I am using FreeIPA 1.2.2 and trying to synchronize with AD on Windows Server 2003.
Are password changes in FreeIPA supposed to be synced to Active Directory? I couldn't find any reference to this specifically in the documentation, but on my test setup passwords are not being changed in AD (using the ipa-passwd command; I also tried the Windows XP password change dialog). Password changes in AD /are/ properly reflected in FreeIPA.

When I run the command to add the sync (I'm using Administrator just for testing purposes):

  ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=prism,DC=internal --bindpw password --cacert /home/samh/prism_ad.cer prism_ad.prism.internal -v --passsync password

I get this:

  INFO:root:Added CA certificate /home/samh/prism_ad.cer to certificate database for ipaserver.prism.internal
  INFO:root:Restarted directory server ipaserver.prism.internal
  INFO:root:Could not validate connection to remote server prism_ad.prism.internal:636 - continuing
  INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

indicating a certificate problem, and there are similar connection errors in the dirsrv error log. However, I was able to connect with the ldapsearch command after adding a line for that same file to my ".ldaprc" ("TLS_CACERT /home/samh/prism_ad.cer"):

  ldapsearch -x -D CN=Administrator,CN=Users,DC=prism,DC=internal -w password -H ldaps://prism_ad.prism.internal -b "dc=prism,dc=internal"

I exported the certificate using the directions at http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html, and the file is readable by all users. This seems to be similar to Jeff Moody's problem earlier this year in the topic "IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10". I also created an "Enterprise root CA", but he didn't specify how he finally found the correct certificate, just that it wasn't easy!
I've searched the computer, and the only ".crt" file is the one I used. In the "Certification Authority" tool, I see that there are two certificates in the chain, but if I export the other one, ipa-replica-manage says "could not add certificate to token or database: Error adding certificate to database."

Does anyone have any idea what might be going wrong?

Thank you,
Sam Hartsfield

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
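Added example, not part of Sam's post and not FreeIPA's own code: the failure above ("certificate verify failed" from the SSL layer) is the same one `openssl verify` reports when the file handed to --cacert is not the trust anchor the AD server's certificate chains to. The script below builds a hypothetical two-tier CA with openssl (a root CA, an issuing CA, and an LDAP server certificate; all names, including ad.example.test, are made up so it runs offline), then shows which certificate in a two-certificate chain has to be in the CA file, and that the "other" certificate in the chain (the issuing CA) is not enough on its own. It assumes `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA): builds a
# hypothetical two-tier CA with openssl (root CA -> issuing CA -> LDAP
# server cert) so the check runs offline, then shows which certificate
# has to be handed to --cacert. All names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:ad.example.test
EOF

# mkcert NAME SUBJECT EXTSECTION [ISSUER] -> NAME.key, NAME.pem
# Without ISSUER the certificate is self-signed (a root CA).
mkcert() {
  name=$1 subj=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
        -extfile ext.cnf -extensions "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 1 -extfile ext.cnf -extensions "$ext" \
        -out "$name.pem" 2>/dev/null
  fi
}

mkcert root    "/CN=Example Enterprise Root CA" ca
mkcert issuing "/CN=Example Issuing CA"         ca root
mkcert server  "/CN=ad.example.test"            server issuing

# Subject / issuer DN of a certificate in RFC 2253 form (stable across
# openssl versions), with the "subject=" / "issuer=" prefix stripped.
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'; }

# verify_against CAFILE SERVERCERT [INTERMEDIATES]
# Succeeds only if CAFILE holds a self-signed trust anchor the chain ends in;
# an intermediate CA alone is not accepted, which is the --cacert failure mode.
verify_against() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# needed_anchor CERT... : walk the chain the server presents (leaf first, the
# order "openssl s_client -showcerts" prints it) and print the DN of the CA
# that must be in the --cacert file: the issuer of the highest cert found.
needed_anchor() {
  want=$(issuer_of "$1")
  for c in "$@"; do
    [ "$(subject_of "$c")" = "$want" ] || continue
    want=$(issuer_of "$c")
  done
  printf '%s\n' "$want"
}

report() {
  if verify_against "$@"; then echo "  $1: OK"; else echo "  $1: certificate verify failed"; fi
}

echo "CA that --cacert must contain: $(needed_anchor server.pem issuing.pem)"
echo "openssl verify of server.pem against:"
report issuing.pem server.pem             # the other cert in the chain: fails
report root.pem    server.pem             # root, but intermediate not presented: fails
report root.pem    server.pem issuing.pem # root plus presented intermediate: OK
```

To run the same check against a live server, the chain it presents can be captured with `openssl s_client -connect prism_ad.prism.internal:636 -showcerts` and each PEM block saved to its own file, leaf first; `needed_anchor` then names the CA whose certificate belongs in the --cacert file, and `verify_against` with that file confirms it before ipa-replica-manage is run again.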