I am using FreeIPA 1.2.2 and trying to synchronize with AD on Windows
Server 2003.

Are password changes in FreeIPA supposed to be synced to Active
Directory? I couldn't find any reference to this specific in the
documentation, but on my test setup passwords are not being changed in
AD (using the ipa-passwd command; I also tried the Windows XP password
change dialog). Password changes in AD /are/ properly reflected in

When I the run command to add the sync (I'm using Administrator just
for testing purposes):

ipa-replica-manage add --winsync --binddn
CN=Administrator,CN=Users,DC=prism,DC=internal --bindpw password
--cacert /home/samh/prism_ad.cer prism_ad.prism.internal -v --passsync

I get this:

INFO:root:Added CA certificate /home/samh/prism_ad.cer to certificate
database for ipaserver.prism.internal
INFO:root:Restarted directory server ipaserver.prism.internal
INFO:root:Could not validate connection to remote server
prism_ad.prism.internal:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
'desc': "Can't contact LDAP server"}

indicating a certificate problem, and there are similar connection
errors in the dirsrv error log. However, I was able to connect with
the ldapsearch command after adding a line for that same file to my
".ldaprc" ("TLS_CACERT /home/samh/prism_ad.cer"):

ldapsearch -x -D CN=Administrator,CN=Users,DC=prism,DC=internal -w
password -H ldaps://prism_ad.prism.internal -b "dc=prism,dc=internal"

I exported the certificate using the directions
and the file is readable by all users.

This seems to be similar to Jeff Moody's problem earlier this year in
the topic "IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10". I
also created an "Enterprise root CA", but he didn't specify how he
finally found the correct certificate, just that it wasn't easy! I've
searched the computer, and the only ".crt" file is the one I used. In
the "Certification Authority" tool, I see that there are two
certificates in the chain, but if I export the other one,
ipa-replica-manage says "could not add certificate to token or
database: Error adding certificate to database."

Does anyone have any idea what might be going wrong?

Thank you,
Sam Hartsfield

Freeipa-users mailing list

Reply via email to