[Freeipa-users] IPA to AD sync, certificate verify failed

Rich Megginson rmeggins at redhat.com
Thu Nov 12 20:38:23 UTC 2009


Sam Hartsfield wrote:
> I am using FreeIPA 1.2.2 and trying to synchronize with AD on Windows
> Server 2003.
>
> Are password changes in FreeIPA supposed to be synced to Active
> Directory?
Yes.
> I couldn't find any reference to this specifically in the
> documentation, but on my test setup passwords are not being changed in
> AD (using the ipa-passwd command; I also tried the Windows XP password
> change dialog). Password changes in AD /are/ properly reflected in
> FreeIPA.
>   
You could try using the replication error log level to debug winsync 
problems - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> When I run the command to add the sync (I'm using Administrator just
> for testing purposes):
>
> ipa-replica-manage add --winsync --binddn
> CN=Administrator,CN=Users,DC=prism,DC=internal --bindpw password
> --cacert /home/samh/prism_ad.cer prism_ad.prism.internal -v --passsync
> password
>
> I get this:
>
> INFO:root:Added CA certificate /home/samh/prism_ad.cer to certificate
> database for ipaserver.prism.internal
> INFO:root:Restarted directory server ipaserver.prism.internal
> INFO:root:Could not validate connection to remote server
> prism_ad.prism.internal:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
> 'desc': "Can't contact LDAP server"}
>
> indicating a certificate problem,
This just means the script could not open and verify the connection.  
This is due to a "bug" in python-ldap or openldap, in that if you have 
already specified a CA cert, it will not let you specify another one.  
This is usually ok and can be ignored.
> and there are similar connection
> errors in the dirsrv error log.
That's not so good.  That usually means the CA cert from AD was not 
properly installed in the directory server cert db.

What errors do you see?
> However, I was able to connect with
> the ldapsearch command after adding a line for that same file to my
> ".ldaprc" ("TLS_CACERT /home/samh/prism_ad.cer"):
>   

> ldapsearch -x -D CN=Administrator,CN=Users,DC=prism,DC=internal -w
> password -H ldaps://prism_ad.prism.internal -b "dc=prism,dc=internal"
>   
Ok.  Try this:
certutil -d /etc/dirsrv/slapd-YOUR-INSTANCE-HERE -L
you should see an entry for your MS CA - if you do, then try this
/usr/lib/mozldap/ldapsearch -h adhostname -p 636 -Z -P /etc/dirsrv/slapd-YOUR-INSTANCE-HERE/cert8.db -D "CN=Administrator,CN=Users,DC=prism,DC=internal" -w password -s base -b ""
>   
> I exported the certificate using the directions
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html,
> and the file is readable by all users.
>
>
> This seems to be similar to Jeff Moody's problem earlier this year in
> the topic "IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10". I
> also created an "Enterprise root CA", but he didn't specify how he
> finally found the correct certificate, just that it wasn't easy! I've
> searched the computer, and the only ".crt" file is the one I used. In
> the "Certification Authority" tool, I see that there are two
> certificates in the chain, but if I export the other one,
> ipa-replica-manage says "could not add certificate to token or
> database: Error adding certificate to database."
>
> Does anyone have any idea what might be going wrong?
>   
If you are able to successfully use openldap ldapsearch with that ca 
cert, then either it's not a problem with the CA cert, or you have no 
TLS/SSL checking whatsoever in your ldap configuration.
> Thank you,
> Sam Hartsfield
>

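Before repeating the certutil and mozldap checks, it is worth confirming that the exported file really is the AD CA certificate (and not the server's own certificate from the same chain) and that it would actually validate what the AD host presents on port 636. The helper below is an added example, not code from this thread or from FreeIPA; it assumes only the openssl CLI, and every file name in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): sanity-check the file
# handed to "ipa-replica-manage --cacert" before it goes into the dirsrv
# cert db. Assumes the openssl CLI; file names are placeholders.

# Emit the certificate as PEM whether the Windows export was Base64 or DER.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# Succeed only for a CA certificate: self-signed (subject equals issuer)
# and carrying basicConstraints CA:TRUE. A server certificate exported by
# mistake fails both tests, and the directory server could never use it
# to verify the AD chain even though "certutil -L" would still list it.
is_ca_cert() {
    pem=$(to_pem "$1") || return 1
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^[^=]*=//')
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ] || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -text \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeed if CA_FILE validates SERVER_FILE, e.g. the certificate the AD
# host presents on 636 (saved beforehand with "openssl s_client -showcerts").
# This is the same chain check the directory server performs for winsync.
verifies_server() {
    tmp=$(mktemp) || return 1
    to_pem "$1" > "$tmp" && to_pem "$2" | openssl verify -CAfile "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: ./check_ca.sh /home/samh/prism_ad.cer [server_cert.pem]
if [ -n "$1" ]; then
    if is_ca_cert "$1"; then echo "$1: looks like a CA certificate"
    else echo "$1: NOT a self-signed CA certificate"; fi
    if [ -n "$2" ]; then
        if verifies_server "$1" "$2"; then echo "$2: verifies against $1"
        else echo "$2: does NOT verify against $1"; fi
    fi
fi
```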