On 02/04/2014 01:53 PM, Todd Maugh wrote:
I tried changing the password for a user in AD
this is what the passsync log shows:
02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername
81: Can't contact LDAP server
and you say this is one of many issues with passsync. Do you recommend
another option?
> LDAP bind error in connect
> 81: Can't Contact LDAP Server
That means
1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN
doesn't resolve both forward and reverse from the windows box
5) host specified in the passsync config does not match the ipa ldap
server certificate subject dn
6) incorrect CA cert installed in passsync cert db
In order for AD to send a password, you have to change a password in
AD. When I said "This is one of the (many) problems with passsync", I
meant that passsync will not sync existing passwords from AD to IdM.
Passsync requires an AD password change operation in order to sync a
password. If you were expecting that your existing AD passwords would
just suddenly work in IdM, without having all of your AD users change
their passwords, that's not how passsync works. There is no way to do
that. This is but one of the reasons why the AD/IdM cross domain trust
solution is preferred.
When I said "This is one of the (many) problems with passsync", I most
certainly did not mean that "LDAP bind error in connect
81: Can't Contact LDAP Server" is one of the many problems. It is
almost always a configuration issue.
------------------------------------------------------------------------
*From:* Todd Maugh
*Sent:* Tuesday, February 04, 2014 12:48 PM
*To:* Rich Megginson; [email protected]
*Cc:* [email protected]
*Subject:* RE: Creating password sync
but what about the "can't contact LDAP server" in the passsync log?
and are you saying I should try to change one of the passwords in AD
for it to go to IDM, or vice versa?
thanks
------------------------------------------------------------------------
*From:* Rich Megginson [[email protected]]
*Sent:* Tuesday, February 04, 2014 12:45 PM
*To:* Todd Maugh; [email protected]
*Cc:* [email protected]
*Subject:* Re: Creating password sync
On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.
Then passsync will not have sent anything.
and the users I have in IDM from AD, their passwords are not working
Right. This is one of the (many) problems with the passsync approach
- there currently is no way to populate the initial passwords - that
is, passsync/IdM cannot copy your passwords over from AD to IdM.
------------------------------------------------------------------------
*From:* Rich Megginson [[email protected]]
*Sent:* Tuesday, February 04, 2014 12:40 PM
*To:* Todd Maugh; [email protected]
*Cc:* [email protected]
*Subject:* Re: Creating password sync
On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty
Have you changed any passwords in AD?
------------------------------------------------------------------------
*From:* [email protected]
[[email protected]] on behalf of Todd Maugh
[[email protected]]
*Sent:* Tuesday, February 04, 2014 11:56 AM
*To:* Rich Megginson; [email protected]
*Cc:* [email protected]
*Subject:* Re: [Freeipa-users] Creating password sync
I'm seeing these errors in the passsync.log
32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff
expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff
expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object
------------------------------------------------------------------------
*From:* Rich Megginson [[email protected]]
*Sent:* Tuesday, February 04, 2014 9:19 AM
*To:* Todd Maugh; [email protected]
*Cc:* [email protected]
*Subject:* Re: Creating password sync
On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is
started and running on the windows 2008 R2 server
but I can't tell if or what it is doing because I'm not getting
passwords to my IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging
You can also look at the 389 access log to see if you have
connections from the windows box.
------------------------------------------------------------------------
*From:* [email protected]
[[email protected]] on behalf of Todd Maugh
[[email protected]]
*Sent:* Tuesday, February 04, 2014 9:04 AM
*To:* Rich Megginson; [email protected]
*Cc:* [email protected]
*Subject:* [Freeipa-users] Creating password sync
Ok, So I have my replication agreement set up.
and I see accounts coming in to my IDM server from AD
I have followed this guide from redhat
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html
to set up my password sync.
I get no errors
but my passwords are not syncing!
Help! The documentation tells of no way to verify or troubleshoot.
Thank You
-Todd Maugh
[email protected]
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
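The error 81 checklist and the passsync.log excerpts in this thread lend themselves to a small triage script. This is an added example, not code from the thread, FreeIPA, 389-ds or PassSync; check_ldaps_host(), its reliance on the system CA store, and the meaning given for result code 32 are assumptions, while SAMPLE_LOG is quoted from the thread.

```python
# Constructed triage helper, not part of FreeIPA, 389-ds or PassSync. SAMPLE_LOG
# is quoted from this thread; check_ldaps_host() is an assumed check for items 2-6.
import re
import socket
import ssl
from collections import Counter
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
CODE = re.compile(r"^(\d+): (.*)$")
# 81: the checklist in the thread; 32: general LDAP noSuchObject (not from thread)
HINTS = {
    81: "server down, network, wrong host:port, non-FQDN host, cert subject mismatch, wrong CA",
    32: "bind DN or search base in the passsync config does not exist on IdM",
}
SAMPLE_LOG = """\
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
"""

def parse_passsync_log(text):
    """Pair each timestamped operation with the result line that follows it."""
    events, pending = [], None  # status lines without a code are dropped
    for line in text.splitlines():
        if m := LINE.match(line):
            pending = (m.group(1), m.group(2))
        elif (c := CODE.match(line)) and pending:
            events.append((pending[0], pending[1], int(c.group(1)), c.group(2)))
            pending = None
    return events

def summarize(events):
    """Count failures per (operation, code) and attach the hint for that code."""
    counts = Counter((op, code) for _, op, code, _ in events)
    return {k: (n, HINTS.get(k[1], "unlisted code")) for k, n in counts.items()}

def check_ldaps_host(host, port=636, timeout=5):
    """DNS forward/reverse, TCP reach, TLS verify: mismatch/untrusted CA -> 'error'."""
    out = {}
    try:
        addr = out["forward"] = socket.gethostbyname(host)
        out["reverse"] = socket.gethostbyaddr(addr)[0]
        ctx = ssl.create_default_context()  # hostname check is on by default
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                out["subject"] = tls.getpeercert()["subject"]
    except OSError as e:  # ssl.SSLError (incl. cert verification) is an OSError
        out["error"] = f"{type(e).__name__}: {e}"
    return out
```

Run summarize(parse_passsync_log(open("passsync.log").read())) on the Windows box to see which checklist item each failing operation points at, then check_ldaps_host("<ipa-server-fqdn>") to test resolution and the certificate name from the same host.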