[Freeipa-users] IPA+AD sync error

Shan Kumaraswamy shan.sysadm at gmail.com
Mon Aug 16 14:46:59 UTC 2010


Rich,

While installing IPA, it creates its own CA cert, right? (cacert.p12), and
I also did the step of exporting this CA file as dsca.crt. Please let me
know the steps to generate the IPA CA and server cert.
On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  Shan Kumaraswamy wrote:
>
>>
>> Hi,
>>
>> I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync with Active
>> Directory (Windows 2008 R2). Can anyone please share a step-by-step
>> configuration doc with me? Previously I have done the same exercise,
>> but now it is not working for me and I am facing a lot of challenges to make
>> this happen.
>>
>> Please find the steps I have done so far:
>>
>> 1.       Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and
>> tested; it's working fine
>>
>> 2.       On the AD side, installed Active Directory Certificate Services as an
>> Enterprise Root
>>
>> 3.       Copied the “cacert.p12” file and imported it under Certificates
>> – Service (Active Directory Domain Services) on Local Computer using MMC.
>>
>> 4.       Installed the PassSync.msi file and gave all the required information
>>
>> 5.       Ran the command “certutil -d . -L -n "CA certificate" -a >
>> dsca.crt” on the IPA server, copied the .crt file to the AD server and ran
>> the following commands from “C:\Program Files\Red Hat Directory Password
>> Synchronization” (after cd into that directory):
>>
>> 6.       certutil.exe -d . -N
>>
>> 7.       certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i
>> \path\to\dsca.crt
>>
>> 8.       certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.
>>
>> After these steps, when I try to create a sync agreement from the IPA server I am
>> getting this error:
>>
>> ldap_simple_bind: Can't contact LDAP server
>>        SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>
>>
>> Please share the steps to configure AD Sync with IPA server.
>>
>>
> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
> But it looks as though there is a step missing.  If you use MS AD CA to
> generate the AD cert, and use IPA to generate the IPA CA and server cert,
> then you have to import the MS AD CA cert into IPA.
>
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>


-- 
Thanks & Regards
Shan Kumaraswamy
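An added example, not code from the thread or from the FreeIPA project: a small POSIX shell helper for the step Rich says is missing (importing the MS AD CA cert into the IPA directory server's NSS database), together with a check, run over a constructed `certutil -L` listing, that a CA nickname carries a 'C' in the SSL trust slot, which is what the -8179 "issuer is not recognized" error is complaining about. The database path, nicknames and PEM file name are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders: the directory
# server instance path, the nickname used for the AD CA and the PEM file name.
DSDB="${DSDB:-/etc/dirsrv/slapd-EXAMPLE-COM}"   # assumed DS instance NSS db
AD_CA_NICK="${AD_CA_NICK:-AD CA cert}"         # assumed nickname
AD_CA_PEM="${AD_CA_PEM:-/path/to/adca.crt}"    # base64 export of the AD root CA

# Read a `certutil -L` listing on stdin and return 0 if NICK is present with a
# 'C' in its SSL trust slot (the first of the "SSL,S/MIME,JAR/XPI" fields,
# e.g. "CT,,"), i.e. it is trusted to issue peer (server) certificates.
# Nicknames may contain spaces; trust attributes are the last space-separated
# field of the line (certutil pads the columns with spaces).
ca_trusted_for_ssl() {
    nick="$1"
    while IFS= read -r line; do
        attrs="${line##* }"
        name="${line% *}"
        name="${name%"${name##*[! ]}"}"     # strip trailing padding
        [ "$name" = "$nick" ] || continue
        ssl="${attrs%%,*}"
        case "$ssl" in *C*) return 0 ;; esac
        return 1
    done
    return 1
}

# The missing step: import the AD CA into the IPA directory server's NSS db
# with CA trust for SSL, then confirm the trust flags actually took effect.
# Usage: import_ad_ca   (requires certutil and write access to $DSDB)
import_ad_ca() {
    certutil -d "$DSDB" -A -n "$AD_CA_NICK" -t CT,, -a -i "$AD_CA_PEM" || return 1
    certutil -d "$DSDB" -L | ca_trusted_for_ssl "$AD_CA_NICK"
}
```

The same check applied to the PassSync side (`certutil.exe -d . -L` in the Password Synchronization directory) tells you whether the "DS CA cert" import from step 7 got the CT,, flags it needs.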