On 08/06/2012 02:28 AM, Baptiste AGASSE wrote:


Hi all,

I have a problem with winsync between IPA 2.2 on CentOS 6.3 and
directory 2008R2.

I'm following this documentation to enable synchronization:
There is nothing on this page about running certutil? Which link
about certutil?
Links present in the documentation talk about commands and options
for certutil, but I don't see anything about this error.

Can one of the IPA developers explain why it is necessary to install
IPA CA certificate into the Windows Cert Store in order to get
Winsync/PassSync working? I don't believe it is necessary.

For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
Directory and IPA CA Certificates
- I trusted IPA certificate on AD.
To do this, I launched mmc, added the "Certificates" snap-in for "local
computer", and then added the IPA cert to Trusted Root CAs.

Now when I run "openssl s_client -host ad-server.example.com -port 636" I can
see the IPA certificate as a trusted client CA.

- I tested AD ldap connection:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com 
-ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 
'objectclass=*' namingcontexts
namingContexts: DC=example,DC=com
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now I hit another problem when I run:

ipa-replica-manage connect --winsync --binddn 
cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert 
/etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database 
for ipa.foo.example.local
ipa: INFO: AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is 
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: 
start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
Failed to start replication
What platform?  What version of 389-ds-base?
Can you post some excerpts from your 389 errors log from /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the error?

I am a newbie on Microsoft OSes, but I don't understand why certutil
doesn't find my file.

I will ask on a microsoft forum.


When I run as admin 'certutil -installcert -v -config
"ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
French):

CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.



Freeipa-users mailing list
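The reply above asks for excerpts from the 389-ds errors log around the time of the failed winsync connect. As an added helper that is not part of this thread or of the FreeIPA/389-ds tooling, the Python script below pulls the replication-related entries from such a log within a window of a given time; it assumes the 389-ds errors-log timestamp format `[dd/Mon/yyyy:HH:MM:SS +zzzz]`, and the sample entries and their message text are constructed for illustration.

```python
"""Extract replication/winsync entries from a 389-ds errors log around a
given time, to share on the list.  Added helper; not FreeIPA/389-ds code."""
import re
from datetime import datetime, timedelta, timezone

# 389-ds errors log entries start with "[dd/Mon/yyyy:HH:MM:SS +zzzz] message".
_ENTRY = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
# Substrings that mark replication / winsync related entries (assumption).
KEYWORDS = ("NSMMReplicationPlugin", "agmt=", "winsync", "System error")


def parse_entry(line):
    """Return (aware datetime, message), or None for a line with no timestamp
    (389-ds continues multi-line messages without repeating the timestamp)."""
    m = _ENTRY.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"), m.group(2)


def entries_around(lines, when, window=timedelta(minutes=5), keywords=KEYWORDS):
    """Return entries within +/- window of `when` whose message contains any
    keyword; untimestamped continuation lines follow their matched entry."""
    out, keep = [], False
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:  # continuation line of the previous entry
            if keep:
                out.append(line.rstrip("\n"))
            continue
        ts, msg = parsed
        keep = abs(ts - when) <= window and any(k in msg for k in keywords)
        if keep:
            out.append(line.rstrip("\n"))
    return out


# Constructed sample log; message text is illustrative, not verbatim 389-ds output.
SAMPLE_LOG = """\
[06/Aug/2012:02:15:00 +0200] - slapd started.  Listening on All Interfaces port 389
[06/Aug/2012:02:27:50 +0200] NSMMReplicationPlugin - agmt="cn=meToad-server.example.com" (ad-server:636): Replication bind failed
[06/Aug/2012:02:27:50 +0200] - Some unrelated message
[06/Aug/2012:02:28:05 +0200] NSMMReplicationPlugin - agmt="cn=meToad-server.example.com" (ad-server:636): Update failed! Status: [-11  - System error]
  continuation line with more detail
[06/Aug/2012:03:30:00 +0200] NSMMReplicationPlugin - agmt="cn=meToad-server.example.com" (ad-server:636): State: wait_for_changes
"""
# Time of the failed "ipa-replica-manage connect" run (constructed).
WHEN = datetime(2012, 8, 6, 2, 28, tzinfo=timezone(timedelta(hours=2)))


def demo():
    """Run the filter over the constructed sample; returns 3 lines."""
    return entries_around(SAMPLE_LOG.splitlines(keepends=True), WHEN)


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real server, replace the sample with `open("/var/log/dirsrv/slapd-YOUR-DOMAIN/errors")` and `WHEN` with the time of the failed connect.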