Thanks for the feedback! ldp.exe does support ssl. The comment about 636 being the non-ssl port was cruft from a previous version where I was trying to keep things simple.
On Fri, Dec 28, 2012 at 3:40 PM, Rich Megginson <rmegg...@redhat.com> wrote: > On 12/24/2012 09:13 AM, Nate Marks wrote: > > I'd love some feedback on these. They seemed to work for me.Thanks! > > > Introduction > This guide starts at the point where your freeipa server is correctly > replicating accounts from a windows active directory server. The following > steps are intended to help you roll out the passync software to all of your > domain controllers. Detailed descriptions of how the software works are > available from people far more competent than myself. I’m just covering > some installation tips. One thing that really screwed me up is that there > are great passsync docs for 389 directory server and great passsync docs > for freeipa server. They are similar. They are NOT interchangeable. When > using freeipa server stick with freeipa docs . I know this seems obvious, > but when passsync doesn’t work the first time, my instinct is to cast about > on google for things that seem to be related. When you find the 389 server > docs under those circumstances and try to apply them to freeipa, you find > a rathole. > > > Fixed - see below. > > > > Getting started: > > It’s theoretically possible to get the passsync to work on the first > attempt. I’ve just never done it. In order for that to work, you have to > have exactly the right values ready to go when you run the passsync > installer. The installer has input fields for the following items: > > verifying the hostname, username password and search base values > hostname: <FQDN of the freeipa server> > port: 636 > username: uid=passsync,cn=sysaccounts,cn=etc,dc=<xxx>,dc=<xxx> > password: <password> > cert token : tried it with and without the > /etc/dirsrv/slapd-instance/pwdfile.txt contents > > > Right - not needed > > > serach base=cn=users,cn=accounts,dc=inframax,dc=ncare > > The best tool I found in windows for checking the passsync installation > settings is ldp. > First I’ll talk about verifying the easy stuff (hostname, username, > password, search base). run notepad on the windows server and put in the > values you’re going to use before running the passsync installer. Then run > ldp.exe and use the values from notepad and the steps below to verify the > hostname, username, password and search base. > > ldp.exe > connection > connect > enter the freeipa server hostname in the server field > enter port 636 (non-ssl port) in the port field > > > 636 is the SSL port > Does ldp have an option for StartTLS? > > > check the SSL box > click OK > > > connection > bind > select the 'simple bind' radio button > enter the DN for the passsync account on the freeipa server in the > userfield. this is > "uid=passsync,cn=sysaccounts,cn=etc,dc=<domain>,dc=<domaintld>" by default > enter the password for the passsync account in the password field > click ok > > select view > tree and make sure you can browse the tree in the ipa > server. browse to the subtree that you're going to use for search base and > make sure you > see your replicated accounts in that container. > if you can, then the values you used for the hostname, username, password > and search base are all correct. It also means that the ca.crt file you > imported for ldap account syunchronization is working correctly. > > NOTE: I left cert token empty. it seems to be used for encrypting the > certificate db in c:\program files\389 directory password synchronization. > That can be done after you get password synchronization working. > > Right - it is not needed > > > Installing Passsync: > Now we’ve done a bunch of work to check our values, but we haven’t > accomplished anything. So go ahead and run the passsync msi installer and > enter your values into the appropriate fields. > > The installer will create files, directories and registry stuff, but we’re > not nearly done. > > Step 5 in the link below seems to have the correct steps. Be sure to > import the same certificate that you imported in the account > synchronization process. I got mine with wget > http://<iapserver>/ipa/config/ca.crt. > > > > https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html > > > > One mroe thing before rebooting, use regedit to change the value of > HKLM->Software->PasswordSync “Log Level” from 0 to 1. If everything works > and you don’t need it, great! > > If the stars line up, you’ve put good values into the passsync installer, > imported the freeipa servers certificate into the cert DB that passsync > uses and the installer registered a new dll to capture password change > events. You need to reboot the server to get the dll registration to take > effect. > After it restarts, change the password on an account that’s being > replicated to free ipa. use notepad to open the file c:\program files\389 > directory password synchronization\ passsync.txt > if the passhook.dll is working correctly, you’ll see an entry like: > ‘1 new entries loaded from data file’ > > > If ssl is working correctly, you’ll be able to log into the freeipa server > with the test account and newly changed password. > > Ifit doesn’t work, verify your cert and your values with ldp.exe. I just > don’t have anything better that that yet. > > > This takes me to the point where I’d love more tools to troubleshoot the > problem. > > Other things I’ve tried: > 1) UAC. I disable it, but I’d love some feedback on whether or not that’s > required on win 2k8R2. > 2) some of my DCs have certificate services installed and some don’t. I > don’t think any of that matters or passsync, but I’d love feedback there > too. > > > It doesn't matter, as long as the Active Directory is using TLS/SSL > somehow, and you have access to the CA cert of the CA that issued the > Active Directory Server cert. > > > 3) Here are the details on the 389 directory server steps that screwed me > up.: > > I found these steps for exporting cert from the linux that apparently > apply to 389 and not to freeipa( > http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and they > really screwed me up with freeipa: > ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT*** > cd /usr/lib/dirsrv/slapd-instance_name > certutil -d . -L -n "CA certificate" -a > dsca.crt > # NOTE - it might not be called CA certificate - use certutil -d . -L to > list your certs > ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT*** > > I think the problem is that it tells you to use /usr/lib/dirsrv/slapd-INST > which is bogus - it should be /etc/dirsrv/slapd-INST - I've fixed the wiki > page > > > instead, just use the process that worked for the account replication > setup. > just use the ca.crt from > http://<ipaserver>/ipa/config/ac.crt<http://ipaserver/ipa/config/ac.crt> > . > > this is probably simpler and will work from the windows machine as well > > > The steps don’t throw any errors, but that certificate didn’t work for > me. It may be a little obvious, but it only worked if I imported the > same cert file used in the replication process. I got that file > > > _______________________________________________ > Freeipa-users mailing > listFreeipaemail@example.com://www.redhat.com/mailman/listinfo/freeipa-users > > >
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users