Thanks for the feedback! ldp.exe does support ssl.   The comment about 636
being the non-ssl port  was cruft from a previous version where I was
trying to keep things simple.

On Fri, Dec 28, 2012 at 3:40 PM, Rich Megginson <rmegg...@redhat.com> wrote:

>  On 12/24/2012 09:13 AM, Nate Marks wrote:
>
> I'd love some feedback on these. They seemed to work for me.Thanks!
>
>
> Introduction
> This guide starts at the point where your freeipa server is correctly
> replicating accounts from a windows active directory server.  The following
> steps are intended to help you roll out the passync software to all of your
> domain controllers.  Detailed descriptions of how the software works are
> available from people far more competent than myself.  I’m just covering
> some installation tips.  One thing that really screwed me up is that there
> are great passsync docs for 389 directory server and great passsync docs
> for freeipa server.  They are similar.  They are NOT interchangeable.  When
> using freeipa server stick with freeipa docs .  I know this seems obvious,
> but when passsync doesn’t work the first time, my instinct is to cast about
> on google for things that seem to be related.  When you find the 389 server
> docs under those circumstances and try to apply them  to freeipa, you find
> a rathole.
>
>
> Fixed - see below.
>
>
>
> Getting started:
>
> It’s theoretically possible to get the passsync to work on the first
> attempt.  I’ve just never  done it.  In order for that to work, you have to
> have exactly the right values  ready  to go when you run the passsync
> installer. The installer has input fields for the following items:
>
> verifying the hostname, username password and search base values
> hostname: <FQDN of the freeipa server>
> port: 636
> username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx>
> password: <password>
> cert token :  tried it with and without the
> /etc/dirsrv/slapd-instance/pwdfile.txt contents
>
>
> Right - not needed
>
>
>  serach base=cn=users,cn=accounts,dc=inframax,dc=ncare
>
> The best tool I found in windows for checking the passsync installation
> settings is ldp.
> First I’ll talk about verifying the easy stuff (hostname, username,
> password, search base).  run notepad on the windows server and put in the
> values you’re going to use before running the passsync installer.  Then run
> ldp.exe and use the values from notepad  and the steps below to verify the
> hostname, username, password and search base.
>
> ldp.exe
> connection > connect
> enter the freeipa server hostname in the server field
> enter port 636 (non-ssl port) in the port field
>
>
> 636 is the SSL port
> Does ldp have an option for StartTLS?
>
>
>  check the SSL box
> click OK
>
>
> connection > bind
> select the 'simple bind' radio button
> enter the DN for the passsync account on the freeipa server in the
> userfield.  this is
> "uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>"  by default
> enter the password for the passsync account in the password field
> click ok
>
> select view > tree and make sure you can browse the tree  in the ipa
> server. browse to the subtree that you're going to use for search base and
> make sure you
>  see your replicated accounts in that container.
> if you can, then the values  you used for the hostname, username, password
> and search base are all correct.  It also means that the ca.crt file you
> imported for ldap account syunchronization is working correctly.
>
> NOTE:  I left cert token empty.  it seems to be used for encrypting the
> certificate db in c:\program files\389 directory password synchronization.
>  That can be done after you get password synchronization working.
>
> Right - it is not needed
>
>
> Installing Passsync:
> Now we’ve done a bunch of work to  check our values, but we haven’t
> accomplished anything.  So go ahead and run the passsync msi installer and
> enter  your values into the appropriate fields.
>
> The installer will create files, directories and registry stuff, but we’re
> not  nearly done.
>
> Step 5 in the link below seems to have the correct steps.   Be sure to
> import the same certificate that you imported in the account
> synchronization process.  I got mine  with wget 
> http://<iapserver>/ipa/config/ca.crt.
>
>
>
> https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html
>
>
>
> One mroe thing before rebooting, use regedit to change the value of
> HKLM->Software->PasswordSync  “Log Level” from 0 to 1. If everything works
> and you don’t need it, great!
>
> If the stars line up, you’ve put good values into the passsync installer,
> imported the freeipa servers certificate into the cert DB that passsync
> uses and the installer registered a new  dll to capture password change
> events.  You need to reboot the server to get the dll registration to take
> effect.
> After it restarts,  change the password on an account that’s being
> replicated to free ipa.  use notepad to open the file c:\program files\389
> directory password synchronization\ passsync.txt
> if the passhook.dll is working correctly, you’ll see an entry like:
> ‘1 new entries loaded from data file’
>
>
> If ssl is working correctly, you’ll be able to log into the freeipa server
> with the test account  and newly changed password.
>
> Ifit doesn’t work, verify your cert and your values with ldp.exe.  I just
> don’t have anything better that that yet.
>
>
> This takes me to the point where I’d love more tools to troubleshoot the
> problem.
>
> Other things I’ve tried:
> 1) UAC.  I disable it, but I’d love some feedback on whether or not that’s
> required on win 2k8R2.
> 2) some of my DCs have certificate services installed and some don’t.  I
> don’t think any of that matters  or passsync, but I’d love feedback there
> too.
>
>
> It doesn't matter, as long as the Active Directory is using TLS/SSL
> somehow, and you have access to the CA cert of the CA that issued the
> Active Directory Server cert.
>
>
> 3)  Here are the details on the 389 directory server steps that screwed me
> up.:
>
> I found these steps for exporting cert from the linux  that apparently
> apply to 389 and not to freeipa(
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and they
> really screwed me up with freeipa:
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
> cd /usr/lib/dirsrv/slapd-instance_name
> certutil -d . -L -n "CA certificate" -a > dsca.crt
> # NOTE - it might not be called CA certificate - use certutil -d . -L to
> list your certs
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
>
> I think the problem is that it tells you to use /usr/lib/dirsrv/slapd-INST
> which is bogus - it should be /etc/dirsrv/slapd-INST - I've fixed the wiki
> page
>
>
> instead, just use the process that worked for the account replication
> setup.
> just use the ca.crt from 
> http://<ipaserver>/ipa/config/ac.crt<http://ipaserver/ipa/config/ac.crt>
> .
>
> this is probably simpler and will  work from the windows machine as well
>
>
>  The steps don’t throw any errors, but that certificate didn’t work for
> me.   It may be a little obvious, but it only worked if I  imported the
> same cert file used in the replication process.  I got that file
>
>
> _______________________________________________
> Freeipa-users mailing 
> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to