I found the issue: it had to do with what Windows set the cn to, as opposed to 
what I thought the CN was. Once I figured out where that was set, I was able 
to fix it. CNs for us are usually the user ID, so that was where the disconnect 
was. Once I fixed that issue, however, I got another error. I am logged in as 
root on the FreeIPA server. When I run the ipa-manage-replica command I get:
Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate 
database for oly-infra-ldap1.prod.tnsi.com
INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
Insufficient access

I am not sure I understand why this is not working.

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, May 16, 2012 4:12 PM
To: Kline, Sara
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD

On 05/16/2012 04:33 PM, Kline, Sara wrote:
Hey all,
FreeIPA has been very simple to set up so far; I have been able to follow along 
with the documentation every step of the way. I am running into an issue, 
however, when trying to set up replication between the Red Hat 6.2 server 
running FreeIPA and the Win 2008 R2 server running Active Directory. I created 
the replication user like the instructions say and gave it the necessary 
permissions; however, when I try to set up the agreement, it tells me I am using 
invalid credentials. I am unsure of what I should do at this point. SSL certs 
are installed on both and trusted on both, the servers are connected, and both 
are synced to the same time source. Can anyone think of anything else?
I am using the command as follows:
ipa-replica-manage connect --winsync
--binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
--bindpw mypassword
--passsync mypassword
--cacert /etc/openldap/cacerts/winadcert.cer
oly-infra-ldap2.prod.example.com

You can use ldapsearch to test the connection with AD:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H 
ldap://oly-infra-ldap2.prod.example.com -ZZ -D 
"cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b "" 
'objectclass=*' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for the 
shell



Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495


________________________________
This e-mail message is for the sole use of the intended recipient(s)and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



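The two failures in this thread (a bind DN whose cn did not match what AD stored for the account, and doubt about whether the suffix and credentials were right) can be checked before running ipa-replica-manage. The script below is an added example, not code from the thread or from FreeIPA: it parses LDIF of the shape the ldapsearch command above prints, confirms the expected AD suffix is among the rootDSE namingContexts, checks whether a bind DN names the object's real cn (AD sets cn from the display name, while the user id lives in sAMAccountName), and builds the ldapsearch command line with shell-safe quoting. The LDIF samples, the hostnames and the slapd-PROD-EXAMPLE-COM certificate directory are constructed placeholders.

```python
"""Pre-flight checks for a FreeIPA winsync bind against Active Directory.

Added example, not code from the thread or from FreeIPA. The LDIF samples
below are constructed to mimic what the ldapsearch command in the thread
returns from an AD domain controller.
"""
import shlex


def parse_ldif(text):
    """Parse simple LDIF text into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space) but not base64
    ('::') values, which is enough for rootDSE and plain user entries.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]          # folded line
            continue
        if not raw.strip():                             # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-fold a DN and strip whitespace around RDN separators.

    Assumes no escaped commas inside RDN values (true for the DNs here).
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def naming_contexts(rootdse_ldif):
    """Return the namingContexts the rootDSE advertises."""
    entries = parse_ldif(rootdse_ldif)
    return entries[0].get("namingContexts", []) if entries else []


def suffix_is_served(rootdse_ldif, suffix):
    """True if AD actually serves the suffix winsync will replicate from."""
    wanted = normalize_dn(suffix)
    return any(normalize_dn(nc) == wanted for nc in naming_contexts(rootdse_ldif))


def check_bind_dn(users_ldif, bind_dn):
    """Return (ok, actual_dn). ok is True when bind_dn matches an entry's DN.

    If it does not, look for an entry whose sAMAccountName equals the cn
    value in bind_dn and return that entry's real DN, which is what the bind
    must use (the thread's "cn vs user id" mismatch).
    """
    wanted = normalize_dn(bind_dn)
    cn_value = bind_dn.split(",", 1)[0].partition("=")[2].strip().lower()
    entries = parse_ldif(users_ldif)
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if normalize_dn(dn) == wanted:
            return True, dn
    for entry in entries:
        if cn_value in [v.lower() for v in entry.get("sAMAccountName", [])]:
            return False, entry["dn"][0]
    return False, None


def ldapsearch_command(host, cacertdir, bind_dn, password):
    """Build the rootDSE query from the thread as a shell-safe command string."""
    argv = ["ldapsearch", "-xLLL", "-H", f"ldap://{host}", "-ZZ",
            "-D", bind_dn, "-w", password, "-s", "base", "-b", "",
            "(objectclass=*)", "namingContexts"]
    return f"LDAPTLS_CACERTDIR={shlex.quote(cacertdir)} " + shlex.join(argv)


# Constructed sample of a rootDSE answer from an AD domain controller.
ROOTDSE_LDIF = """\
dn:
namingContexts: DC=prod,DC=example,DC=com
namingContexts: CN=Configuration,DC=prod,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=prod,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=prod,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=prod,DC=example,DC=com
"""

# Constructed sample of the sync account as AD stored it: cn came from the
# display name, the user id only lives in sAMAccountName.
USERS_LDIF = """\
dn: CN=FreeIPA Sync,CN=Users,DC=prod,DC=example,DC=com
cn: FreeIPA Sync
sAMAccountName: freeipa
userPrincipalName: freeipa@prod.example.com
"""

if __name__ == "__main__":
    # slapd-PROD-EXAMPLE-COM is an assumed instance directory name.
    print(ldapsearch_command("oly-infra-ldap2.prod.example.com",
                             "/etc/dirsrv/slapd-PROD-EXAMPLE-COM",
                             "cn=freeipa,cn=users,dc=prod,dc=example,dc=com",
                             "mypassword"))
    print("suffix served:", suffix_is_served(ROOTDSE_LDIF, "dc=prod,dc=example,dc=com"))
    ok, real_dn = check_bind_dn(USERS_LDIF, "cn=freeipa,cn=users,dc=prod,dc=example,dc=com")
    print("bind DN valid:", ok, "-> bind as", real_dn)
```

Run against real output by piping the ldapsearch result (rootDSE first, then a search for the sync account under cn=Users) into the two check functions; the bind DN the second check returns is the one to pass to --binddn, and the command builder removes the need to hand-quote a password that contains shell metacharacters.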
