Rob Crittenden wrote:
Jeff Moody wrote:
I’m trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.


I have installed the FreeIPA software and can load its configuration page on the IPA server – so the service appears to be running.

I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP’ed that to the IPA server.

Following the instructions from TFM, I run the following command:



[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync



This is the output from that command:



Directory Manager password:

INFO:root:Shutting down dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:

INFO:root:

INFO:root:Starting dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com

INFO:root:Restarted directory server ipamem1.evscorporation.com

INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing

INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com

Windows PassSync entry exists, not resetting password

INFO:root:Added new sync agreement, waiting for it to become ready . . .

INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0

INFO:root:Agreement is ready, starting replication . . .

Starting replication, please wait until this has completed.

[ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]

INFO:root:Added agreement for other host dc1.evscorporation.com



Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:



[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)



On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is:



07/25/09 14:32:15: PassSync service started



I’m sure that I’m just missing some simple, stupid little thing…but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.


Hmm, clearly an SSL trust issue.

Lets start by making sure that DS has the CA you provided loaded and trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently?
These instructions are much more comprehensive and include that a reboot of the AD machine is required.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
Jenny

rob

------------------------------------------------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to