Following the instructions on
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
I am running into an error generating the certificate for the DC. The
specific error I am getting is:

    Denied by Policy Module 0x80094801, The request does not contain a
    certificate template extension or the CertificateTemplate request
    attribute.
I apologize that I am so ignorant on SSL, but what type of certificate
template should I put on the request? Domain Controller? Root CA? Thanks
a ton for the help on this.

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody
Sent: Monday, July 27, 2009 10:49 AM
To: Jenny Galipeau; Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

I've been communicating some with Rob off-list and have rebooted the
Windows server after installing the PassSync software, but not after
installing the certificate for the IPA server in the PassSync directory.

-----Original Message-----
From: Jenny Galipeau [mailto:jgali...@redhat.com]
Sent: Monday, July 27, 2009 10:41 AM
To: Rob Crittenden
Cc: Jeff Moody; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Rob Crittenden wrote:
> Jeff Moody wrote:
>> I'm trying to set up password/identity sync to the FreeIPA server
>> from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration
>> page on the IPA server - so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate
>> Authority service and have exported its root certificate and SCP'ed
>> that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn
>> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw
>> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer
>> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>> This is the output from that command:
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>>
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>>
>> INFO:root:
>> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to
>> certificate database for ipamem1.evscorporation.com
>> INFO:root:Restarted directory server ipamem1.evscorporation.com
>> INFO:root:Could not validate connection to remote server
>> dc1.evscorporation.com:636 - continuing
>> INFO:root:The error was: {'info': 'error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
>> 'desc': "Can't contact LDAP server"}
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP
>> error: Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 -
>> LDAP error: Can't contact LDAP server]
>> INFO:root:Added agreement for other host dc1.evscorporation.com
>>
>> Additionally, in the /var/lib/dirsrv/ errors log, I have the
>> following error:
>>
>> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send
>> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com]
>> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's
>> Certificate issuer is not recognized.) 11 (Resource temporarily
>> unavailable)
>>
>> On the Windows server, the PassSync service is running and as far as
>> I know I installed the right certificate on the PassSync side by
>> following the instructions at
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service
>> and the only message in the PassSync log on the Windows side is:
>>
>> 07/25/09 14:32:15: PassSync service started
>>
>> I'm sure that I'm just missing some simple, stupid little thing, but I
>> have no earthly idea as to what that could be. Any
>> help/suggestions/troubleshooting anyone can help me with, I would
>> greatly appreciate it.
>>
>
> Hmm, clearly an SSL trust issue.
>
> Let's start by making sure that DS has the CA you provided loaded and
> trusted:
>
> # certutil -L -d /etc/dirsrv/slapd-INSTANCE
>
> It should include your CA and have a trust like CT,,C
>
> I found that I needed to reboot my AD server when installing the CA
> service and getting PassSync installed. Have you rebooted recently?

These instructions are much more comprehensive and include that a reboot
of the AD machine is required.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html

Jenny

>
> rob
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
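An added example, not part of the thread above: a small Python script that parses the output of the `certutil -L -d /etc/dirsrv/slapd-INSTANCE` check Rob suggests and reports whether the imported Windows CA carries the SSL trust flag (`C`, as in `CT,,C`) that NSS needs before the LDAPS connection to the DC can verify. The certutil output and the CA nicknames in it are constructed for the example.

```python
import re

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output.
# The nicknames are made up; "dc1 Windows CA" stands in for the CA imported
# from /root/dc1-base64-x509.cer, here with empty trust flags.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EVSCORPORATION.COM IPA CA                                    CT,,C
dc1 Windows CA                                               ,,
"""

# A trust-attribute field is three comma-separated groups of NSS flag letters.
TRUST_RE = re.compile(r"^(.*?)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if not m:
            continue  # header and blank lines carry no trust field
        nickname, trust = m.group(1).strip(), m.group(2)
        certs[nickname] = tuple(trust.split(","))
    return certs


def check_ca_trust(certs, nickname):
    """Say whether `nickname` is usable as a trusted SSL CA for the outbound LDAPS bind.

    Without the 'C' flag in the SSL column the DC's server certificate chain
    does not verify, which is what "Peer's Certificate issuer is not
    recognized" in the dirsrv errors log means.
    """
    if nickname not in certs:
        return (False, "CA %r is not in the database; import it with certutil -A" % nickname)
    ssl_flags = certs[nickname][0]
    if "C" not in ssl_flags:
        return (False, "CA %r has SSL trust %r; expected 'C' (e.g. CT,,C), set it with "
                       "certutil -M -n NICK -t CT,,C" % (nickname, ssl_flags))
    return (True, "CA %r is trusted for SSL (%s)" % (nickname, ",".join(certs[nickname])))


if __name__ == "__main__":
    db = parse_certutil_list(SAMPLE_CERTUTIL_OUTPUT)
    for name in ("EVSCORPORATION.COM IPA CA", "dc1 Windows CA", "missing CA"):
        ok, message = check_ca_trust(db, name)
        print("OK  " if ok else "FAIL", message)
```

Run it against real output by piping `certutil -L -d /etc/dirsrv/slapd-INSTANCE` into `parse_certutil_list` and passing the nickname under which `ipa-replica-manage` stored the DC's CA.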