On 05/16/2012 06:04 PM, Kline, Sara wrote:
I found the issue; it had to do with what Windows set the cn to, as
opposed to what I thought the CN was. Once I figured out where that
was set, I was able to fix it. CNs for us are usually the user ID,
so that was where the disconnect was. Once I fixed that issue, however,
I got another error. I am logged in as root on the FreeIPA server.
When I run the ipa-replica-manage command I get:
Added CA certificate /etc/openldap/cacerts/winadcert.cer to
certificate database for oly-infra-ldap1.prod.tnsi.com
INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
Insufficient access
I am not sure I understand why this is not working.

You have to set permissions for your AD user in order to use the DirSync
control.
See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx
To use the DirSync control, caller must have the "directory get
changes" right assigned on the root of the partition being monitored.
By default, this right is assigned to the Administrator and
LocalSystem accounts on domain controllers. The caller must also have
the *DS-Replication-Get-Changes*
<http://msdn.microsoft.com/en-us/library/ms684354%28v=vs.85%29.aspx>
extended control access right. For more information about implementing
a change-tracking mechanism for applications that must run under an
account that does not have this right, see Polling for Changes Using
USNChanged
<http://msdn.microsoft.com/en-us/library/ms677627%28v=vs.85%29.aspx>.
For more information about privileges, see Privileges
<http://msdn.microsoft.com/en-us/library/aa379306%28v=vs.85%29.aspx>.

Thanks,
Sara Kline
*From:* Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Wednesday, May 16, 2012 4:12 PM
*To:* Kline, Sara
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
On 05/16/2012 04:33 PM, Kline, Sara wrote:
Hey all,
FreeIPA has been very simple to setup so far, I have been able to
follow along with the documentation every step of the way. I am
running into an issue however when trying to set up replication
between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2
server running Active Directory. I created the replication user like
the instructions say and gave it the necessary permissions, however
when I try to set up the agreement, it tells me I am using invalid
credentials. I am unsure of what I should do at this point. SSL certs
are installed on both and trusted on both, the servers are connected
and both are synced to the same time source. Can anyone think of
anything else?
I am using the command as follows:
ipa-replica-manage connect --winsync \
  --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com \
  --bindpw mypassword \
  --passsync mypassword \
  --cacert /etc/openldap/cacerts/winadcert.cer \
  oly-infra-ldap2.prod.example.com

You can use ldapsearch to test the connection with AD:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL \
  -H ldap://oly-infra-ldap2.prod.example.com -ZZ \
  -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword \
  -s base -b "" 'objectclass=*' namingcontexts
This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted
for the shell
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495
------------------------------------------------------------------------
This e-mail message is for the sole use of the intended
recipient(s)and may
contain confidential and privileged information of Transaction Network
Services.
Any unauthorised review, use, disclosure or distribution is
prohibited. If you
are not the intended recipient, please contact the sender by reply
e-mail and destroy all copies of the original message.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
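The DirSync permission Rich points to (the "Replicating Directory Changes" / DS-Replication-Get-Changes control access right on the root of the domain partition) can be granted and checked from a domain controller. The PowerShell below is an added example, not code from this thread, from FreeIPA or from Red Hat; it assumes the domain prod.example.com, a bind account whose sAMAccountName is freeipa, and a Domain Admin session on a DC that has the ActiveDirectory module (RSAT) installed. It goes slightly beyond the thread in that it also prints the account's distinguishedName, which is the value --binddn needs and the source of the CN mix-up described at the top of the thread.

```powershell
# Added example (not from the mailing-list thread or from FreeIPA).
# Grants the winsync bind account the DS-Replication-Get-Changes control
# access right on the domain partition root, which is what the DirSync
# control requires, and reads the ACL back to confirm the ACE is present.
# Assumptions: domain prod.example.com, bind account sAMAccountName
# "freeipa", run on a DC by a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$PartitionDN = 'DC=prod,DC=example,DC=com'
$BindAccount = 'freeipa'

# rightsGuid of the DS-Replication-Get-Changes control access right, as
# defined in the AD schema (Extended-Rights container). Do not confuse it
# with DS-Replication-Get-Changes-All (1131f6ad-...), which additionally
# allows replicating secrets such as password hashes and is not needed here.
$GetChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Resolve the account. Its DistinguishedName is what --binddn must be; the
# CN (RDN) is whatever AD set when the object was created, which is not
# necessarily the sAMAccountName, so look it up instead of guessing.
$user = Get-ADUser -Identity $BindAccount
Write-Host "Use --binddn $($user.DistinguishedName)"

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$PartitionDN"

# Look for an existing Allow ACE for this SID carrying the extended right.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    $_.ObjectType -eq $GetChangesGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $user.SID
}

if ($existing) {
    Write-Host "DS-Replication-Get-Changes already granted to $BindAccount on $PartitionDN"
} else {
    # The right is checked on the partition root object itself, so no
    # inheritance is needed (ActiveDirectorySecurityInheritance::None).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $user.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChangesGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$PartitionDN" -AclObject $acl
    Write-Host "Granted DS-Replication-Get-Changes to $BindAccount on $PartitionDN"
}

# Human-readable cross-check with the built-in tool; the right is listed
# under its display name "Replicating Directory Changes".
dsacls $PartitionDN | Select-String -SimpleMatch 'Replicating Directory Changes'
```

Grant only DS-Replication-Get-Changes, not DS-Replication-Get-Changes-All: the former is sufficient for the DirSync control that winsync uses, while the latter lets the holder replicate directory secrets and should stay reserved for domain controllers. Once the ACE is in place, re-run the ipa-replica-manage connect --winsync command with the distinguishedName printed above as --binddn; the "Insufficient access" error in the thread is what the DC returns when the bind succeeds but this right is missing.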