Rob Crittenden wrote:
Jeff Moody wrote:
I’m trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.

I have installed the FreeIPA software and can load its configuration page on the IPA server – so the service appears to be running.

I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP’ed that to the IPA server.

Following the instructions from TFM, I run the following command:

[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer -v --passsync PasswordEnteredIntoPassSync

This is the output from that command:

Directory Manager password:
INFO:root:Shutting down dirsrv:
INFO:root:Starting dirsrv:
INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for
INFO:root:Restarted directory server
INFO:root:Could not validate connection to remote server - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
INFO:root:Added agreement for other host

Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:

[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)

On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at ( and the only message in the Passsync log on the Windows side is:

07/25/09 14:32:15: PassSync service started

I’m sure that I’m just missing some simple, stupid little thing…but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently?
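The check Rob describes, automated as an added example (not code from the thread or from FreeIPA): it parses the output of `certutil -L` and reports whether the AD CA is present in the DS NSS database and carries the `C` flag in the SSL trust column. The sample output and the nickname `EVS-DC1-CA` are constructed for illustration; NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER, the "issuer is not recognized" error from the dirsrv log.

```python
import re
import subprocess
import sys

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output.
# Nicknames are assumed; only the layout matches real certutil output.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EVS-DC1-CA                                                   CT,,C
Stale-Import                                                 ,,
"""

# One entry per line: nickname, two or more spaces, then "SSL,S/MIME,JAR" flags.
TRUST_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if m:  # header and blank lines do not match the flag pattern
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def trusted_ssl_cas(certs):
    """Nicknames trusted to issue SSL server certs: 'C' in the SSL column (e.g. CT,,C)."""
    return sorted(nick for nick, (ssl, _, _) in certs.items() if "C" in ssl)


def diagnose(text, ca_nickname):
    """'ok' if the CA is loaded and trusted; otherwise why DS would reject the AD cert."""
    certs = parse_certutil_list(text)
    if ca_nickname not in certs:
        return "missing"     # CA never imported: expect -8179 (unknown issuer)
    if "C" not in certs[ca_nickname][0]:
        return "untrusted"   # imported but SSL trust flag not set: same -8179 failure
    return "ok"


if __name__ == "__main__":
    # Usage: script.py /etc/dirsrv/slapd-INSTANCE CA-NICKNAME ; no args uses the sample.
    if len(sys.argv) == 3:
        out = subprocess.run(["certutil", "-L", "-d", sys.argv[1]],
                             capture_output=True, text=True, check=True).stdout
        print(diagnose(out, sys.argv[2]))
    else:
        print(diagnose(SAMPLE_CERTUTIL_OUTPUT, "EVS-DC1-CA"))
```

If the result is "missing" or "untrusted", re-import the CA with the `CT,,C` trust flags and restart dirsrv before retrying `ipa-replica-manage`.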
These instructions are much more comprehensive and include that a reboot of the AD machine is required.



Freeipa-users mailing list

Jenny Galipeau <>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
