On 01/20/2012 12:46 PM, Jimmy wrote:
Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria.

On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    On 01/20/2012 10:23 AM, Jimmy wrote:
    You are correct. I had installed as an Enterprise root, but the
    doc I was reading (original link) seemed to say that I had to do
    the certreq manually, my bad. I think I'm getting closer: I can
    establish an openssl connection from DS to AD but I get these
    errors:

     openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
    CONNECTED(00000003)
    depth=0 CN = csp-ad.cspad.pdh.csp
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = csp-ad.cspad.pdh.csp
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = csp-ad.cspad.pdh.csp
    verify error:num=21:unable to verify the first certificate
    verify return:1

    I thought I had imported the cert from AD but it doesn't seem so.
    I'm still researching but if you guys have a suggestion let me know.
    Is dsca.crt the CA that issued the DS server cert?  If so, that
    won't work.  You need the CA cert from the CA that issued the AD
    server cert (i.e. the CA cert from the MS Enterprise Root CA).

    -J

    On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        On 01/19/2012 02:59 PM, Jimmy wrote:
        ok. I started from scratch this week on this and I think
        I've got the right doc and understand better where this is
        going. My problem now is that when configuring SSL on the AD
        server (step c in this url:
        http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )

        I get this error:

        certreq -submit request.req certnew.cer
        Active Directory Enrollment Policy
          {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
          ldap:
        RequestId: 3
        RequestId: "3"
        Certificate not issued (Denied) Denied by Policy Module
         0x80094801, The request does not contain a certificate
        template extension or the CertificateTemplate request attribute.
         The request contains no certificate template information.
        0x80094801 (-2146875391)
        Certificate Request Processor: The request contains no
        certificate template information. 0x80094801 (-2146875391)
        Denied by Policy Module  0x80094801, The request does not
        contain a certificate template extension or the
        CertificateTemplate request attribute.

        The RH doc says to use the browser if an error occurs and
        IIS is running but I'm not running IIS. I researched that
        error but didn't find anything that helps with FreeIPA and
        passsync.
        Hmm - try installing Microsoft Certificate Authority in
        Enterprise Root CA mode - it will usually automatically
        create and install the AD server cert.
        http://directory.fedoraproject.org/wiki/Howto:WindowsSync


        Jimmy

        On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

            On 01/11/2012 11:22 AM, Jimmy wrote:
            We need to be able to replicate user/pass between
            Windows 2008 AD and FreeIPA.

            That's what IPA Windows Sync is supposed to do.


            I have followed many different documents and posted
            here about it and from what I've read and procedures
            I've followed we are unable to accomplish this.

            What have you tried, and what problems have you run into?

            It doesn't need to be a full trust.

            Thanks

            On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:

                > Just wondering if there was anyone listening on the list that might be
                > available for little work integrating FreeIPA with Active Directory
                > (preferably in the south east US.) I hope this isn't against the list
                > rules, I just thought one of you guys could help or point me in the right
                > direction.

                If you want some help, it is certainly not against
                list rules ;-) But in that
                case, it would be much better if you asked what
                exactly do you need.

                I'm not an AD expert, but a couple tips: If you are
                looking for cross-domain
                (cross-realm) trust, then you might be a bit
                disappointed, it is still in
                development, so it probably won't be 100%
                functional at this moment.

                If you are looking for something else, could you be
                a little more specific what
                it is?

                I also recommend starting with reading some doc:
                http://freeipa.org/page/DocumentationPortal

                Thanks
                Jan



            _______________________________________________
            Freeipa-users mailing list
            Freeipa-users@redhat.com
            https://www.redhat.com/mailman/listinfo/freeipa-users







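The point Rich makes about dsca.crt (the CA file handed to `openssl s_client` must be the CA that issued the AD server certificate, not the CA that issued the Directory Server certificate) can be reproduced offline. The script below is an added example, not code from the thread or from FreeIPA: it builds two throwaway CAs, `dsca` standing in for the DS CA and `adca` for the Microsoft Enterprise Root CA, issues one server certificate from `adca` only, and then runs `openssl verify` against each CA file. The host CN, file names and work directory are constructed for the demonstration; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): show why verifying the AD server
# certificate against the DS CA fails with "unable to get local issuer
# certificate" (X509 error 20), and succeeds against the issuing CA.
# "dsca" and "adca" are constructed stand-ins for the two CAs in the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA (key + cert in one step, RSA 2048, unencrypted key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

make_ca dsca   # CA that issued the Directory Server certificate
make_ca adca   # CA that issued the AD server certificate (Enterprise Root CA)

# Server certificate for the AD host, signed by adca only (constructed CN).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=csp-ad.example.test" \
  -keyout ad.key -out ad.csr >/dev/null 2>&1
openssl x509 -req -in ad.csr -CA adca.crt -CAkey adca.key -CAcreateserial \
  -days 1 -out ad.crt >/dev/null 2>&1

# Verify ad.crt against a CA file; print "OK", the X509 error number 20,
# or the raw openssl output for anything else. The exit status is ignored
# on purpose because older openssl releases return 0 even on failure.
verify_against() {
  out=$(openssl verify -CAfile "$1" ad.crt 2>&1) || true
  case "$out" in
    *": OK"*)         echo OK ;;
    *"error 20 at"*)  echo 20 ;;
    *)                echo "$out" ;;
  esac
}

# Wrong trust anchor: what the thread's run with -CAfile dsca.crt amounts to.
WRONG=$(verify_against dsca.crt)
# Right trust anchor: the CA that actually issued the AD certificate.
RIGHT=$(verify_against adca.crt)

echo "verify with dsca.crt: $WRONG"   # 20 (unable to get local issuer certificate)
echo "verify with adca.crt: $RIGHT"   # OK
```

`openssl verify` stops at the first error, so it reports only error 20; `s_client` keeps going and additionally prints errors 27 ("certificate not trusted") and 21 ("unable to verify the first certificate"), which is why all three appear in the thread. Fixing the trust anchor clears all of them at once.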