On 02/12/2015 12:37 AM, Nicolas Zin wrote:
That was that:

in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect 
error) errno 0 (Success)


And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began to 
be interesting:
ldap_start_tls: Connect error (-11)
      additionnal info: TLS: hostname does not match CN in peer certificate

So I corrected my problem: put the correct hostname in ipa-replica-manage (and 
not the IP). And it connects!


Next step: getting the replication working. The customer doesn't want to give my sync user the "Replicating directory 
changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just 
wants a "one-way replication".
For the one-way replication, I followed the documentation.

But I don't see any imported users. Do you have an idea? Are some of the 
Windows attributes necessary even for a one-way (Windows to Linux) 
synchronisation?


Regards,



Nicolas

----- Original message -----
From: "Rich Megginson" <rmegg...@redhat.com>
To: freeipa-users@redhat.com
Sent: Wednesday 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync

On 02/11/2015 04:18 AM, Nicolas Zin wrote:
I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddn 
cn=Administrator,cn=Users,dc=company,dc=com --bindpw <passwd> --passsync 
whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com -v
Directory Manager password: ********

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?
You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H
ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D
"cn=Administrator,cn=Users,dc=company,dc=com" -w "password"



Regards,



Nicolas Zin



----- Original message -----
From: "Nicolas Zin" <nicolas....@savoirfairelinux.com>
To: freeipa-users@redhat.com
Sent: Wednesday 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I am now trying to establish a winsync relation with Windows 2008R2.
I installed IdM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddn 
cn=Administrator,cn=Users,dc=company,dc=com --bindpw <passwd> --passsync 
whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com
Directory Manager password: ********

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea what's wrong?
Also, is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
- I checked that the 2 boxes have the same time (NTP).
- I nearly managed to make it work once, but I got another error during 
replication.


AD is treated as the ultimate source, so adds should go only from AD to IPA, but you need the modify to work both ways; otherwise your account state will get out of sync. Whatever is required by the docs is the minimal privilege you need to have to sync users.

However, did you consider trust?
It is a two-way trust but it acts as a one-way trust.





Nicolas Zin
nicolas....@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
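The check behind the "TLS: hostname does not match CN in peer certificate" message in the thread, as an added example that is not part of any message above: a stand-alone Python re-implementation of RFC 6125-style peer-name matching over the dictionary shape that ssl.SSLSocket.getpeercert() returns. It shows why connecting by IP address fails against a certificate that only carries the DC's FQDN, and why the CN is never consulted once a dNSName SAN is present. The sample certificate and all function names are constructed for this example, not OpenLDAP's, NSS's or IPA's code.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# it stands in for the AD domain controller's certificate from the thread.
AD_DC_CERT = {
    "subject": ((("commonName", "dc.company.com"),),),
    "subjectAltName": (("DNS", "dc.company.com"),),
}

def _san(cert, kind):
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]

def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _dns_match(pattern, hostname):
    # Case-insensitive label compare; a wildcard is only honoured as the
    # whole leftmost label and must leave at least two fixed labels.
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def peer_matches(cert, target):
    """Return (ok, reason) for connecting to `target` with this peer cert."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only be matched by an iPAddress SAN, never by CN.
        if any(ipaddress.ip_address(e) == ip for e in _san(cert, "IP Address")):
            return True, "matched iPAddress SAN"
        return False, "IP literal given but certificate has no matching iPAddress SAN"
    dns_names = _san(cert, "DNS")
    if dns_names:
        # When dNSName SANs exist the CN is ignored entirely.
        if any(_dns_match(n, target) for n in dns_names):
            return True, "matched dNSName SAN"
        return False, "no dNSName SAN matches the hostname"
    cn = _subject_cn(cert)
    if cn and _dns_match(cn, target):
        return True, "matched subject CN (no SAN present)"
    return False, "hostname does not match CN in peer certificate"
```

Pointing ipa-replica-manage at 192.0.2.10 instead of dc.company.com takes the IP-literal branch and fails, which is the same outcome ldapsearch -ZZ reported above.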
