Ok.  What about the ssl connection from the windows AD machine to your IdM ldap 
server?



ld = ldap_sslinit("se-idm-01.boingo.com:636", 389, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to se-idm-01.boingo.com:636.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
dataversion: 020140131234000;
defaultnamingcontext: dc=boingo,dc=com;
lastusn: 5177;
namingContexts: dc=boingo,dc=com;
netscapemdsuffix: cn=ldap://dc=se-idm-01,dc=boingo,dc=com:389;
objectClass: top;
supportedControl (21): 2.16.840.1.113730.3.4.2; 2.16.840.1.113730.3.4.3; 
2.16.840.1.113730.3.4.4; 2.16.840.1.113730.3.4.5; 1.2.840.113556.1.4.473 = ( 
SORT ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.16; 
2.16.840.1.113730.3.4.15; 2.16.840.1.113730.3.4.17; 2.16.840.1.113730.3.4.19; 
1.3.6.1.4.1.42.2.27.8.5.1; 1.3.6.1.4.1.42.2.27.9.5.2; 1.2.840.113556.1.4.319 = 
( PAGED_RESULT ); 1.3.6.1.4.1.42.2.27.9.5.8; 1.3.6.1.4.1.4203.666.5.16; 
2.16.840.1.113730.3.4.14; 2.16.840.1.113730.3.4.20; 1.3.6.1.4.1.1466.29539.12; 
2.16.840.1.113730.3.4.12; 2.16.840.1.113730.3.4.18; 2.16.840.1.113730.3.4.13;
supportedExtension (17): 2.16.840.1.113730.3.5.7; 2.16.840.1.113730.3.5.8; 
2.16.840.1.113730.3.5.10; 2.16.840.1.113730.3.8.10.3; 1.3.6.1.4.1.4203.1.11.1; 
2.16.840.1.113730.3.8.10.1; 2.16.840.1.113730.3.5.3; 2.16.840.1.113730.3.5.12; 
2.16.840.1.113730.3.5.5; 2.16.840.1.113730.3.5.6; 2.16.840.1.113730.3.5.9; 
2.16.840.1.113730.3.5.4; 2.16.840.1.113730.3.6.5; 2.16.840.1.113730.3.6.6; 
2.16.840.1.113730.3.6.7; 2.16.840.1.113730.3.6.8; 1.3.6.1.4.1.1466.20037 = ( 
START_TLS );
supportedLDAPVersion (2): 2; 3;
supportedSASLMechanisms (7): EXTERNAL; ANONYMOUS; PLAIN; LOGIN; DIGEST-MD5; 
GSSAPI; CRAM-MD5;
vendorName: 389 Project;
vendorVersion: 389-Directory/1.2.11.15 B2013.337.1530;

this is the output


  openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names

/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - 
For authorized use only/CN=VeriSign Class 3 Public Primary Certification 
Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits 
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority 
(2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust 
Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft 
Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 333C0000854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
    Session-ID-ctx:
    Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391547347
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---




________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 12:53 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tried changing the password for a user in AD

this is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername
81: Can't contact LDAP server


and you say this is one of many issues with passsync. do you recommend another 
option?


________________________________
From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

but what about the "Can't contact LDAP server" in the passsync log?

and are you saying I should try to change one of the passwords in AD for it to 
go to IDM, or vice versa?

thanks


________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.

Then passsync will not have sent anything.


and the users I have in IDM  from AD, their passwords are not working

Right.  This is one of the (many) problems with the passsync approach - there 
currently is no way to populate the initial passwords - that is, passsync/IdM 
cannot copy your passwords over from AD to IdM.



________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty

Have you changed any passwords in AD?

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object

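The two PassSync log excerpts in this thread show two different LDAP result codes ("32: No such object" here, "81: Can't contact LDAP server" in the later message), and each points at a different misconfiguration. The following is an added example, not code from the thread or from the PassSync project, that parses PassSync's two-line log format and groups the errors by result code with a triage hint for each; the sample log is constructed from the excerpts above, and the hint text is the author's own reading of the standard LDAP result codes.

```python
import re
from collections import Counter

# Constructed sample modelled on the passsync.log excerpts quoted in this thread.
SAMPLE_LOG = """\
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
"""

ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
CODE_RE = re.compile(r"^(\d+): (.*)$")          # continuation line: "<ldap result code>: <text>"
ABANDON_RE = re.compile(r"Abandoning password change for (\S+),")

# Triage hints keyed by standard LDAP result code (assumption: PassSync logs the raw code).
HINTS = {
    81: "server down: the Windows host never completed the LDAPS connection to the IdM "
        "server; check reachability of port 636 and that the IdM CA certificate is in "
        "the PassSync certificate database",
    32: "no such object: the bind DN or search base configured in PassSync does not "
        "exist on the IdM server; compare both against the directory tree",
}


def parse_passsync_log(text):
    """Return one dict per timestamped entry; a following 'code: text' line is attached to it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": m.group(1), "msg": m.group(2), "code": None, "detail": None})
            continue
        c = CODE_RE.match(line)
        if c and entries and entries[-1]["code"] is None:
            entries[-1]["code"] = int(c.group(1))
            entries[-1]["detail"] = c.group(2)
    return entries


def triage(entries):
    """Count errors per LDAP result code, list users whose change was abandoned, and attach hints."""
    by_code = Counter(e["code"] for e in entries if e["code"] is not None)
    abandoned = sorted({m.group(1) for e in entries if (m := ABANDON_RE.match(e["msg"]))})
    hints = {code: HINTS.get(code, "unmapped LDAP result code") for code in by_code}
    return {"by_code": dict(by_code), "abandoned": abandoned, "hints": hints}
```

Abandoned changes matter operationally: once PassSync gives up on a user, that password change is lost and the user must change it again after the connection problem is fixed.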


________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
