> On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
>>>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>>>> supersecretpassword --passsync supersecretpassword --cacert
>>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>> Directory Manager password:
>>>>
>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
>>>> certificate
>>>> database for ipadc1.ipadomain.net
>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>> Windows PassSync system account exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>> .
>>>> .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
>>>> error: Connect error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>>
>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP
>>>> error:
>>>> Connect error]
>>> Have you tried using ldapsearch to verify the connection?
>>>
>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
>>> -h
>>> addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>>> and/or
>>>
>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer  ldapsearch -xLLL
>>> -ZZ -h addc2.test.mycompany.net -D "cn=ad
>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>> "objectclass=*"
>>>
>> Both commands give the same successful result.  I don't think it's a
>> problem with the credentials because I was able to generate different
>> error messages during the attempted sync setup if I intentionally gave a
>> bad password or username.
>
> Ok.  Have you tried enabling the replication log level?
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>

After doing that and poking around in
/var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this :

[15/May/2015:20:27:17 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync -
agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with
SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's
Certificate issuer is not recognized.)

So it's complaining that it doesn't recognize the certificate that was
signed by my AD certificate authority as suggested in here :
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req

I copied the certificate to my server though and created the hashes just
like the manual said.

The only issue I had was the directions here :
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
tell you to go to my network places but that didn't exist on my server.  I
did it through start menu -> administrative tools -> certification
authority.  The rest of double clicking on the cert and going to the
details tab and copy to file was the same though.

So how do I get FreeIPA to not choke up on the self signed cert?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to