On 01/19/2012 02:59 PM, Jimmy wrote:
ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. The request contains no certificate template information. 0x80094801 (-2146875391) Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert. http://directory.fedoraproject.org/wiki/Howto:WindowsSync

Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    On 01/11/2012 11:22 AM, Jimmy wrote:
    We need to be able to replicate user/pass between Windows 2008 AD
    and FreeIPA.

    That's what IPA Windows Sync is supposed to do.


    I have followed many different documents and posted here about it
    and from what I've read and procedures I've followed we are
    unable to accomplish this.

    What have you tried, and what problems have you run into?

    It doesn't need to be a full trust.

    Thanks

    On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:

        > Just wondering if there was anyone listening on the list that might be
        > available for little work integrating FreeIPA with Active Directory
        > (preferably in the south east US.) I hope this isn't against the list
        > rules, I just thought one of you guys could help or point me in the right
        > direction.

        If you want some help, it is certainly not against list rules ;-) But in that
        case, it would be much better if you asked what exactly do you need.

        I'm not an AD expert, but a couple tips: If you are looking for cross-domain
        (cross-realm) trust, then you might be a bit disappointed, it is still in
        development, so it probably won't be 100% functional at this moment.

        If you are looking for something else, could you be a little more specific what
        it is?

        I also recommend starting with reading some doc:
        http://freeipa.org/page/DocumentationPortal

        Thanks
        Jan



    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users


