[Freeipa-users] consulting?
Rich Megginson
rmeggins at redhat.com
Mon Jan 23 18:06:14 UTC 2012
On 01/23/2012 10:52 AM, Jimmy wrote:
> That's what I was thinking, and what I did, but it still doesn't
> replicate new users. This is the command I used:
>
> ipa-replica-manage connect --passsync --binddn
> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw=******** --cacert
> /home/winsync/AD-server-cert.cer 192.168.201.150 -v
Did you create the user cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp? And
does this user have the rights to perform sync? (e.g. has to have
replicator rights, or be some sort of admin) - see
http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx - the
AD user must have replication rights and write rights.
In addition, since this process uses SSL, you cannot use an IP address,
you must use a hostname, or the SSL cert hostname checking (for MITM)
will fail.
>
> On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 01/23/2012 10:19 AM, Jimmy wrote:
>> Here's what I found in the DS admin guide. Is this all that's
>> needed to create the sync agreement?
> Not with ipa - you should use the ipa-replica-manage command instead
>
>> Thanks.
>>
>> add sync agreement:
>> ldapmodify -x -D "cn=Directory Manager" -W
>> Enter LDAP Password: *******
>> dn: cn=ExampleSyncAgreement,cn=sync
>> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
> it should be cn=replica, not cn=sync replica - does it use the
> latter in the Admin Guide?
>
>> changetype: add
>> objectclass: top
>> objectclass: nsDSWindowsReplicationAgreement
>> cn: ExampleSyncAgreement
>> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>> nsds7NewWinUserSyncEnabled: on
>> nsds7NewWinGroupSyncEnabled: on
>> nsds7WindowsDomain: ad1
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaHost: ad1.windows-server.com
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=sync user,cn=config
>> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>> nsDS5ReplicaTransportInfo: TLS
>> winSyncInterval: 1200
>>
>> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> On 01/20/2012 01:08 PM, Jimmy wrote:
>>> That was it! I have passwords syncing, *BUT* (at the risk of
>>> sounding stupid) -- is it not possible to also sync (add) the
>>> users from AD to DS?
>> Yes, it is. Just configure IPA Windows Sync
>>
>>> I created a new user in AD and it doesn't propagate to DS,
>>> just says:
>>>
>>> attempting to sync password for testuser3
>>> searching for (ntuserdomainid=testuser3)
>>> There are no entries that match: testuser3
>>> deferring password change for testuser3
>>>
>>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>> Getting close here... Now I see this message in the
>>>> sync log file:
>>>>
>>>> attempting to sync password for testuser
>>>> searching for (ntuserdomainid=testuser)
>>>> ldap error in queryusername
>>>> 32: no such object
>>>> deferring password change for testuser
>>> This usually means the search base is incorrect or not
>>> found. You can look at the 389 access log to see what
>>> it was using as the search criteria.
>>>
>>>>
>>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>
>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>> You are correct. I had installed as an Enterprise
>>>>> root, but the doc I was reading (original link)
>>>>> seemed to say that I had to do the certreq
>>>>> manually, my bad. I think I'm getting closer I can
>>>>> establish an openssl connection from DS to AD but
>>>>> I get these errors:
>>>>>
>>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>>>> CONNECTED(00000003)
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=20:unable to get local issuer
>>>>> certificate
>>>>> verify return:1
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=27:certificate not trusted
>>>>> verify return:1
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=21:unable to verify the first
>>>>> certificate
>>>>> verify return:1
>>>>>
>>>>> I thought I had imported the cert from AD but it
>>>>> doesn't seem so. I'm still researching but if you
>>>>> guys have a suggestion let me know.
>>>> Is dsca.crt the CA that issued the DS server cert?
>>>> If so, that won't work. You need the CA cert from
>>>> the CA that issued the AD server cert (i.e. the CA
>>>> cert from the MS Enterprise Root CA).
>>>>
>>>>> -J
>>>>>
>>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>
>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>> ok. I started from scratch this week on this
>>>>>> and I think I've got the right doc and
>>>>>> understand better where this is going. My
>>>>>> problem now is that when configuring SSL on
>>>>>> the AD server (step c in this url:
>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>>
>>>>>> I get this error:
>>>>>>
>>>>>> certreq -submit request.req certnew.cer
>>>>>> Active Directory Enrollment Policy
>>>>>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>> ldap:
>>>>>> RequestId: 3
>>>>>> RequestId: "3"
>>>>>> Certificate not issued (Denied) Denied by
>>>>>> Policy Module 0x80094801, The request does
>>>>>> not contain a certificate template extension
>>>>>> or the CertificateTemplate request attribute.
>>>>>> The request contains no certificate template
>>>>>> information. 0x80094801 (-2146875391)
>>>>>> Certificate Request Processor: The request
>>>>>> contains no certificate template information.
>>>>>> 0x80094801 (-2146875391)
>>>>>> Denied by Policy Module 0x80094801, The
>>>>>> request does not contain a certificate
>>>>>> template extension or the CertificateTemplate
>>>>>> request attribute.
>>>>>>
>>>>>> The RH doc says to use the browser if an
>>>>>> error occurs and IIS is running but I'm not
>>>>>> running IIS. I researched that error but
>>>>>> didn't find anything that helps with FreeIPA
>>>>>> and passsync.
>>>>> Hmm - try installing Microsoft Certificate
>>>>> Authority in Enterprise Root CA mode - it will
>>>>> usually automatically create and install the
>>>>> AD server cert.
>>>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>>
>>>>>
>>>>>>
>>>>>> Jimmy
>>>>>>
>>>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>>
>>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>> We need to be able to replicate
>>>>>>> user/pass between Windows 2008 AD and
>>>>>>> FreeIPA.
>>>>>>
>>>>>> That's what IPA Windows Sync is supposed
>>>>>> to do.
>>>>>>
>>>>>>
>>>>>>> I have followed many different documents
>>>>>>> and posted here about it and from what
>>>>>>> I've read and procedures I've followed
>>>>>>> we are unable to accomplish this.
>>>>>>
>>>>>> What have you tried, and what problems
>>>>>> have you run into?
>>>>>>
>>>>>>> It doesn't need to be a full trust.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com> wrote:
>>>>>>>
>>>>>>> > Just wondering if there was anyone
>>>>>>> listening on the list that might be
>>>>>>> > available for little work
>>>>>>> integrating FreeIPA with Active
>>>>>>> Directory
>>>>>>> > (preferably in the south east
>>>>>>> US.) I hope this isn't against the list
>>>>>>> > rules, I just thought one of you
>>>>>>> guys could help or point me in the right
>>>>>>> > direction.
>>>>>>>
>>>>>>> If you want some help, it is
>>>>>>> certainly not against list rules ;-)
>>>>>>> But in that
>>>>>>> case, it would be much better if you
>>>>>>> asked what exactly do you need.
>>>>>>>
>>>>>>> I'm not an AD expert, but a couple
>>>>>>> tips: If you are looking for
>>>>>>> cross-domain
>>>>>>> (cross-realm) trust, then you might
>>>>>>> be a bit disappointed, it is still in
>>>>>>> development, so it probably won't be
>>>>>>> 100% functional at this moment.
>>>>>>>
>>>>>>> If you are looking for something
>>>>>>> else, could you be a little more
>>>>>>> specific what
>>>>>>> it is?
>>>>>>>
>>>>>>> I also recommend starting with
>>>>>>> reading some doc:
>>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>>
>>>>>>> Thanks
>>>>>>> Jan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
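Added example, not part of this thread and not FreeIPA's or 389 DS's own code: a constructed shell demo that reproduces, with throwaway keys, the two certificate checks that went wrong above. It builds two unrelated self-signed CAs (one standing in for the AD Enterprise Root CA, one for the DS CA), issues a server cert for the AD hostname quoted in the thread, then shows with `openssl verify` that the chain only validates against the CA that actually issued it, and that verifying the same cert by the IP address fails while verifying by hostname succeeds. Everything is generated in a temp directory; the hostname `csp-ad.cspad.pdh.csp` and IP `192.168.201.150` are taken from the thread, the CA names are made up, and only the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo (not from the thread). Builds throwaway CAs and a server
# cert, then reproduces the "unable to get local issuer certificate" failure
# seen with the wrong -CAfile and the hostname-vs-IP check that breaks when
# a TLS peer is addressed by IP. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AD_HOST=csp-ad.cspad.pdh.csp   # AD server name from the thread
AD_IP=192.168.201.150          # IP used in the thread's commands

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1 = file basename, $2 = CA common name; self-signed CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_server_cert() {   # $1 = issuing CA basename, $2 = server DNS name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # DNS SAN only: no iPAddress SAN, which is the usual case for an AD DC cert.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/server.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Each check prints "ok" or "fail" so results can be compared as strings.
check_chain() {   # $1 = CA basename used as -CAfile
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
check_hostname() {   # $1 = CA basename, $2 = DNS name the client connected to
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
       "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
check_ip() {   # $1 = CA basename, $2 = IP address the client connected to
  if openssl verify -CAfile "$WORK/$1.crt" -verify_ip "$2" \
       "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Two unrelated CAs: the one that issued the AD cert, and the DS one (dsca.crt
# in the thread). Distinct names so the mismatch is a real issuer mismatch.
make_ca ad_ca "Constructed AD Enterprise Root CA"
make_ca ds_ca "Constructed DS CA"
make_server_cert ad_ca "$AD_HOST"

printf 'chain against AD CA (issuer):  %s\n' "$(check_chain ad_ca)"
printf 'chain against DS CA (wrong):   %s\n' "$(check_chain ds_ca)"
printf 'peer named %s: %s\n' "$AD_HOST" "$(check_hostname ad_ca "$AD_HOST")"
printf 'peer addressed as %s: %s\n' "$AD_IP" "$(check_ip ad_ca "$AD_IP")"
```

The first two lines of output mirror the `verify error:num=20` seen with `-CAfile dsca.crt` versus a clean verify with the AD CA; the last two show why `ipa-replica-manage connect` needs the AD hostname rather than its IP: the DC's cert carries a DNS SAN, so a client that connected by IP has nothing to match against.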