Sayid Munawar wrote:

I have successfully installed freeipa-server 2 rc2. and create some test
user and tested machine enrollment. now, what i want to do next is sync
all my windows 2008r2 AD accounts. i've got already get the cert needed,
and tested it with ldapsearch tools in the same host as the
freeipa-server. so i assume that AD connection is ok. but when i did
ipa-manage-replica, it complaints about "Can't connect LDAP server".
here it is:

[root@yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora
DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert
/root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p
anothersecret DC1.DOT.JC

Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate
database for yk.nix.jc
ipa: INFO: Failed to connect to AD server
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f
13', 'desc': "Can't contact LDAP server"}
ipa: INFO: Continuning ...
The user for the Windows PassSync service is
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 No
replication sessions started since server startup: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Can't contact LDAP server
[root@yk ~]#

- I have no idea why AD connection is fail here, while it was ok with
ldapsearch tool. any clue ?

- and one more question: what is --passsync argument for? is it for foce
setting a "new password" for passsync user, or we have to first define a
password for passsync  user ?


Sayid Munawar

Passsync is a service that needs to run on all of your AD servers. It is a windows service that intercepts password requests and sends them along to IPA (over SSL). We need to have the password in the clear in order to generate Kerberos key material.

A special LDAP user is used for authentication to the Passsync service, the --passsync option sets the password for that account.

Make sure your CA was installed as an Enterprise CA (apparently it is the only kind that sets up a pure SSL LDAP port as opposed to using TLS over 389).

We discovered several winsync issues shortly after RC 2 was released. They are fixed now, you can take a look at them here:

We discovered these while fixing this:



Freeipa-users mailing list

Reply via email to