On 03/21/2013 01:45 PM, Joseph, Matthew (EXP) wrote:

    Hey Rich,

    I've changed the password multiple times now and it's still not accepting the password. I've even set it as simple as password.

    I forgot to mention in my initial post that my domain looks more like this.

    Domain1.domain2.ca

    So my command looks like cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca

    That shouldn't make a difference, should it?

As long as that is the DN you are using with ldapsearch -D, and the same as the DN you are passing to ipa-replica-manage, that should be fine.

Let's take a step back. Do you know the windows admin password? If so, try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D "cn=administrator,cn=users,dc=domain1,dc=domain2,dc=ca" -w 'admin password' -s base -b "cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca"

*From:* Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Thursday, March 21, 2013 4:31 PM
*To:* Joseph, Matthew (EXP)
*Cc:* freeipa-users@redhat.com
*Subject:* Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 01:26 PM, Joseph, Matthew (EXP) wrote:

    Hey Rich,

    Tried the command you listed below and it says ldap_bind: Invalid
    Credentials (49)


This means you have the wrong password.


    If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back the results of the LDAP search.


This means it is doing an anonymous search of "" which AD allows.

Try this:
ldapsearch -xLLL -ZZ -h adserver.domain.ca -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' -s base -b "cn=users,dc=domain,dc=ca"


*From:* Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Thursday, March 21, 2013 4:12 PM
*To:* Joseph, Matthew (EXP)
*Cc:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:

    Hello,

    I'm currently in the process of installing/configuring IPA
    2.2.0-16 on a Red Hat 6.4 Server and I'm running into some issues
    trying to get IPA to replicate to a Windows 2003 SP2 DC.

    Here are the steps I took (I used the Red Hat Identity Management
    Guide):

    1) Create idmpasssync user under AD and give him the permissions
    requested

    2) Download IPA cert from web gui

    3) Installed IPA cert under Trusted Root Certificates Authorities

    4) Exported Windows cert to Red Hat Server

    5) Copied both IPA and Windows certs to /etc/openldap/cacerts

    6) Run the following command

    a. ipa-replica-manage connect --winsync --binddn
    cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw
    WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert
    /etc/openldap/cacerts/windows.cer adserver.domain.ca -v

    7) After running that command I get the following error:

    a. Added CA Certificate /etc/openldap/cacerts/windows.cer to
    certificate database for IPAserver.domain.ca
    ipa: INFO: Failed to connect to AD server adserver.domain.ca
    ipa: INFO: The error was: {'info': 80090308: LdapErr:
    DSID-0C090334, comment: AcceptSecurityContext error, data 525,
    vece', 'desc': 'Invalid Credentials'}
    Failed to setup winsync replication

    I checked the IPA logs and it says the same thing as above, no new
    information.

    I know I entered the password correctly and I even changed it on
    the Active Directory side just to make sure.

    Can anyone see what I am doing wrong on this configuration?


Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' -s base -b ""

Matt
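Two things in this thread can be checked offline before touching the AD server again: whether a bind DN's dc= components actually spell the DNS domain (the domain1.domain2.ca question), and what the "data 525" sub-code in the AcceptSecurityContext message means. The Python below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. The sub-code table is Microsoft's documented set of AD bind sub-codes, and the error string and domain names fed to it are constructed from the values quoted in the thread.

```python
import re

# Documented AD bind sub-codes (the "data NNN" field that accompanies LDAP
# result 49). Table added for this example from Microsoft's published values;
# it is not taken from the thread.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not name an existing object",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic string AD returns alongside "Invalid Credentials".
AD_ERROR_RE = re.compile(
    r"(?P<nt>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(info):
    """Return the fields of an AD bind error plus the meaning of its sub-code,
    or None if the text is not an AD AcceptSecurityContext diagnostic."""
    m = AD_ERROR_RE.search(info)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ntstatus": m.group("nt").lower(),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unrecognised sub-code"),
    }


def domain_to_dc(domain):
    """Turn a DNS domain such as domain1.domain2.ca into its dc= suffix."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + l for l in labels)


def bind_dn(cn, domain, container="cn=users"):
    """Build the DN of an account in the default Users container."""
    return "cn=%s,%s,%s" % (cn, container, domain_to_dc(domain))


def dn_matches_domain(dn, domain):
    """True if the dc= components of dn spell exactly the given DNS domain."""
    dc_parts = [p.strip().lower() for p in dn.split(",")
                if p.strip().lower().startswith("dc=")]
    return ",".join(dc_parts) == domain_to_dc(domain)


if __name__ == "__main__":
    # Constructed from the error text quoted in the thread.
    err = ("{'info': '80090308: LdapErr: DSID-0C090334, comment: "
           "AcceptSecurityContext error, data 525, vece', "
           "'desc': 'Invalid Credentials'}")
    print(parse_ad_bind_error(err))
    print(bind_dn("idmpasssync", "domain1.domain2.ca"))
    print(dn_matches_domain("cn=idmpasssync,cn=users,dc=domain,dc=ca",
                            "domain1.domain2.ca"))
```

The point of decoding the sub-code is that AD reports a non-existent bind DN and a wrong password with the same LDAP result (49); only the "data" field separates the two, so it is worth reading before changing the password yet again. A successful anonymous rootDSE query (the `-s base -b ""` search without `-w`) proves only that the server is reachable and allows anonymous binds, as Rich notes; it says nothing about the credentials.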

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users