On 02/11/2015 04:18 AM, Nicolas Zin wrote:
I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: ********

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]

So apparently I managed to connect to AD, but something went wrong after?
How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"

Regards,

Nicolas Zin

----- Original Message -----
From: "Nicolas Zin" <nicolas....@savoirfairelinux.com>
To: freeipa-users@redhat.com
Sent: Wednesday, February 11, 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: ********

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea what's wrong?
Also is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works
- I checked that the 2 boxes have the same time (NTP)
- I nearly managed to make it work once, but I got another error during replication

Nicolas Zin
nicolas....@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax : 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
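An added diagnostic script (not from the thread and not FreeIPA's own tooling) that checks what the file handed to --cacert actually is and whether the DC's certificate names the DC host, then wraps the ldapsearch probe from the reply for both StartTLS on 389 and LDAPS on 636. The hostname and DNs are the ones used in the thread; the path of a previously fetched server certificate is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or from FreeIPA itself.
# Assumes: openssl (1.1.1+) and ldapsearch on PATH, PEM certificate files,
# and the thread's names: dc.company.com, DC=company,DC=com and
# cn=Administrator,cn=Users,dc=company,dc=com.

# Dump a PEM certificate as text once; the checks below grep this output.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# 0 if the certificate carries basicConstraints CA:TRUE, i.e. it is a CA
# certificate of the kind --cacert expects (a server cert will not have it).
is_ca_cert() {
    cert_text "$1" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 if the certificate lists the given DNS name in its Subject Alternative
# Name, which the TLS client matches against the DC's FQDN.
has_san_for_host() {
    cert_text "$1" | grep -A1 'Subject Alternative Name' | grep -qFw "DNS:$2"
}

# Report on the CA file and on the DC's server certificate (fetch the latter
# with: openssl s_client -starttls ldap -connect dc.company.com:389).
winsync_cert_report() {
    ca=$1 srv=$2 host=$3
    if is_ca_cert "$ca"; then
        echo "ok: $ca is a CA certificate"
    else
        echo "WARN: $ca lacks CA:TRUE; --cacert needs the CA cert, not a server cert"
    fi
    if has_san_for_host "$srv" "$host"; then
        echo "ok: $srv names $host in its SAN"
    else
        echo "WARN: $srv does not name $host; hostname verification will fail"
    fi
}

# Live probe of the DC: the reply's ldapsearch over StartTLS on 389, then the
# same query over LDAPS on 636. LDAPTLS_CACERT points OpenLDAP at the PEM CA.
probe_ad_tls() {
    ca=$1 host=$2 basedn=$3 binddn=$4 pw=$5
    LDAPTLS_CACERT="$ca" ldapsearch -xLLLZZ -H "ldap://$host" -s base \
        -b "$basedn" -D "$binddn" -w "$pw" dn
    LDAPTLS_CACERT="$ca" ldapsearch -xLLL -H "ldaps://$host:636" -s base \
        -b "$basedn" -D "$binddn" -w "$pw" dn
}
```

Run `winsync_cert_report adRootCA.crt dc-server.pem dc.company.com` first; only once both checks print ok is a failure of `probe_ad_tls` worth chasing on the LDAP side rather than in the certificates.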