<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/25/2012 12:07 PM, Jimmy wrote:
<blockquote
cite="mid:CAG8E47S9atEzdrXgSOCdVH-7F6neCfbQuDh7iXugcTvUpcN83Q@mail.gmail.com"
type="cite">Found the reason for the ldap search not working- when
I created the AD certificate role, I accidentally entered a new
sub-domain so instead of the FQDN in the cert being
csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and
now the ldap search seems to work-
<div>
<br>
</div>
<div>ldif output-- <a moz-do-not-send="true"
href="http://fpaste.org/xbOC/">http://fpaste.org/xbOC/</a> </div>
<div>debug-
<a moz-do-not-send="true" href="http://fpaste.org/6g8q/">http://fpaste.org/6g8q/</a> </div>
<div><br>
</div>
<div>I guess I need to redo the sync agreement to fix the server
DNS name.</div>
</blockquote>
Yep. When using TLS/SSL you have to pay close attention to
hostnames.<br>
<blockquote
cite="mid:CAG8E47S9atEzdrXgSOCdVH-7F6neCfbQuDh7iXugcTvUpcN83Q@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>I will be traveling for work for the next couple days but
should still be working on this issue some. I'll take VMs of
the servers on my laptop to be able to keep working.</div>
<div>-Jimmy</div>
<div><br>
<div class="gmail_quote">On Thu, Jan 19, 2012 at 5:04 PM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div class="im"> On 01/19/2012 02:59 PM, Jimmy wrote:
<blockquote type="cite">ok. I started from scratch this
week on this and I think I've got the right doc and
understand better where this is going. My problem now
is that when configuring SSL on the AD server (step c
in this url: <a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
<div> I get this error: </div>
<div><br>
</div>
<div>
<div>certreq -submit request.req certnew.cer</div>
<div>Active Directory Enrollment Policy</div>
<div> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
<div> ldap:</div>
<div>RequestId: 3</div>
<div>RequestId: "3"</div>
<div>Certificate not issued (Denied) Denied by
Policy Module 0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.</div>
<div> The request contains no certificate template
information. 0x80094801 (-2146875391)</div>
<div>Certificate Request Processor: The request
contains no certificate template information.
0x80094801 (-2146875391)</div>
<div> Denied by Policy Module 0x80094801, The
request does not contain a certificate template
extension or the CertificateTemplate request
attribute.</div>
<div><br>
</div>
<div>The RH doc says to use the browser if an error
occurs and IIS is running but I'm not running IIS.
I researched that error but didn't find anything
that helps with FreeIPA and passsync.</div>
</div>
</blockquote>
</div>
Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert. <a
moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
<div>
<div class="h5"><br>
<blockquote type="cite">
<div>
<div><br>
</div>
<div>Jimmy</div>
<div><br>
<div class="gmail_quote">On Wed, Jan 11, 2012 at
3:32 PM, Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/11/2012 11:22 AM, Jimmy wrote:
<blockquote type="cite">We need to be
able to replicate user/pass between
Windows 2008 AD and FreeIPA.</blockquote>
<br>
</div>
That's what IPA Windows Sync is supposed
to do.
<div><br>
<br>
<blockquote type="cite">I have followed
many different documents and posted
here about it and from what I've read
and procedures I've followed we are
unable to accomplish this.</blockquote>
<br>
</div>
What have you tried, and what problems
have you run into?<br>
<br>
<blockquote type="cite">
<div>It doesn't need to be a full
trust.
<div> <br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Tue, Jan
10, 2012 at 3:03 AM, Jan Zelený <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:jzeleny@redhat.com"
target="_blank">jzeleny@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid
rgb(204, 204, 204);
padding-left: 1ex;">
<div>
<div>> Just wondering if
there was anyone listening
on the list that might be<br>
> available for little
work integrating FreeIPA
with Active Directory<br>
> (preferably in the
south east US.) I hope this
isn't against the list<br>
> rules, I just thought
one of you guys could help
or point me in the right<br>
> direction.<br>
<br>
</div>
</div>
If you want some help, it is
certainly not against list rules
;-) But in that<br>
case, it would be much better if
you asked what exactly do you
need.<br>
<br>
I'm not an AD expert, but a
couple tips: If you are looking
for cross-domain<br>
(cross-realm) trust, then you
might be a bit disappointed, it
is still in<br>
development, so it probably
won't be 100% functional at this
moment.<br>
<br>
If you are looking for something
else, could you be a little more
specific what<br>
it is?<br>
<br>
I also recommend starting with
reading some doc:<br>
<a moz-do-not-send="true"
href="http://freeipa.org/page/DocumentationPortal"
target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font color="#888888">Jan<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
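The hostname point raised above (the certificate was issued for csp-ad.cspad.pdh.csp while the sync agreement and DNS expected csp-ad.pdh.csp) is exactly the check a TLS client performs before it trusts an LDAPS peer. The following is an added example, not code from this thread or from FreeIPA/389 Directory Server: it re-implements the usual RFC 6125 name-matching rules over the dictionary shape that Python's <code>ssl.SSLSocket.getpeercert()</code> returns, so the mismatch can be reproduced offline. The certificate dictionaries, the function names and the <code>verify_ldaps_peer</code> helper are all constructed for illustration; no real certificate is parsed.<br>

```python
"""Hostname matching for a TLS/LDAPS peer certificate (added example).

Implements the name-matching rules a TLS client applies between the
hostname it connected to and the names inside the server certificate,
over dictionaries shaped like ssl.SSLSocket.getpeercert() output.
"""
import socket
import ssl


def dns_names(cert):
    """Return the names a client may match the hostname against.

    If the certificate carries DNS subjectAltName entries, only those
    count; the subject commonName is a fallback for legacy certificates.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is accepted only as the whole left-most label and covers
    exactly one label: '*.pdh.csp' matches 'csp-ad.pdh.csp' but not
    'csp-ad.cspad.pdh.csp'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or non-leading wildcard: refuse it
    if len(p_labels) < 3:
        return False  # '*.csp' would cover a whole TLD; refuse it
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if any usable name in the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def explain(cert, hostname):
    """One-line diagnosis of the kind a failing sync agreement needs."""
    names = dns_names(cert)
    if cert_matches_hostname(cert, hostname):
        return "ok: %s matches certificate names %s" % (hostname, names)
    return ("mismatch: connected to %s but certificate is valid for %s; "
            "fix DNS / the agreement hostname or reissue the certificate"
            % (hostname, names))


# Constructed certificate dictionaries echoing the names in the thread.
CERT_AS_ISSUED = {
    "subject": ((("commonName", "csp-ad.cspad.pdh.csp"),),),
    "subjectAltName": (("DNS", "csp-ad.cspad.pdh.csp"),),
}
CERT_INTENDED = {
    "subject": ((("commonName", "csp-ad.pdh.csp"),),),
    "subjectAltName": (("DNS", "csp-ad.pdh.csp"),),
}


def verify_ldaps_peer(host, port=636):
    """Live check (needs network): connect with a verifying context.

    Returns (True, names) when the peer certificate passes hostname and
    chain validation, or (False, reason) when the handshake is rejected.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, dns_names(tls.getpeercert())
    except (ssl.SSLError, OSError) as err:
        return False, str(err)


if __name__ == "__main__":
    print(explain(CERT_AS_ISSUED, "csp-ad.pdh.csp"))
    print(explain(CERT_INTENDED, "csp-ad.pdh.csp"))
```

Running the module prints the mismatch for the certificate as it was issued and an "ok" line for the intended name; <code>verify_ldaps_peer</code> performs the same check against a live server using Python's default verifying context, which is what a sync agreement's TLS connection does implicitly.<br>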
</body>
</html>