[Freeipa-users] IPA+AD sync error
Kambiz Aghaiepour
kambiz at mcnc.org
Mon Aug 16 13:51:56 UTC 2010
Do you have the correct version of PassSync.msi installed? The
version I've installed that works with Windows 2008 R2 installs the
service under:

C:\Program Files\389 Directory Password Synchronization\

The download for version 1.1.4 is located here:

http://directory.fedoraproject.org/wiki/Download

Also, since you are using the Certificate Server, you probably need to
install the CA Cert from your AD server on the FreeIPA servers as well,
so that they will trust the SSL certs on your AD servers.

Kambiz

Shan Kumaraswamy wrote:
> Hi,
>
> I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync with Active
> Directory (Windows 2008 R2). Does anyone have a step-by-step
> configuration doc they can share with me? Previously I have done the same
> exercise, but now it is not working for me and I am facing a lot of
> challenges to make this happen.
>
> Please find the steps I have done so far:
>
> 1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and
> tested that they are working fine
>
> 2. On the AD side, installed Active Directory Certificate Server as an
> Enterprise Root
>
> 3. Copied the “cacert.p12” file and imported it under Certificates – Service
> (Active Directory Domain service) on Local Computer using MMC.
>
> 4. Installed the PassSync.msi file and gave all the required information
>
> 5. Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt”
> from the IPA server, copied the .crt file to the AD server and ran
> this command from “cd "C:\Program Files\Red Hat Directory Password
> Synchronization"”
>
> 6. certutil.exe -d . -N
>
> 7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i
> \path\to\dsca.crt
>
> 8. certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.
>
> After these steps, when I try to create the sync agreement from the IPA
> server I am getting this error:
>
> ldap_simple_bind: Can't contact LDAP server
>
> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
> Please share the steps to configure AD Sync with IPA server.
--
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent." --Thomas Jefferson
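
The error in the quoted message and the fix suggested in the reply, reproduced offline as an added example that is not part of the original thread: a server certificate is checked against a trust bundle before and after its issuing CA is added. It uses openssl with a PEM bundle as a stand-in for the NSS database that certutil manages (an assumption), and every DN, hostname and file name in it is constructed.

```shell
#!/bin/sh
# Added example. Every name, DN and file below is constructed; a PEM bundle
# stands in (assumption) for the NSS database that certutil manages.

# issuer_of CERT: print the issuer DN of a PEM certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# chain_trusted CERT BUNDLE: succeed only if CERT chains to a CA in BUNDLE.
chain_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_peer CERT BUNDLE: pre-flight verdict, naming the CA to import on failure.
check_peer() {
    if chain_trusted "$1" "$2"; then
        echo "trusted"
    else
        echo "untrusted: import CA '$(issuer_of "$1")'"
    fi
}

# make_pki DIR: constructed AD root CA, unrelated IPA CA, and an LDAPS
# server certificate issued by the AD root CA.
make_pki() {
    for ca in adca:"Constructed AD Root CA" ipaca:"Constructed IPA CA"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${ca#*:}" \
            -keyout "$1/${ca%%:*}.key" -out "$1/${ca%%:*}.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ad.example.test" \
        -keyout "$1/ldaps.key" -out "$1/ldaps.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/ldaps.csr" -CA "$1/adca.crt" -CAkey "$1/adca.key" \
        -CAcreateserial -days 1 -out "$1/ldaps.crt" 2>/dev/null
}

# demo: check the server cert before and after the AD CA joins the trust bundle.
demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    cp "$tmp/ipaca.crt" "$tmp/trust.pem"
    echo "before: $(check_peer "$tmp/ldaps.crt" "$tmp/trust.pem")"
    cat "$tmp/adca.crt" >> "$tmp/trust.pem"
    echo "after: $(check_peer "$tmp/ldaps.crt" "$tmp/trust.pem")"
    rm -rf "$tmp"
}

demo
```

Against a live server the same `check_peer` logic applies to the certificate the AD LDAPS port presents; the issuer it names is the CA certificate that has to be imported on the side reporting the error.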