On 02/12/2015 12:37 AM, Nicolas Zin wrote:
That was that:
in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began to be interesting:
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
So I corrected my problem: I put the correct hostname in ipa-replica-manage (and not the IP). And it connects!
Next step: getting the replication working. The customer doesn't want to give my sync user the "Replicating directory changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just wants a "one-way replication".
For the one-way replication, I followed the documentation.
But I don't see any imported users. Do you have an idea? Are some of the Windows attributes necessary even for a one-way (Windows to Linux) synchronisation?
Regards,
Nicolas
----- Original Message -----
From: "Rich Megginson" <[email protected]>
To: [email protected]
Sent: Wednesday, 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync
On 02/11/2015 04:18 AM, Nicolas Zin wrote:
I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com -v
Directory Manager password: ********
Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
So apparently I managed to connect to AD, but something went wrong after?
How can I debug it?
You can test it like this:
# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"
Regards,
Nicolas Zin
----- Original Message -----
From: "Nicolas Zin" <[email protected]>
To: [email protected]
Sent: Wednesday, 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync
Hi,
I am now trying to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.
When I try to create the replication:
ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com
Directory Manager password: ********
Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD server dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found', 'desc': 'Connect error'}
Failed to setup winsync replication
Do you have an idea what's wrong?
Also, is it possible to point to port 636 instead?
Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
- I checked that the two boxes have the same time (NTP).
- I nearly managed to make it work once, but I got another error during replication.
AD is treated as the ultimate source, so adds should go only from AD to IPA, but you need the modify to work both ways, otherwise your account state will get out of sync.
Whatever is required by the docs is the minimal privilege you need to have to sync users.
However, did you consider a trust?
It is a two-way trust but it acts as a one-way trust.
Nicolas Zin
[email protected]
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
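The failure that was finally diagnosed in this thread ("TLS: hostname does not match CN in peer certificate", because the DC was named by IP address rather than by the FQDN in its certificate) can be checked before touching ipa-replica-manage. The script below is an added example, not code from the thread or from the FreeIPA project: it mints a throwaway self-signed certificate shaped like a typical AD DC certificate (subject CN plus a DNS subjectAltName) for a constructed DC name, then asks OpenSSL whether a candidate name would pass the same hostname check a StartTLS client performs. The DC name dc.company.com and the address 192.0.2.10 are placeholders, and make_dc_cert / name_matches_cert are helper names invented here.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "hostname does not match
# certificate" check offline. A self-signed cert is generated for a constructed
# DC name; then candidate names are tested against it with openssl's
# -checkhost, which applies the same RFC 6125 matching a TLS client does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate with CN=<name> and SAN DNS:<name>, the
# shape an AD DC's LDAPS/StartTLS certificate normally has. Prints the path.
make_dc_cert() {
    name=$1
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
subjectAltName = DNS:$name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/dc.key" -out "$WORK/dc.crt" \
        -config "$WORK/req.cnf" >/dev/null 2>&1
    echo "$WORK/dc.crt"
}

# Return 0 if <name> (the string you would hand to ipa-replica-manage) matches
# the certificate, 1 otherwise. openssl prints "Hostname X does match
# certificate" or "Hostname X does NOT match certificate"; its exit status is
# 0 either way, so the verdict is taken from the text.
name_matches_cert() {
    cert=$1
    name=$2
    openssl x509 -in "$cert" -noout -checkhost "$name" | grep -q ' does match '
}

# Constructed scenario: the DC's certificate names dc.company.com.
CERT=$(make_dc_cert dc.company.com)

# Using the FQDN passes; using the IP address (what the thread's first
# attempts did) fails the hostname check, just as ldapsearch -ZZ reported.
name_matches_cert "$CERT" dc.company.com && echo "dc.company.com: OK"
name_matches_cert "$CERT" 192.0.2.10 || echo "192.0.2.10: hostname does not match certificate"
```

Against a real DC, the certificate to feed name_matches_cert can be captured with `openssl s_client -connect dc.company.com:389 -starttls ldap -showcerts </dev/null` (the `-starttls ldap` option requires a recent OpenSSL); the name given to `-checkhost` must be exactly the name later passed to ipa-replica-manage, and the ldapsearch command Rich posted remains the end-to-end confirmation that the bind and StartTLS work with the CA certificate installed in the IPA NSS database.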