I'm trying to set up password/identity sync to the FreeIPA server from a 
Windows 2003R2 SP2 server to a Fedora 10 VM.
I have installed the FreeIPA software and can load its configuration page on 
the IPA server - so the service appears to be running.
I have our Windows DC running the Windows 2003 Enterprise Certificate Authority 
service and have exported its root certificate and SCP'ed that to the IPA 
Following the instructions from TFM, I run the following command:

[r...@ipamem1 ~]# ipa-replica-manage add --winsync \
    --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com \
    --bindpw WindowsAccountPassword \
    --cacert /root/dc1-base64-x509.cer \
    dc1.evscorporation.com -v --passsync

This is the output from that command:

Directory Manager password:
INFO:root:Shutting down dirsrv:
    EVSCORPORATION-COM...                                  [  OK  ]

INFO:root:Starting dirsrv:
    EVSCORPORATION-COM...                                  [  OK  ]

INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate 
database for ipamem1.evscorporation.com
INFO:root:Restarted directory server ipamem1.evscorporation.com
INFO:root:Could not validate connection to remote server 
dc1.evscorporation.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't 
contact LDAP server"}
The user for the Windows PassSync service is 
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: 
Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipamem1.evscorporation.com] reports: Update failed! Status: [81  - LDAP error: 
Can't contact LDAP server]
INFO:root:Added agreement for other host dc1.evscorporation.com

Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:

[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind 
request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: 
error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not 
recognized.) 11 (Resource temporarily unavailable)

On the Windows server, the Passsync service is running and as far as I know I 
installed the right certificate on the Passsync side by following the 
instructions at 
 and the only message in the Passsync log on the Windows side is:

07/25/09 14:32:15: PassSync service started

I'm sure that I'm just missing some simple, stupid little thing...but I have no 
earthly idea as to what that could be. Any help/suggestions/troubleshooting 
anyone can help me with, I would greatly appreciate it.



Jeff Moody
Senior Systems Engineer

EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell

Freeipa-users mailing list

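The two errors in the post (OpenSSL's "certificate verify failed" and NSS's -8179 "Peer's Certificate issuer is not recognized") both say the same thing: the certificate dc1 presents on 636 does not chain to anything in the trust store that ipa-replica-manage populated. The check below is an added example, not code from the original post and not part of FreeIPA or 389 DS. It builds a throwaway lab PKI in the two-tier shape AD Certificate Services often has (root CA, issuing CA, LDAPS server certificate), then shows the two questions to ask of an exported CA file before running ipa-replica-manage: does it name the issuer of the DC's certificate, and does full path validation succeed with it? No network is used; the certificate names, DNs and the `$WORK` layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA): build a lab PKI
# and check whether an exported CA file actually validates the DC's LDAPS cert.
set -e

WORK=$(mktemp -d)

# --- constructed lab PKI ----------------------------------------------------
# Root CA, self-signed. openssl's default req config marks a -x509 cert CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# Issuing (intermediate) CA signed by the root, explicitly marked as a CA so
# that path validation accepts it as an intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" \
    >/dev/null 2>&1

# The DC's LDAPS certificate, issued by the intermediate rather than the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=dc1.evscorporation.com" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -out "$WORK/dc.pem" >/dev/null 2>&1

# An unrelated root: what you hold if the wrong CA was exported from the DC.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# --- the checks -------------------------------------------------------------
# Subject / issuer DN in RFC 2253 form so the two strings compare exactly.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# issuer_matches CAFILE LEAF: true if LEAF was issued directly by CAFILE.
# A mismatch against the root you exported means the DC cert comes from an
# issuing CA, and the directory server must be able to see that intermediate.
issuer_matches() { [ "$(issuer_of "$2")" = "$(subject_of "$1")" ]; }

# verify_chain CAFILE LEAF [UNTRUSTED]: full path validation, the step NSS is
# failing when it logs -8179 "Peer's Certificate issuer is not recognized".
# Success is detected from the "<file>: OK" line, which is stable across
# openssl versions whose exit status for verify differs.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    fi
}

# Demonstration when run as a script.
if issuer_matches "$WORK/root.pem" "$WORK/dc.pem"; then
    echo "root issued the DC cert directly"
else
    echo "root did NOT issue the DC cert; issuer is: $(issuer_of "$WORK/dc.pem")"
fi
verify_chain "$WORK/root.pem" "$WORK/dc.pem" "$WORK/sub.pem" && echo "root + intermediate: chain OK"
verify_chain "$WORK/root.pem" "$WORK/dc.pem" || echo "root alone, intermediate missing: chain FAILS"
verify_chain "$WORK/other.pem" "$WORK/dc.pem" "$WORK/sub.pem" || echo "wrong CA exported: chain FAILS"
```

On the real IPA host the inputs would be the exported `/root/dc1-base64-x509.cer` and the certificate chain dc1 actually sends, captured with `openssl s_client -connect dc1.evscorporation.com:636 -showcerts </dev/null` (assumed available there). If `issuer_matches` is false against the exported root, either the DC sends the intermediate and the root must be the one at the top of that chain, or the intermediate itself has to be trusted as well. What ipa-replica-manage put into the instance's NSS database can be listed with `certutil -L -d /etc/dirsrv/slapd-EVSCORPORATION-COM` (instance name taken from the dirsrv log in the post; the path is an assumption).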