Shan Kumaraswamy wrote:
While installing IPA its creates its won CA cert right? (cacert.p12),
and also I done the setep of export this CA file as dsca.crt.
Right. You have to do that so that AD can be an SSL client to the IPA SSL server.
Please let me know steps to generate the IPA CA and server cert?
The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.

On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson < <>> wrote:

    Shan Kumaraswamy wrote:


        I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync
        with Active Directory (windows 2008 R2). Can please anyone
        have step-by-step configuration doc and share to me?
        Previously I have done the same exercise, but now that is not
        working for me and I am facing lot of challenges to make this

        Please find the steps what exactly I done so for:

        1.       Installed RHDS 8.1 and FreeIPA 1.2.1 and configured
        properly and tested its working fine

        2.       In AD side, installed Active Directory certificate
        Server as a Enterprise Root

        3.       Copy the “cacert.p12” file and imported under
        Certificates –Service (Active Directory Domain service) on
        Local Computer using MMC.

        4.       Installed PasSync.msi file and given all the required

        5.       Run the command “certutil -d . -L -n "CA certificate"
        -a > dsca.crt” from IPA server and copied the .crt file in to
        AD server and ran this command from “cd "C:\Program Files\Red
        Hat Directory Password Synchronization"

        6.       certutil.exe -d . -N

        7.       certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i

        8.       certutil.exe -d . -L -n "DS CA cert" and rebooted the
        AD server.

        After this steps, when try to create sync agreement from IPA
        server I am getting  this error:

ldap_simple_bind: Can't contact LDAP server

               SSL error -8179 (Peer's Certificate issuer is not

        Please share the steps to configure AD Sync with IPA server.

    But it looks as though there is a step missing.  If you use MS AD
    CA to generate the AD cert, and use IPA to generate the IPA CA and
    server cert, then you have to import the MS AD CA cert into IPA.

-- Thanks & Regards
        Shan Kumaraswamy

Thanks & Regards
Shan Kumaraswamy

Freeipa-users mailing list

Reply via email to