Sam Hartsfield wrote:
I am using FreeIPA 1.2.2 and trying to synchronize with AD on Windows
Server 2003.

Are password changes in FreeIPA supposed to be synced to Active
Directory?
Yes.
I couldn't find any reference to this specific in the
documentation, but on my test setup passwords are not being changed in
AD (using the ipa-passwd command; I also tried the Windows XP password
change dialog). Password changes in AD /are/ properly reflected in
FreeIPA.
You could try using the replication error log level to debug winsync problems - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
When I the run command to add the sync (I'm using Administrator just
for testing purposes):

ipa-replica-manage add --winsync --binddn
CN=Administrator,CN=Users,DC=prism,DC=internal --bindpw password
--cacert /home/samh/prism_ad.cer prism_ad.prism.internal -v --passsync
password

I get this:

INFO:root:Added CA certificate /home/samh/prism_ad.cer to certificate
database for ipaserver.prism.internal
INFO:root:Restarted directory server ipaserver.prism.internal
INFO:root:Could not validate connection to remote server
prism_ad.prism.internal:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
'desc': "Can't contact LDAP server"}

indicating a certificate problem,
This just means the script could not open and verify the connection. This is due to a "bug" in python-ldap or openldap, in that if you have already specified a CA cert, it will not let you specify another one. This is usually ok and can be ignored.
and there are similar connection
errors in the dirsrv error log.
That's not so good. That usually means the CA cert from AD was not properly installed in the directory server cert db.

What errors do you see?
However, I was able to connect with
the ldapsearch command after adding a line for that same file to my
".ldaprc" ("TLS_CACERT /home/samh/prism_ad.cer"):

ldapsearch -x -D CN=Administrator,CN=Users,DC=prism,DC=internal -w
password -H ldaps://prism_ad.prism.internal -b "dc=prism,dc=internal"
Ok.  Try this:
certutil -d /etc/dirsrv/slapd-YOUR-INSTANCE-HERE -L
you should see an entry for your MS CA - if you do, then try this
/usr/lib/mozldap/ldapsearch -h adhostname -p 636 -Z -P /etc/dirsrv/slapd-YOUR-INSTANCE-HERE/cert8.db -D "CN=Administrator,CN=Users,DC=prism,DC=internal" -w password -s base -b ""
I exported the certificate using the directions
http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html,
and the file is readable by all users.


This seems to be similar to Jeff Moody's problem earlier this year in
the topic "IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10". I
also created an "Enterprise root CA", but he didn't specify how he
finally found the correct certificate, just that it wasn't easy! I've
searched the computer, and the only ".crt" file is the one I used. In
the "Certification Authority" tool, I see that there are two
certificates in the chain, but if I export the other one,
ipa-replica-manage says "could not add certificate to token or
database: Error adding certificate to database."

Does anyone have any idea what might be going wrong?
If you are able to successfully use openldap ldapsearch with that ca cert, then either it's not a problem with the CA cert, or you have no TLS/SSL checking whatsoever in your ldap configuration.
Thank you,
Sam Hartsfield

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to