On 05/15/2015 02:44 PM, nat...@nathanpeters.com wrote:
On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
[root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP error: Connect error]
Have you tried using ldapsearch to verify the connection?

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"

and/or

# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"

Both commands give the same successful result.  I don't think it's a
problem with the credentials because I was able to generate different
error messages during the attempted sync setup if I intentionally gave a
bad password or username.
Ok.  Have you tried enabling the replication log level?

http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

After doing that and poking around in /var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this:

[15/May/2015:20:27:17 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)

So it's complaining that it doesn't recognize the certificate that was signed by my AD certificate authority, as suggested here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req

I copied the certificate

Which certificate? The CA cert or the server cert? You need the CA cert, not the server cert.

to my server though and created the hashes just like the manual said.

"created the hashes"?  There is nothing in

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req

about creating any hashes.


The only issue I had was that the directions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
tell you to go to My Network Places, but that didn't exist on my server.  I
did it through Start menu -> Administrative Tools -> Certification
Authority.  The rest (double-clicking the cert, going to the Details tab
and Copy to File) was the same though.

Was it the CA cert or the server cert? You need the CA cert, not the server cert.


So how do I get FreeIPA to not choke up on the self signed cert?
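Added here as an example that is not part of the thread: a small POSIX shell helper that answers the question raised above (is the exported file the CA cert or the server cert?) and reproduces the STARTTLS verification the winsync agreement performs against the DC. It assumes openssl 1.1.1 or later (for `s_client -starttls ldap`); the host name and file path in the final comment are the ones from the thread.

```shell
#!/bin/sh
# Classify a certificate exported from the AD "Certification Authority"
# snap-in and check it against the DC's STARTTLS chain.  Added example,
# not part of the thread; assumes openssl >= 1.1.1.

# Print the certificate as PEM whether the file is PEM (Windows "Base-64
# encoded X.509") or DER ("DER encoded binary X.509"); fail if neither.
to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Print "ca" or "server".  The deciding factor is the Basic Constraints
# extension: only a CA:TRUE cert can have signed the DC's LDAP certificate,
# so only a CA:TRUE cert is useful as --cacert for ipa-replica-manage.
cert_kind() {
    pem=$(to_pem "$1") || { echo "unreadable: $1" >&2; return 2; }
    bc=$(printf '%s\n' "$pem" | openssl x509 -noout -text \
         | grep -A1 'X509v3 Basic Constraints' | tail -n1)
    case "$bc" in
        *CA:TRUE*) echo ca ;;
        *)         echo server ;;
    esac
}

# Print "self-signed" when subject and issuer match (a root CA), otherwise
# the issuer DN, which tells you which CA cert is actually needed.
cert_chain_hint() {
    pem=$(to_pem "$1") || return 2
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject=//')
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo "issued-by: $iss"; fi
}

# Do what the winsync agreement does: STARTTLS on port 389 and verify the
# DC's chain with the exported CA cert.  Prints openssl's "Verify return
# code" line; "0 (ok)" means the -8179 "issuer is not recognized" error
# will not occur with this file.
starttls_check() {   # starttls_check HOST CAFILE
    capem=$(mktemp) || return 2
    to_pem "$2" > "$capem" || { rm -f "$capem"; return 2; }
    openssl s_client -starttls ldap -connect "$1:389" -CAfile "$capem" \
        </dev/null 2>&1 | grep 'Verify return code'
    rm -f "$capem"
}

# Example run against the host and file from the thread:
# cert_kind /etc/openldap/cacerts/addc2-test.cer
# starttls_check addc2.test.mycompany.net /etc/openldap/cacerts/addc2-test.cer
```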

