That was it! I have passwords syncing, *BUT*(at the risk of sounding
stupid)-- is it not possible to also sync(add) the users from AD to DS? I
created a new user in AD and it doesn't propogate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> **
> On 01/20/2012 12:46 PM, Jimmy wrote:
>
> Getting close here... Now I see this message in the sync log file:
>
>  attempting to sync password for testuser
> searching for (ntuserdomainid=testuser)
> ldap error in queryusername
>  32: no such object
> deferring password change for testuser
>
> This usually means the search base is incorrect or not found.  You can
> look at the 389 access log to see what it was using as the search criteria.
>
>
> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmegg...@redhat.com>wrote:
>
>>  On 01/20/2012 10:23 AM, Jimmy wrote:
>>
>> You are correct. I had installed as an Enterprise root, but the doc I was
>> reading(original link) seemed to say that I had to do the certreq manually,
>> my bad. I think I'm getting closer I can establish an openssl connection
>> from DS to AD but I get these errors:
>>
>>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>> dsca.crt
>> CONNECTED(00000003)
>> depth=0 CN = csp-ad.cspad.pdh.csp
>>  verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>>
>>  I thought I had imported the cert from AD but it doesn't seem so. I'm
>> still researching but if you guys have a suggestion let me know.
>>
>>  Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>> work.  You need the CA cert from the CA that issued the AD server cert
>> (i.e. the CA cert from the MS Enterprise Root CA).
>>
>>  -J
>>
>>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmegg...@redhat.com>wrote:
>>
>>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>>
>>> ok. I started from scratch this week on this and I think I've got the
>>> right doc and understand better where this is going. My problem now is that
>>> when configuring SSL on the AD server (step c in this url:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>>  )
>>>
>>> I get this error:
>>>
>>>  certreq -submit request.req certnew.cer
>>> Active Directory Enrollment Policy
>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>   ldap:
>>> RequestId: 3
>>> RequestId: "3"
>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>>> request does not contain a certificate template extension or the
>>> CertificateTemplate request attribute.
>>>  The request contains no certificate template information. 0x80094801
>>> (-2146875391)
>>> Certificate Request Processor: The request contains no certificate
>>> template information. 0x80094801 (-2146875391)
>>>  Denied by Policy Module  0x80094801, The request does not contain a
>>> certificate template extension or the CertificateTemplate request attribute.
>>>
>>>  The RH doc says to use the browser if an error occurs and IIS is
>>> running but I'm not running IIS. I researched that error but didn't find
>>> anything that helps with FreeIPA and passsync.
>>>
>>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>>> CA mode - it will usually automatically create and install the AD server
>>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>
>>>
>>>  Jimmy
>>>
>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com>wrote:
>>>
>>>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>
>>>> We need to be able to replicate user/pass between Windows 2008 AD and
>>>> FreeIPA.
>>>>
>>>>
>>>>  That's what IPA Windows Sync is supposed to do.
>>>>
>>>>
>>>> I have followed many different documents and posted here about it and
>>>> from what I've read and procedures I've followed we are unable to
>>>> accomplish this.
>>>>
>>>>
>>>>  What have you tried, and what problems have you run into?
>>>>
>>>>  It doesn't need to be a full trust.
>>>>
>>>>  Thanks
>>>>
>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:
>>>>
>>>>>  > Just wondering if there was anyone listening on the list that
>>>>> might be
>>>>> > available for little work integrating FreeIPA with Active Directory
>>>>> > (preferrably in the south east US.) I hope this isn't against the
>>>>> list
>>>>> > rules, I just thought one of you guys could help or point me in the
>>>>> right
>>>>> > direction.
>>>>>
>>>>>  If you want some help, it is certainly not against list rules ;-)
>>>>> But in that
>>>>> case, it would be much better if you asked what exactly do you need.
>>>>>
>>>>> I'm not an AD expert, but a couple tips: If you are looking for
>>>>> cross-domain
>>>>> (cross-realm) trust, then you might be a bit disappointed, it is still
>>>>> in
>>>>> development, so it probably won't be 100% functional at this moment.
>>>>>
>>>>> If you are looking for something else, could you be a little more
>>>>> specific what
>>>>> it is?
>>>>>
>>>>> I also recommend starting with reading some doc:
>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>
>>>>> Thanks
>>>>> Jan
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing 
>>>> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to