[Freeipa-users] consulting?

Rich Megginson rmeggins at redhat.com
Fri Jan 20 20:28:29 UTC 2012


On 01/20/2012 01:08 PM, Jimmy wrote:
> That was it! I have passwords syncing, *BUT* (at the risk of sounding 
> stupid) -- is it not possible to also sync (add) the users from AD to DS?
Yes, it is.  Just configure IPA Windows Sync
> I created a new user in AD and it doesn't propagate to DS, just says:
>
> attempting to sync password for testuser3
> searching for (ntuserdomainid=testuser3)
> There are no entries that match: testuser3
> deferring password change for testuser3
>
> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 01/20/2012 12:46 PM, Jimmy wrote:
>>     Getting close here... Now I see this message in the sync log file:
>>
>>     attempting to sync password for testuser
>>     searching for (ntuserdomainid=testuser)
>>     ldap error in queryusername
>>      32: no such object
>>     deferring password change for testuser
>     This usually means the search base is incorrect or not found.  You
>     can look at the 389 access log to see what it was using as the
>     search criteria.
>
>>
>>     On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson
>>     <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>
>>         On 01/20/2012 10:23 AM, Jimmy wrote:
>>>         You are correct. I had installed as an Enterprise root, but
>>>         the doc I was reading (original link) seemed to say that I
>>>         had to do the certreq manually, my bad. I think I'm getting
>>>         closer. I can establish an openssl connection from DS to AD
>>>         but I get these errors:
>>>
>>>          openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>>         CONNECTED(00000003)
>>>         depth=0 CN = csp-ad.cspad.pdh.csp
>>>         verify error:num=20:unable to get local issuer certificate
>>>         verify return:1
>>>         depth=0 CN = csp-ad.cspad.pdh.csp
>>>         verify error:num=27:certificate not trusted
>>>         verify return:1
>>>         depth=0 CN = csp-ad.cspad.pdh.csp
>>>         verify error:num=21:unable to verify the first certificate
>>>         verify return:1
>>>
>>>         I thought I had imported the cert from AD but it doesn't
>>>         seem so. I'm still researching but if you guys have a
>>>         suggestion let me know.
>>         Is dsca.crt the CA that issued the DS server cert?  If so,
>>         that won't work.  You need the CA cert from the CA that
>>         issued the AD server cert (i.e. the CA cert from the MS
>>         Enterprise Root CA).
>>
>>>         -J
>>>
>>>         On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson
>>>         <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>>
>>>             On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>             ok. I started from scratch this week on this and I
>>>>             think I've got the right doc and understand better
>>>>             where this is going. My problem now is that when
>>>>             configuring SSL on the AD server (step c in this url:
>>>>             http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>
>>>>             I get this error:
>>>>
>>>>             certreq -submit request.req certnew.cer
>>>>             Active Directory Enrollment Policy
>>>>               {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>               ldap:
>>>>             RequestId: 3
>>>>             RequestId: "3"
>>>>             Certificate not issued (Denied) Denied by Policy Module
>>>>              0x80094801, The request does not contain a certificate
>>>>             template extension or the CertificateTemplate request
>>>>             attribute.
>>>>              The request contains no certificate template
>>>>             information. 0x80094801 (-2146875391)
>>>>             Certificate Request Processor: The request contains no
>>>>             certificate template information. 0x80094801
>>>>             (-2146875391)
>>>>             Denied by Policy Module  0x80094801, The request does
>>>>             not contain a certificate template extension or the
>>>>             CertificateTemplate request attribute.
>>>>
>>>>             The RH doc says to use the browser if an error occurs
>>>>             and IIS is running but I'm not running IIS. I
>>>>             researched that error but didn't find anything that
>>>>             helps with FreeIPA and passsync.
>>>             Hmm - try installing Microsoft Certificate Authority in
>>>             Enterprise Root CA mode - it will usually automatically
>>>             create and install the AD server cert.
>>>             http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>
>>>>
>>>>             Jimmy
>>>>
>>>>             On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson
>>>>             <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>>>
>>>>                 On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>                 We need to be able to replicate user/pass between
>>>>>                 Windows 2008 AD and FreeIPA.
>>>>
>>>>                 That's what IPA Windows Sync is supposed to do.
>>>>
>>>>
>>>>>                 I have followed many different documents and
>>>>>                 posted here about it and from what I've read and
>>>>>                 procedures I've followed we are unable to
>>>>>                 accomplish this.
>>>>
>>>>                 What have you tried, and what problems have you run
>>>>                 into?
>>>>
>>>>>                 It doesn't need to be a full trust.
>>>>>
>>>>>                 Thanks
>>>>>
>>>>>                 On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený
>>>>>                 <jzeleny at redhat.com <mailto:jzeleny at redhat.com>>
>>>>>                 wrote:
>>>>>
>>>>>                     > Just wondering if there was anyone listening
>>>>>                     on the list that might be
>>>>>                     > available for little work integrating
>>>>>                     FreeIPA with Active Directory
>>>>>                     > (preferably in the south east US.) I hope
>>>>>                     this isn't against the list
>>>>>                     > rules, I just thought one of you guys could
>>>>>                     help or point me in the right
>>>>>                     > direction.
>>>>>
>>>>>                     If you want some help, it is certainly not
>>>>>                     against list rules ;-) But in that
>>>>>                     case, it would be much better if you asked
>>>>>                     for what exactly you need.
>>>>>
>>>>>                     I'm not an AD expert, but a couple tips: If
>>>>>                     you are looking for cross-domain
>>>>>                     (cross-realm) trust, then you might be a bit
>>>>>                     disappointed, it is still in
>>>>>                     development, so it probably won't be 100%
>>>>>                     functional at this moment.
>>>>>
>>>>>                     If you are looking for something else, could
>>>>>                     you be a little more specific about what
>>>>>                     it is?
>>>>>
>>>>>                     I also recommend starting with reading some doc:
>>>>>                     http://freeipa.org/page/DocumentationPortal
>>>>>
>>>>>                     Thanks
>>>>>                     Jan
>>>>>
>>>>>
>>>>>
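The three verify errors in the openssl s_client output above are what you get when -CAfile points at a CA that did not issue the AD server cert. The script below is an added example, not from this thread or from the 389/FreeIPA project: it builds two constructed CAs (a stand-in for the DS CA behind dsca.crt and one for the AD Enterprise Root CA) plus an AD-style LDAPS server cert, all offline with placeholder names, and shows the check that tells the two CA files apart before you ever point s_client or PassSync at them.

```shell
# Added example: reproduce the wrong-CA symptom offline and check which CA file anchors a cert.
set -e
WORK=$(mktemp -d)

# mkcert_ca NAME CN: constructed self-signed CA at $WORK/NAME.crt (+ key).
mkcert_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
mkcert_ca dsca "example-ds-ca"        # stand-in for the 389 DS CA (what dsca.crt really is)
mkcert_ca adca "example-ad-root-ca"   # stand-in for the MS Enterprise Root CA

# Constructed AD LDAPS server cert, issued by the AD CA; the hostname is a placeholder.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ad.example.test" \
  -keyout "$WORK/ad.key" -out "$WORK/ad.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ad.csr" -CA "$WORK/adca.crt" \
  -CAkey "$WORK/adca.key" -CAcreateserial -out "$WORK/ad.crt" 2>/dev/null

# verify_with CAFILE CERT: same chain building s_client -CAfile does; prints openssl's verdict.
verify_with() { openssl verify -CAfile "$1" "$2" 2>&1 || true; }

# chain_ok CAFILE CERT: exit 0 only when CAFILE actually anchors CERT.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# issuer_matches CAFILE CERT: cheap first check, compares CERT's issuer DN with CAFILE's subject DN.
issuer_matches() {
  [ "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

echo "AD cert $(openssl x509 -in "$WORK/ad.crt" -noout -issuer)"
echo "verify with DS CA : $(verify_with "$WORK/dsca.crt" "$WORK/ad.crt")"  # error 20: unable to get local issuer certificate
echo "verify with AD CA : $(verify_with "$WORK/adca.crt" "$WORK/ad.crt")"  # OK
```

Run the same two checks against the real AD server cert (save it from the s_client -showcerts output) and against each candidate CA file: only the CA file for which chain_ok succeeds belongs in -CAfile and in the PassSync/DS trust store.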
