I apologize if this is just too much text, but I've had some struggles and I'm hoping to make things better for myself and others at the same time. I'd love to have some feedback here. I've gotten passsync to work once in a lab and never in production.
Introduction

This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passsync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I'm just covering some installation tips.

Before you begin

One thing I think is missing is adequate tools for testing SSL on the windows side. It's just as likely that I simply don't know what tools are available. In fact the article below seems to suggest that there's a way to run openssl.exe s_client on a windows machine. Not sure where that executable would come from.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

The thing I think is really missing is the ability to do ldapsearch with -ZZ using the certificate database in the c:\program files\389 directory password synchronization\ directory. I suspect that would be the best test. I think that's where I fall on my face the most. I hope someone can help me figure that part out a little better.

Getting started:

It's theoretically possible to get passsync to work on the first attempt. I've just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer. The installer has input fields for the following items:

hostname: <FQDN of the freeipa server>
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx>
password: <password>
cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents
search base: cn=users,cn=accounts,dc=inframax,dc=ncare

Verifying the hostname, username, password and search base values:

First I'll talk about verifying the easy stuff (hostname, username, password, search base).
Run notepad on the windows server and put in the values you're going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base. This connection is a non-SSL connection, but it's a start.

ldp.exe:
1) connection > connect
   enter the freeipa server hostname in the server field
   enter port 389 (non-ssl port) in the port field
   uncheck the SSL box
   click OK
2) connection > bind
   select the 'simple bind' radio button
   enter the DN for the passsync account on the freeipa server in the user field. This is "uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>" by default
   enter the password for the passsync account in the password field
   click OK
3) select view > tree and make sure you can browse the tree in the ipa server. Browse to the subtree that you're going to use for the search base and make sure you see your replicated accounts in that container.

If you can, then the values you used for the hostname, username, password and search base are all correct.

Moving on:

Assuming you've verified all four values you stashed in notepad, I'll talk through the remaining values:
1) The first four values are useless by themselves. passsync won't work without SSL, and if it did, it probably shouldn't (someone correct this if I'm wrong please).
2) The port for ldaps (ldap over SSL) is 636 by default. Unless you have some good reason to change that port, just use it.
3) cert token: I think the only valid value for this field comes from the file on the freeipa server (/etc/dirsrv/slapd-instance/pwdfile.txt). What I don't know is if I can break passsync by entering it when it's not needed. The docs say to leave it empty to begin. I also don't know if I can change that value just by entering it into the registry and restarting the passsync service. Honestly, I'm not even sure how to figure out if I need it. Hopefully someone will enlighten me.
Installing passsync:

Now we've done a bunch of work to check our values, but we haven't accomplished anything. So go ahead and run the passsync msi installer and enter your values into the appropriate fields. The installer will create files, directories and registry stuff, but we're not nearly done.

Step 5 in the link below looks like the correct next step, but this is where my confidence starts to collapse. I've gotten passsync to work exactly once and have had at least one case where I appear to have an SSL problem that I just can't figure out.
https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html

This other link seems to have more detailed instructions for the same import step, but I can't say they helped me either:
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

One more thing before rebooting: use regedit to change the value of HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works and you don't need it, great!

If the stars line up, you've put good values into the passsync installer, imported the freeipa server's certificate into the cert DB that passsync uses, and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect. After it restarts, change the password on an account that's being replicated to freeipa. Use notepad to open the file c:\program files\389 directory password synchronization\passsync.txt. If the passhook.dll is working correctly, you'll see an entry like:

'1 new entries loaded from data file'

If ssl is working correctly, you'll be able to log into the freeipa server with the test account and newly changed password. It seems more common that I end up with:

ldp bind error in connet 81: can't contact ldap server
Can not connect to ldap server in Syncpasswords.

This takes me to the point where I'd love more tools to troubleshoot the problem.

Other things I've tried:
1) UAC. I disable it, but I'd love some feedback on whether or not that's required on win 2k8R2.
2) Some of my DCs have certificate services installed and some don't. I don't think any of that matters for passsync, but I'd love feedback there too.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
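An added example, not from the post above and not part of the passsync project, for the "tools for testing SSL on the windows side" gap the poster describes: a PowerShell script run on the domain controller that does the LDAPS half of the ldp.exe walk-through (a TLS handshake to port 636, then a simple bind as the passsync account and a base-scope read of the search base). The hostname, bind DN and search base values are assumed placeholders (ipa.example.com, dc=example,dc=com); it assumes PowerShell 3 and .NET 4 on the DC. One caveat the post does not spell out: both checks validate the server certificate against the Windows certificate store, not against the NSS cert DB in the "389 directory password synchronization" directory that passsync itself uses, so passing here does not prove the certificate import into passsync's DB, while failing here (in particular with LDAP result code 81, the same "can't contact ldap server" code the poster quotes from passsync.txt) means passsync will fail too.

```powershell
<#
  Added example, not part of the original post or of the passsync project: two checks
  for the LDAPS path passsync uses, run from the domain controller in PowerShell 3+.
  Placeholders (assumed, replace with your own): ipa.example.com, dc=example,dc=com.
  Caveat: both checks trust the Windows certificate store, not the NSS cert DB under
  "389 directory password synchronization", so a pass here does not prove the cert
  import into passsync's DB, but a failure here will make passsync fail too.
#>
param(
    [string]$IpaServer  = "ipa.example.com",
    [int]   $Port       = 636,
    [string]$BindDn     = "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
    [string]$SearchBase = "cn=users,cn=accounts,dc=example,dc=com"
)

function Test-IpaTls {
    # Raw TLS handshake to the LDAPS port. Separates "port closed" from "port answers
    # but is not TLS" from "TLS works but Windows rejects the certificate".
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
    } catch [System.Net.Sockets.SocketException] {
        return [pscustomobject]@{ Ok = $false; Stage = "tcp"; Detail = $_.Exception.Message }
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # The name check uses $Server: pass the FQDN that is in the IPA server's cert.
        $ssl.AuthenticateAsClient($Server)
        $cert = $ssl.RemoteCertificate
        [pscustomobject]@{
            Ok = $true; Stage = "tls"; Protocol = $ssl.SslProtocol
            Subject = $cert.Subject; Issuer = $cert.Issuer
            Expires = $cert.GetExpirationDateString()
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted issuer, name mismatch or expired cert. For this test, import the
        # IPA CA into the machine's Trusted Root store (passsync keeps its own DB).
        [pscustomobject]@{ Ok = $false; Stage = "cert"; Detail = $_.Exception.Message }
    } catch [System.IO.IOException] {
        # Typically "unexpected packet format": the port is open but not speaking TLS.
        [pscustomobject]@{ Ok = $false; Stage = "handshake"; Detail = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-IpaLdapsBind {
    # Simple bind over LDAPS, which is what passsync does, then a base-scope read of
    # the search base. The LDAP result code tells you which installer value is wrong.
    param([string]$Server, [int]$Port, [string]$BindDn, [securestring]$Password,
          [string]$SearchBase)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    # NetworkCredential(string, SecureString) needs .NET 4 (assumed above).
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind()
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, "(objectClass=*)", $scope, "objectClass")
        $resp  = $conn.SendRequest($req)
        [pscustomobject]@{ Ok = $true; Stage = "search"; Found = $resp.Entries[0].DistinguishedName }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $code = $_.Exception.ErrorCode
        $hint = switch ($code) {
            81      { "can't contact LDAP server: TLS or network problem (same code as in passsync.txt)" }
            49      { "invalid credentials: bind DN or password is wrong" }
            default { "LDAP result code $code" }
        }
        [pscustomobject]@{ Ok = $false; Stage = "bind"; Code = $code; Detail = $hint }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Bind worked but the read failed: NoSuchObject (32) means the search base is wrong.
        $r = $_.Exception.Response
        [pscustomobject]@{ Ok = $false; Stage = "search"; Code = $r.ResultCode; Detail = $r.ErrorMessage }
    } finally {
        $conn.Dispose()
    }
}

$Password = Read-Host -AsSecureString "Password for $BindDn"
$tls = Test-IpaTls -Server $IpaServer -Port $Port
$tls | Format-List | Out-Host
if ($tls.Ok) {
    Test-IpaLdapsBind -Server $IpaServer -Port $Port -BindDn $BindDn -Password $Password -SearchBase $SearchBase |
        Format-List | Out-Host
}
```

Run it with the same hostname, DN and search base you put in notepad; the first stage tells you whether port 636 is reachable, speaks TLS and presents a certificate whose name matches the hostname you typed, and the second reproduces the simple bind passsync performs. If the TLS stage fails at "cert" but an openssl or ldapsearch check from the IPA side succeeds, the problem is trust on the Windows side; if both stages pass and passsync still logs error 81, the remaining suspect is the certificate database passsync itself uses.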
