On 02/04/2014 01:48 PM, Todd Maugh wrote:
but what about the "cant contact LDAP server in the passsync log"

>  LDAP bind error in connect
>    81: Can't Contact LDAP Server

That means
1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN doesn't resolve both forward and reverse from the windows box 5) host specified in the passsync config does not match the ipa ldap server certificate subject dn
6) incorrect CA cert installed in passsync cert db


and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

In order for AD to send a password, you have to change a password in AD. When I said "This is one of the (many) problems with passsync", I meant that passsync will not sync existing passwords from AD to IdM. Passsync requires an AD password change operation in order to sync a password. If you were expecting that your existing AD passwords would just suddenly work in IdM, without having all of your AD users change their passwords, that's not how passsync works. There is no way to do that. This is but one of the reasons why the AD/IdM cross domain trust solution is preferred.

When I said "This is one of the (many) problems with passsync", I most certainly did not mean that "LDAP bind error in connect > 81: Can't Contact LDAP Server" is one of the many problems. It is almost always a configuration issue.


thanks


------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, February 04, 2014 12:45 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.

Then passsync will not have sent anything.


and the users I have in IDM  from AD, their passwords are not working

Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.



------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, February 04, 2014 12:40 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty

Have you changed any passwords in AD?

------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
*Sent:* Tuesday, February 04, 2014 11:56 AM
*To:* Rich Megginson; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Creating password sync

Im seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object



------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Tuesday, February 04, 2014 9:19 AM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and running on the windows 2008 R2 server


but I cant tell if or what it is doing because iM not getting passwords to my IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the windows box.

------------------------------------------------------------------------
*From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
*Sent:* Tuesday, February 04, 2014 9:04 AM
*To:* Rich Megginson; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! the documentation tells o fno way to verify or trouble shoot


Thank You

-Todd Maugh
tma...@boingo.com




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to