Prady Dash wrote:
> Hi,
>
> I am trying to integrate AD with FreeIPA. I was following the below
> document.
>
> https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf
>
> While configuring I am facing the below error.
>
> [root@appserver2 ~]# ipa-replica-manage connect --winsync --binddn
> cn=Administrator,cn=users,dc=abc,dc=local --bindpw XXXXXXX --passsync
> XXXXXX  --passsync XXXXXXX --cacert /etc/openldap/certs/abc.cer
> ad.abc.local -v
>
> Directory Manager password:
>
> Added CA certificate /etc/openldap/certs/ abc.cer to certificate
> database for appserver2.qinec.com
> ipa: INFO: AD Suffix is: DC=abc,DC=local
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=xyz,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
> error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [appserver2.abc.com] reports: Update failed! Status: [-11  - LDAP
> error: Connect error]
> Failed to start replication
>
> Please suggest.

LDAP error -11 is LDAP_CONNECT_ERROR so normally I'd suggest checking
firewalls and such. The thing is though, IPA made an LDAP connection to
find the AD Suffix so both connectivity and the CA provided are
exercised successfully.

I'd check the 389-ds access and error logs in /var/log/dirsrv/slapd-REALM/

You probably want to consider using AD trust instead of winsync if you
haven't looked into it yet.

rob
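Rob points at the 389-ds access and error logs under /var/log/dirsrv/slapd-REALM/. As an added example that is not part of this thread, the script below parses lines in the layout of the 389-ds errors log and summarizes ERR lines per replication agreement (LDAP error codes such as -11 and any TLS detail the server appended), so a "Connect error" status can be tied to a cause; the sample log, agreement name and host are constructed for the demo.

```python
"""Triage 389-ds error-log lines for replication agreement connect failures."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of /var/log/dirsrv/slapd-REALM/errors.
# Agreement name, host, timestamps and the TLS detail are made up for the demo.
SAMPLE_ERRORS_LOG = """\
[12/Mar/2024:10:02:11.100000000 +0000] - INFO - NSMMReplicationPlugin - agmt="cn=meToad.abc.local" (ad.abc.local:636): State: start -> ready_to_acquire_replica
[12/Mar/2024:10:02:12.200000000 +0000] - ERR - NSMMReplicationPlugin - agmt="cn=meToad.abc.local" (ad.abc.local:636): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.)
[12/Mar/2024:10:02:12.300000000 +0000] - ERR - NSMMReplicationPlugin - agmt="cn=meToad.abc.local" (ad.abc.local:636): Failed to connect to replication consumer
[12/Mar/2024:10:03:00.400000000 +0000] - ERR - NSMMReplicationPlugin - agmt="cn=meToad.abc.local" (ad.abc.local:636): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.)
[12/Mar/2024:10:04:00.500000000 +0000] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
"""

AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$'
)
LDAP_ERR_RE = re.compile(r'LDAP error (?P<code>-?\d+) \((?P<text>[^)]*)\)(?: \((?P<detail>.*)\))?')


def parse_agreement_lines(log_text):
    """Yield one dict per agreement line, with LDAP code/text/detail when present."""
    for line in log_text.splitlines():
        m = AGMT_RE.match(line)
        if not m:
            continue  # lines not tied to an agreement (e.g. slapi_ldap_bind) are skipped
        rec = m.groupdict()
        e = LDAP_ERR_RE.search(rec["msg"])
        rec["ldap_code"] = int(e["code"]) if e else None
        rec["ldap_text"] = e["text"] if e else None
        rec["detail"] = e["detail"] if e else None  # e.g. the TLS reason behind -11
        yield rec


def summarize_connect_failures(log_text):
    """Group ERR lines per (agreement, host, port): LDAP code counts and distinct details."""
    summary = defaultdict(lambda: {"codes": Counter(), "details": set(), "errors": 0})
    for rec in parse_agreement_lines(log_text):
        if rec["level"] != "ERR":
            continue
        key = (rec["agmt"], rec["host"], int(rec["port"]))
        s = summary[key]
        s["errors"] += 1
        if rec["ldap_code"] is not None:
            s["codes"][rec["ldap_code"]] += 1
        if rec["detail"]:
            s["details"].add(rec["detail"])
    return dict(summary)
```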

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project