Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
Markus,

Not sure if this might be related, but at least it is a place to look at:
https://bugzilla.redhat.com/show_bug.cgi?id=1196455

Thanks

On 31/03/2015 10:54, Markus Roth wrote:
> Hi all,
>
> I want to set up freeipa 4.1.3 on a freshly installed Fedora 21. The ipa-server-install shows the following output:
>
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring certmap.conf
>   [18/38]: configure autobind for root
>   [19/38]: configure new location for managed entries
>   [20/38]: configure dirsrv ccache
>   [21/38]: enable SASL mapping fallback
>   [22/38]: restarting directory server
>   [23/38]: adding default layout
>   [24/38]: adding delegation layout
>   [25/38]: creating container for managed entries
>   [26/38]: configuring user private groups
>   [27/38]: configuring netgroups from hostgroups
>   [28/38]: creating default Sudo bind user
>   [29/38]: creating default Auto Member layout
>   [30/38]: adding range check plugin
>   [31/38]: creating default HBAC rule allow_all
>   [32/38]: initializing group membership
>   [33/38]: adding master entry
>   [34/38]: configuring Posix uid/gid generation
>   [35/38]: adding replication acis
>   [36/38]: enabling compatibility plugin
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> CA did not start in 300.0s
>
> The ipa server install log shows this:
>
> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
>
> 2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
> 2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
>     return_value = main_function()
>   File "/usr/sbin/ipa-server-install", line 1183, in main
>     ca_signing_algorithm=options.ca_signing_algorithm)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
Hi Jakub

Yes, I can also include that. The configuration I was showing was a simple one; mainly I focused on the library set, as it is usually the most problematic part in old distributions, but I will also include your comment, as it indeed makes more sense. As I was suggesting in the post, sssd is flexible enough to admit multiple configurations; once you get a working one you can work on improving it. (Also I wanted to write that ASAP before I forget any important detail.)

Your comment is very much appreciated and I will update accordingly.

Thanks

On 30/03/2015 01:16, Jakub Hrozek wrote:
> On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
>> Hey Guys
>>
>> Not sure if I am missing any bit but this was the thing in the end:
>> http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
>>
>> I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend is gone but at least it has been productive. I am including the SUDO bit which is usually a pain in my experience..
>>
>> Thanks
>
> Thank you very much for documenting this, but wouldn't it be better to use id_provider=ipa instead? Then the configuration would be simpler, less error prone and would authenticate more securely. You don't need to run ipa-client-install on the box, you can generate the client keytab elsewhere and transfer it to the client.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
Yes, you are right. I was using enumerate in my testing and I forgot to disable it when I was templating the configuration.

On 30/03/2015 07:21, Lukas Slebodnik wrote:
> On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:
>> Hey Guys
>>
>> Not sure if I am missing any bit but this was the thing in the end:
>> http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
>>
>> I managed to have it working and I have documented all those nasty bits which might save people's time. The whole weekend is gone but at least it has been productive. I am including the SUDO bit which is usually a pain in my experience..
>
> Do you really have to enable enumeration?
>
>     enumerate = True
>
> It would be good if you could remove it from the post.
>
> LS
Re: [Freeipa-users] IPA Client using Source Code
You need the development package; that should be popt-devel. If you are still using Amazon you have to modify the sources to include the devel. Otherwise, if you feel very crafty, you can go to a site such as http://rpm.pbone.net/ and look for the relevant development package which has the same version as your existing binaries..

On 30/03/2015 01:48, Yogesh Sharma wrote:
> Hi List,
>
> We have been trying to install IPA-Client using source code. While installing we are seeing many errors, out of which most are resolved, but we are stuck at the one below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
>
> gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
> ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
>  #include <popt.h>
>                   ^
> compilation terminated.
> make[2]: *** [ipa-getkeytab.o] Error 1
> make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> make: *** [all] Error 2
>
> Best Regards,
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> RHCE, VCE-CIA, RackSpace Cloud U
> My LinkedIn Profile: http://in.linkedin.com/in/yks
Re: [Freeipa-users] IPA Client Install on Amazon Linux
Yogesh,

My personal experience using AWS Linux and LDAP is not a good one, and mostly an utter nightmare in relation to packages. Personally I would recommend you keep away from AWS Linux and get CentOS, Fedora or Red Hat. Still, if you want to go ahead, I can give you the right versions for a couple of packages, as the default sudo given by Amazon simply DOES NOT work (no idea what they have done to it..).

Thanks

On 27/03/2015 00:03, Yogesh Sharma wrote:
> Hello,
>
> Is there any repo available for Amazon Linux to install IPA Client, or is the below the only way to do it, as found in the freeipa-users mail archive?
> http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
>
> Thanks for the help.
>
> Best Regards,
> Yogesh Sharma
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
I have to test a few options to see how I can overcome that issue. A pity, as I nearly got everything set up in full. Any findings I will get back to the list, as this might be relevant for other users.

On 25/03/2015 19:56, Rob Crittenden wrote:
> Gonzalo Fernandez Ordas wrote:
>> Exactly the document I was having a look at. In simple words, is it possible to work around this, and how? Otherwise I have to drop freeipa and get back to 389-ds, as it still seems fully ldap/sssd compatible. Have you got any doc clearly stating how to get this done? I really invested many days on reaching this far, being sudo the last tiny bit to get sorted, which is hugely frustrating.
>
> How to configure sudo largely depends on the version of SSSD you have in Ubuntu.
>
> I'm not sure how configuring SSSD is going to affect your choice of server though. If you still use SSSD the same problem will exist regardless, right?
>
> rob
>
>> Thanks for all the support
>>
>> Sent from Type Mail http://r.typeapp.com
>>
>> On Mar 25, 2015, at 5:35 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:
>>>> Hi
>>>>
>>>> I am setting up a plain and simple sssd service against my FreeIPA Server. The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1, and the client box is Ubuntu 12.04.5 LTS.
>>>>
>>>> The users and credentials are being synched out of an AD server (the passwords happened to be transferred using the PassSync service).
>>>>
>>>> Now.. I wanted to set up a very simple sssd service (not the FreeIPA client service), and so far I succeeded in synching the users along with the passwords using SSSD.
>>>>
>>>> Now, trying to get the sudo access sorted, I cannot see that working, and I came across some documentation mentioning SSSD is NOT currently supporting the IPA schema for the sudoers. If that is the case, can anybody point me to the right document or procedure in terms of getting also the sudoers installed? Would it be possible, somehow, to have this sorted WITHOUT using the ipa-client?
>>>>
>>>> Many thanks!
>>>
>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD
Exactly the document I was having a look at. In simple words, is it possible to work around this, and how? Otherwise I have to drop freeipa and get back to 389-ds, as it still seems fully ldap/sssd compatible. Have you got any doc clearly stating how to get this done? I really invested many days on reaching this far, being sudo the last tiny bit to get sorted, which is hugely frustrating.

Thanks for all the support

Sent from Type Mail

On Mar 25, 2015, at 5:35 PM, Dmitri Pal d...@redhat.com wrote:
> On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:
>> Hi
>>
>> I am setting up a plain and simple sssd service against my FreeIPA Server. The FreeIPA Server is a CentOS 7.1 box with IPA version 4.1, and the client box is Ubuntu 12.04.5 LTS.
>>
>> The users and credentials are being synched out of an AD server (the passwords happened to be transferred using the PassSync service).
>>
>> Now.. I wanted to set up a very simple sssd service (not the FreeIPA client service), and so far I succeeded in synching the users along with the passwords using SSSD.
>>
>> Now, trying to get the sudo access sorted, I cannot see that working, and I came across some documentation mentioning SSSD is NOT currently supporting the IPA schema for the sudoers. If that is the case, can anybody point me to the right document or procedure in terms of getting also the sudoers installed? Would it be possible, somehow, to have this sorted WITHOUT using the ipa-client?
>>
>> Many thanks!
>
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
Hi

I have completely changed the scenario and I managed to install freeipa-server 4.1 (somebody published the right repo for CentOS and it worked really well).

> Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.

Yes, sorry, that was a typo.

So, starting again from scratch, new machine, the whole installation process went well, no issues there, but:

> * FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)

I tried 5 times, the user was never created on the ipa server, I had to create it manually (I gave it admin permissions so it could create/delete/update users). Doing that, the password sync worked all right. We submit a password reset in AD and that propagated all right, tested and it worked fine.

* In one scenario I uninstalled freeipa (still kept the packages), installed again and something went wrong with the Kerberos keys. After creating the AD -- LDAP certs and successfully syncing the passwords, I could read in /var/log/messages a password decryption issue (Kerberos related) every time I tried to log in as any user. I have tried uninstalling freeipa and also removing the product completely and re-installing. It did not matter if I tried to rebuild the Kerberos keys, the issue was always there, so I have to start afresh with a new box.

So.. that has been all so far

Thanks
Gonzalo

On 16/03/2015 20:05, Noriko Hosoi wrote:
> Hello, Gonzalo,
>
> Any progress on your Password Synchronization?
>
> Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.
>
> On 03/13/2015 12:45 PM, g.fer.or...@unicyber.co.uk wrote:
>> I got the Password Sync Tool installed in the Windows2013 box
>
> You can find the doc on PassSync here.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync
> The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the default SSL version to connect to the 389 Directory Server (as we discussed before).
>
> We had a discussion regarding the PassSync user you had to create:
>> uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
>
> FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.) There must be some problem, as FreeIPA creates its own PassSync user in cn=sysaccounts,cn=etc,SUFFIX and also sets its DN as passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired passwords. So there is no need to create uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com manually. Please see the above doc regarding the user creation.
>
> * The username of the system user which Active Directory uses to connect to the IdM machine. This account is configured automatically when sync is configured on the IdM server. The default account is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
> * The password set in the --passsync option when the sync agreement was created.
>
> I'm sending this response to freeipa-users to share the info and request for more suggestions.
>
> Thanks,
> --noriko
>
> On 03/13/2015 02:48 PM, g.fer.or...@unicyber.co.uk wrote:
>> I forgot to attach the search command now:
>>
>> # passsync, users, accounts, corp.company.com
>> dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
>> cn: passsync
>> displayName: passsync
>> krbLastFailedAuth: 20150313211546Z
>> krbLoginFailedCount: 1
>> krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
>> krbLastPwdChange: 20150313210836Z
>> krbPasswordExpiration: 20150611210836Z
>> mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> loginShell: /bin/bash
>> gecos: pass sync
>> sn: sync
>> homeDirectory: /home/passsync
>> uid: passsync
>> mail: passs...@corp.company.com
>> krbPrincipalName: passs...@corp.company.com
>> givenName: pass
>> initials: ps
>> userPassword:: z= =
>> ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
>> uidNumber: 1481000829
>> gidNumber: 1481000829
>> krbPrincipalKey:: dfrerererer
>>
>> # search result
>> search: 2
>>
>> On 2015-03-13 21:39, g.fer.or...@unicyber.co.uk wrote:
>>> Hi
>>>
>>> I had to manually create the user!! For some reason I thought the sync agreement task was also creating that entry.
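The point Noriko makes above is that the PassSync bind account is meant to be the system account ipa-replica-manage creates under cn=sysaccounts,cn=etc, not a hand-made POSIX user with admin rights. As an added illustration (not code from the thread or from FreeIPA), here is a small LDIF reader that takes an ldapsearch dump like the one quoted and flags the signs of an over-privileged, manually created PassSync account; both LDIF entries are constructed from the quoted one, the extra memberOf line reflects the admin permissions Gonzalo said he granted, and the base64 password value is a placeholder.

```python
import base64

# Constructed from the entry quoted in the thread; the cn=admins membership is
# added to reflect the admin rights granted by hand, the password is a placeholder.
MANUAL_ENTRY = """\
# passsync, users, accounts, corp.company.com
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
cn: passsync
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
 c=com
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
krbPrincipalName: passsync@CORP.COMPANY.COM
loginShell: /bin/bash
uid: passsync
"""

# Constructed sketch of the system account ipa-replica-manage --winsync --passsync
# creates (per the reply above); objectClasses are an assumption, password a placeholder.
SYSACCOUNT_ENTRY = """\
dn: uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com
objectClass: top
objectClass: account
objectClass: simplesecurityobject
uid: passsync
userPassword:: cGxhY2Vob2xkZXI=
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: skips '#' comments, unfolds lines that
    continue with a leading space, decodes '::' base64 values, and returns
    {lower-cased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line continues the previous one
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_passsync_account(entry, suffix):
    """Return findings that indicate a hand-made, over-privileged PassSync account.
    An empty list means it looks like the expected low-privilege system account."""
    findings = []
    dn = entry["dn"][0].lower()
    ocs = [oc.lower() for oc in entry.get("objectclass", [])]
    if not dn.endswith("cn=sysaccounts,cn=etc," + suffix.lower()):
        findings.append("not under cn=sysaccounts,cn=etc (it is a regular user)")
    if any(g.lower().startswith("cn=admins,") for g in entry.get("memberof", [])):
        findings.append("member of the admins group")
    if "krbprincipalaux" in ocs or entry.get("krbprincipalname"):
        findings.append("has a Kerberos principal (a bind-only sysaccount needs none)")
    if "posixaccount" in ocs:
        findings.append("is a POSIX account with a login shell")
    return findings


if __name__ == "__main__":
    for label, ldif in (("manual", MANUAL_ENTRY), ("sysaccount", SYSACCOUNT_ENTRY)):
        print(label, check_passsync_account(parse_ldif_entry(ldif), "dc=corp,dc=company,dc=com"))
```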
Re: [Freeipa-users] AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
I am having a look at the documentation again.. and having version 1.1.6 of the PassSync tool means:

    [**] 389-PassSync-1.1.6 disables SSLv3 by default.

And I can see in the LDAP info from IPA that SSLv3 and SSLv2 are OFF.. So, theoretically, it should work as SSLv3 is disabled on both?

thanks!

On 13/03/2015 19:04, g.fer.or...@unicyber.co.uk wrote:
> Thanks to everyone for the replies.
>
> The installed version for the passsync is 1.1.6, and I am using the latest I got in RPMs from CentOS 7, so the following:
>
> 389-ds-base-1.3.1.6-26.el7_0.x86_64
> 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64
> sssd-ipa-1.11.2-68.el7_0.6.x86_64
> ipa-python-3.3.3-28.0.1.el7.centos.3.x86_64
> ipa-admintools-3.3.3-28.0.1.el7.centos.3.x86_64
> libipa_hbac-1.11.2-68.el7_0.6.x86_64
> ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> ipa-client-3.3.3-28.0.1.el7.centos.3.x86_64
> libipa_hbac-python-1.11.2-68.el7_0.6.x86_64
>
> I haven't installed anything manually but using the CentOS repos...
>
> thanks!!!
>
> On 2015-03-13 17:02, Dmitri Pal wrote:
>> On 03/13/2015 12:45 PM, g.fer.or...@unicyber.co.uk wrote:
>>> Hi
>>>
>>> I am going forward with a Password Sync AD (Windows 2013) -- FreeIPA ipa-server-3.3.3-28.0.1.el7 on a CentOS 7 box. I got the Password Sync Tool installed in the Windows 2013 box and I have created a user with its related password, as I am trying to test the password changes...
>>>
>>> Looking at the access logs I can see the following related to the sync process:
>>>
>>> [13/Mar/2015:09:22:02 -0700] conn=2 op=10 RESULT err=32 tag=101 nentries=0 etime=0
>>> [13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:33 -0700] conn=15 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:33 -0700] conn=15 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:41 -0700] conn=16 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:41 -0700] conn=16 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:57 -0700] conn=17 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:57 -0700] conn=17 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:24:29 -0700] conn=18 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:24:29 -0700] conn=18 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:25:34 -0700] conn=19 fd=91 slot=91 SSL connection from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:25:34 -0700] conn=19 op=-1 fd=91 closed - Peer reports incompatible or unsupported protocol version.
>>>
>>> So the passwords do not seem to be copied across. Any idea why this is happening and how to troubleshoot it?
>>>
>>> Many Thanks
>>
>> This might be related to one of the vulnerabilities that was found last year. Make sure that you have the latest available versions on both sides. If you have a mismatch then the client might not talk the TLS version that the server expects or vice versa.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
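The access-log pattern discussed above (an SSL connection accepted on conn=N and closed right away with "Peer reports incompatible or unsupported protocol version", retried by PassSync with a growing back-off) is easy to pick out of a 389-ds access log automatically. As an added example, not code from the thread or from 389-ds, this Python script correlates the open and close lines by connection id and reports, per peer, how many TLS handshakes failed and over what time span; the sample log lines are constructed after the ones quoted, and the host names and 10.0.0.x addresses are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the 389-ds access log lines quoted in the thread.
# Peer names and addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
[13/Mar/2015:09:22:02 -0700] conn=2 op=10 RESULT err=32 tag=101 nentries=0 etime=0
[13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:33 -0700] conn=15 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:33 -0700] conn=15 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:24:00 -0700] conn=16 fd=83 slot=83 SSL connection from 10.0.0.5 to 10.0.0.9
[13/Mar/2015:09:24:00 -0700] conn=16 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[13/Mar/2015:09:24:05 -0700] conn=16 op=1 UNBIND
[13/Mar/2015:09:24:05 -0700] conn=16 op=1 fd=83 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"SSL connection from (?P<src>\S+) to (?P<dst>\S+)")
FAIL_MARK = "Peer reports incompatible or unsupported protocol version"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_handshake_failures(text):
    """Pair each 'SSL connection from' line with the close on the same conn id.

    Returns a list of (peer, timestamp) tuples, one per failed TLS handshake;
    connections that close for any other reason are dropped from the pending set.
    """
    pending = {}          # conn id -> (src, timestamp) for opens not yet closed
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        o = OPEN_RE.search(rest)
        if o:
            pending[conn] = (o.group("src"), ts)
        elif FAIL_MARK in rest and conn in pending:
            failures.append((pending.pop(conn)[0], ts))
        elif " closed" in rest:
            pending.pop(conn, None)   # normal close, not a handshake failure
    return failures


def summarize(failures):
    """Per-peer failure count plus the seconds between first and last failure."""
    counts = Counter(src for src, _ in failures)
    report = {}
    for src, n in counts.items():
        stamps = sorted(ts for s, ts in failures if s == src)
        span = int((stamps[-1] - stamps[0]).total_seconds())
        report[src] = {"failed_handshakes": n, "span_seconds": span}
    return report


if __name__ == "__main__":
    for peer, info in summarize(parse_handshake_failures(SAMPLE_LOG)).items():
        print(f"{peer}: {info['failed_handshakes']} failed TLS handshakes "
              f"within {info['span_seconds']}s - check the TLS versions both sides allow")
```

A peer that appears here repeatedly with short gaps between attempts is a client that cannot agree on a protocol version with the server, which is exactly the situation Dmitri describes.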
[Freeipa-users] Windows AD -- LDAP (oneWay)
Hi

I have successfully set up an AD -- freeipa model, and joining bits and pieces from 389-ds I have set up a one-way sync from Windows.

The issue I have had for the last week is the password sync, which does not seem to work at all; it does not matter what I do in the AD server, I never get the passwords being transferred over. I went through many manual pages, different versions, and I am not clear if I need to run any LDAP modification at all!

This will be a one-way sync and I do not want the passwords being replicated BACK to AD; also I read about the reset setting and I am not sure if every single password needs to be reset at all?

Has anybody got any sort of definitive guide or maybe a clear path to follow?

Many thanks for all your help
Gonzalo
Re: [Freeipa-users] Windows AD -- LDAP (oneWay)
Thanks very much for the quick reply. And that was exactly the bit I never fully understood, till now. Is there any known way of synchronising the passwords? Any recommendations in those regards?

Thanks

On 12/03/2015 22:13, Rich Megginson wrote:
> On 03/12/2015 03:07 PM, Gonzalo Fernandez Ordas wrote:
>> Hi
>>
>> I have successfully set up an AD -- freeipa model, and joining bits and pieces from 389-ds I have set up a one-way sync from Windows.
>>
>> The issue I have had for the last week is the password sync, which does not seem to work at all; it does not matter what I do in the AD server, I never get the passwords being transferred over. I went through many manual pages, different versions, and I am not clear if I need to run any LDAP modification at all!
>>
>> This will be a one-way sync and I do not want the passwords being replicated BACK to AD; also I read about the reset setting and I am not sure if every single password needs to be reset at all?
>>
>> Has anybody got any sort of definitive guide or maybe a clear path to follow?
>
> http://www.port389.org/docs/389ds/howto/howto-windowssync.html#configuring-passsync
>
> Note that you have to change a password in AD in order for it to be sync'd to freeipa. PassSync will not sync already existing passwords.
>
>> Many thanks for all your help
>> Gonzalo