#000000">
                <div> On 01/11/2012 11:22 AM, Jimmy wrote:
                  <blockquote type="cite">We need to be able to
                    replicate user/pass between Windows 2008 AD and
                    FreeIPA.</blockquote>
                  <br>
                </div>
                That's what IPA Windows Sync is supposed to do.
                <div><br>
                  <br>
                  <blockquote type="cite">I have followed many different
                    documents and posted here about it and from what
                    I've read and procedures I've followed we are unable
                    to accomplish this.</blockquote>
                  <br>
                </div>
                What have you tried, and what problems have you run
                into?<br>
                <br>
                <blockquote type="cite">
                  <div>It doesn't need to be a full trust. 
                    <div> <br>
                    </div>
                    <div>Thanks<br>
                      <br>
                      <div class="gmail_quote">On Tue, Jan 10, 2012 at
                        3:03 AM, Jan Zelený <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <div>
                            <div>> Just wondering if there was anyone
                              listening on the list that might be<br>
                              > available for little work integrating
                              FreeIPA with Active Directory<br>
                               > (preferably in the south east US.) I
                              hope this isn't against the list<br>
                              > rules, I just thought one of you guys
                              could help or point me in the right<br>
                              > direction.<br>
                              <br>
                            </div>
                          </div>
                          If you want some help, it is certainly not
                          against list rules ;-) But in that<br>
                           case, it would be much better if you asked
                           what exactly you need.<br>
                          <br>
                          I'm not an AD expert, but a couple tips: If
                          you are looking for cross-domain<br>
                          (cross-realm) trust, then you might be a bit
                           disappointed; it is still in<br>
                          development, so it probably won't be 100%
                          functional at this moment.<br>
                          <br>
                          If you are looking for something else, could
                          you be a little more specific what<br>
                          it is?<br>
                          <br>
                          I also recommend starting with reading some
                          doc:<br>
                          <a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
                          <br>
                          Thanks<br>
                          <span><font color="#888888">Jan<br>
                            </font></span></blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                  <pre>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                </blockquote>
                <br>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
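The verify errors 20, 27 and 21 in the s_client output above are what openssl reports when the file given to -CAfile does not contain the issuer of the certificate the server presented. The shell example below is added here and is not from the thread: it builds two throwaway CAs offline (the file names dsca and adca, the CA common names and the server hostname are constructed, and it assumes the AD server certificate was issued by the AD Enterprise Root CA rather than by the Directory Server CA) and shows how to confirm which CA file is the real issuer before reading too much into what s_client prints.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the openssl verify errors
# offline with two throwaway CAs. Assumed layout: "dsca" = Directory Server
# CA, "adca" = the AD Enterprise Root CA that issued the AD server cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test CAs and a server cert signed by the AD CA only.
mkca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mkca dsca "DS Test CA"
mkca adca "AD Test CA"
openssl req -newkey rsa:2048 -nodes -subj "/CN=csp-ad.cspad.pdh.csp" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -days 1 -in srv.csr -CA adca.crt -CAkey adca.key \
  -CAcreateserial -out srv.crt 2>/dev/null

# issuer_matches CAFILE CERT: succeeds when CAFILE's subject equals CERT's
# issuer, i.e. the CA file can actually vouch for this certificate.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$2")
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# verify_with CAFILE CERT: prints openssl's verdict, returns its exit status.
verify_with() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

echo "--- against the DS CA (wrong issuer) ---"
issuer_matches dsca.crt srv.crt || echo "issuer of srv.crt is not dsca.crt"
verify_with dsca.crt srv.crt || true   # error 20: unable to get local issuer certificate
echo "--- against the AD CA (the real issuer) ---"
issuer_matches adca.crt srv.crt && echo "issuer of srv.crt is adca.crt"
verify_with adca.crt srv.crt
```

Against a live server the same check applies to the chain that `openssl s_client -showcerts` prints: the issuer of the depth=0 certificate must appear as a subject in the -CAfile, otherwise error 20 is expected regardless of how the DS side is configured.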