On 01/20/2012 01:08 PM, Jimmy wrote:
That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid) -- is it not possible to also sync (add) the users from AD to DS?
Yes, it is. Just configure IPA Windows Sync.
I created a new user in AD and it doesn't propagate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    On 01/20/2012 12:46 PM, Jimmy wrote:
    Getting close here... Now I see this message in the sync log file:

    attempting to sync password for testuser
    searching for (ntuserdomainid=testuser)
    ldap error in queryusername
     32: no such object
    deferring password change for testuser
    This usually means the search base is incorrect or not found.  You
    can look at the 389 access log to see what it was using as the
    search criteria.


    On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        On 01/20/2012 10:23 AM, Jimmy wrote:
        You are correct. I had installed as an Enterprise root, but
        the doc I was reading (original link) seemed to say that I
        had to do the certreq manually, my bad. I think I'm getting
        closer: I can establish an openssl connection from DS to AD
        but I get these errors:

         openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
        CONNECTED(00000003)
        depth=0 CN = csp-ad.cspad.pdh.csp
        verify error:num=20:unable to get local issuer certificate
        verify return:1
        depth=0 CN = csp-ad.cspad.pdh.csp
        verify error:num=27:certificate not trusted
        verify return:1
        depth=0 CN = csp-ad.cspad.pdh.csp
        verify error:num=21:unable to verify the first certificate
        verify return:1

        I thought I had imported the cert from AD but it doesn't
        seem so. I'm still researching but if you guys have a
        suggestion let me know.
        Is dsca.crt the CA that issued the DS server cert?  If so,
        that won't work.  You need the CA cert from the CA that
        issued the AD server cert (i.e. the CA cert from the MS
        Enterprise Root CA).

        -J

        On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <rmegg...@redhat.com> wrote:

            On 01/19/2012 02:59 PM, Jimmy wrote:
            ok. I started from scratch this week on this and I
            think I've got the right doc and understand better
            where this is going. My problem now is that when
            configuring SSL on the AD server (step c in this url:
            http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service)

            I get this error:

            certreq -submit request.req certnew.cer
            Active Directory Enrollment Policy
              {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
              ldap:
            RequestId: 3
            RequestId: "3"
            Certificate not issued (Denied) Denied by Policy Module
             0x80094801, The request does not contain a certificate
            template extension or the CertificateTemplate request
            attribute.
             The request contains no certificate template
            information. 0x80094801 (-2146875391)
            Certificate Request Processor: The request contains no
            certificate template information. 0x80094801
            (-2146875391)
            Denied by Policy Module  0x80094801, The request does
            not contain a certificate template extension or the
            CertificateTemplate request attribute.

            The RH doc says to use the browser if an error occurs
            and IIS is running but I'm not running IIS. I
            researched that error but didn't find anything that
            helps with FreeIPA and passsync.
            Hmm - try installing Microsoft Certificate Authority in
            Enterprise Root CA mode - it will usually automatically
            create and install the AD server cert.
            http://directory.fedoraproject.org/wiki/Howto:WindowsSync


            Jimmy

            On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                On 01/11/2012 11:22 AM, Jimmy wrote:
                We need to be able to replicate user/pass between
                Windows 2008 AD and FreeIPA.

                That's what IPA Windows Sync is supposed to do.


                I have followed many different documents and
                posted here about it and from what I've read and
                procedures I've followed we are unable to
                accomplish this.

                What have you tried, and what problems have you run
                into?

                It doesn't need to be a full trust.

                Thanks

                On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzel...@redhat.com> wrote:

                    > Just wondering if there was anyone listening on the list that might be
                    > available for little work integrating FreeIPA with Active Directory
                    > (preferably in the south east US.) I hope this isn't against the list
                    > rules, I just thought one of you guys could help or point me in the right
                    > direction.

                    If you want some help, it is certainly not
                    against list rules ;-) But in that
                    case, it would be much better if you asked
                    for what exactly you need.

                    I'm not an AD expert, but a couple of tips: If
                    you are looking for cross-domain
                    (cross-realm) trust, then you might be a bit
                    disappointed; it is still in
                    development, so it probably won't be 100%
                    functional at this moment.

                    If you are looking for something else, could
                    you be a little more specific about what
                    it is?

                    I also recommend starting with reading some doc:
                    http://freeipa.org/page/DocumentationPortal

                    Thanks
                    Jan



                _______________________________________________
                Freeipa-users mailing list
                Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>
                https://www.redhat.com/mailman/listinfo/freeipa-users

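The openssl verify error 20 in the thread comes from pointing -CAfile at the wrong CA; Rich's point is that the file must be the AD Enterprise Root CA certificate, not the CA behind the DS cert. This added example (not from the thread) builds two unrelated local CAs and a server cert, then verifies the server cert against each; it assumes the openssl CLI is installed, and every certificate and hostname is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local
# issuer certificate" (error 20) seen above by verifying a server cert
# against the wrong CA, then against the CA that actually issued it.
# Assumes the openssl CLI; every certificate here is constructed locally.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the result does not depend on the system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# gen_ca PREFIX CN: a self-signed CA certificate and key
gen_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Two unrelated CAs: the one behind the 389 DS cert (dsca.crt in the thread)
# and the AD Enterprise Root CA that issued the AD server certificate.
gen_ca dsca "DS CA"
gen_ca adca "AD Enterprise Root CA"

# AD LDAPS server certificate, issued by the AD CA (hostname is made up)
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout ad.key \
  -out ad.csr -subj "/CN=ad.example.test" >/dev/null 2>&1
openssl x509 -req -in ad.csr -CA adca.crt -CAkey adca.key -CAcreateserial \
  -days 1 -out ad.crt >/dev/null 2>&1

# verify_with CAFILE CERT: prints "ok" or "error N" (N = X509 verify code)
verify_with() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
  esac
}

echo "with dsca.crt: $(verify_with dsca.crt ad.crt)"   # error 20, as in the thread
echo "with adca.crt: $(verify_with adca.crt ad.crt)"   # ok
```

The same check against a live AD host is `openssl s_client -connect HOST:636 -CAfile adca.crt`, which should end with "Verify return code: 0 (ok)" once the right CA file is used.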