Re: [Freeipa-users] ad relation with winsync
On 02/18/2015 01:13 AM, Nicolas Zin wrote:
> Hi everyone,
>
> I'm back with my winsync replication. The replication process works fine,
> but when I specify "OU=Linux,DC=mycompany,DC=com", where 2 users have been
> created, nothing is replicated.
>
> By the way, this is a big AD (90k objects). Is it a problem? (idrange, for
> example)

Not sure. You can enable the replication logging level in 389 to see what
the problem is.
http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

> If I replicate "cn=Users,DC=company,DC=com" I have users replicated, but
> I'm not sure that all are replicated.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ad relation with winsync
Hi everyone,

I'm back with my winsync replication. The replication process works fine,
but when I specify "OU=Linux,DC=mycompany,DC=com", where 2 users have been
created, nothing is replicated.

By the way, this is a big AD (90k objects). Is it a problem? (idrange, for
example)

If I replicate "cn=Users,DC=company,DC=com" I have users replicated, but
I'm not sure that all are replicated.
Re: [Freeipa-users] ad relation with winsync
----- Original Message -----
> From: "Alexander Bokovoy"
> To: "Nicolas Zin"
> Cc: d...@redhat.com, freeipa-users@redhat.com
> Sent: Thursday, 12 February 2015 12:57:07
> Subject: Re: [Freeipa-users] ad relation with winsync
>
> On Thu, 12 Feb 2015, Nicolas Zin wrote:
>>> The AD is treated as the ultimate source so adds should go only from AD
>>> to IPA but you need the modify to work both ways otherwise your account
>>> state will get out of sync.
>>> Whatever is required by docs is the minimal privilege you need to have
>>> to sync users.
>>>
>>> However did you consider trust?
>>> It is a two way trust but it acts as a one way trust.
>>
>> I know, but my customer doesn't want a two-way trust, whatever it means:
>> - it fears some security concern with a two-way.
> We've been through this multiple times, check freeipa-users@ archives
> for arguments for and against.
>
>> - if he migrates his AD to a new version or new topology, he fears
>> encountering some migration path issue
> Cross-forest trust is the standard feature of AD, we foresee no
> migration path issues and it works with everything from Windows Server
> 2003 to Windows Server 2012R2 (though Red Hat only supports cross-forest
> trust starting with Windows Server 2008 onwards but this is mostly because
> 2003 is already out of support by Microsoft).

I guess the client will change his mind when he sees the deployment (and
maintenance) cost of installing the password sync agent on all DCs, and the
need to reboot their DCs. This is why we are in a PoC for the moment :-)

I will try to see their points, and clarify the situation. For the arguments
Re: [Freeipa-users] ad relation with winsync
On Thu, 12 Feb 2015, Nicolas Zin wrote:
>> The AD is treated as the ultimate source so adds should go only from AD
>> to IPA but you need the modify to work both ways otherwise your account
>> state will get out of sync.
>> Whatever is required by docs is the minimal privilege you need to have
>> to sync users.
>>
>> However did you consider trust?
>> It is a two way trust but it acts as a one way trust.
>
> I know, but my customer doesn't want a two-way trust, whatever it means:
> - it fears some security concern with a two-way.
We've been through this multiple times, check freeipa-users@ archives
for arguments for and against.

> - if he migrates his AD to a new version or new topology, he fears
> encountering some migration path issue
Cross-forest trust is the standard feature of AD, we foresee no
migration path issues and it works with everything from Windows Server
2003 to Windows Server 2012R2 (though Red Hat only supports cross-forest
trust starting with Windows Server 2008 onwards but this is mostly because
2003 is already out of support by Microsoft).

> So it has been decided to go the winsync way.
>
> By the way, I managed to make my one-way replication work with fewer
> privileges, following
> http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights

--
/ Alexander Bokovoy
Re: [Freeipa-users] ad relation with winsync
> The AD is treated as the ultimate source so adds should go only from AD
> to IPA but you need the modify to work both ways otherwise your account
> state will get out of sync.
> Whatever is required by docs is the minimal privilege you need to have
> to sync users.
>
> However did you consider trust?
> It is a two way trust but it acts as a one way trust.

I know, but my customer doesn't want a two-way trust, whatever it means:
- it fears some security concern with a two-way.
- if he migrates his AD to a new version or new topology, he fears
  encountering some migration path issue

So it has been decided to go the winsync way.

By the way, I managed to make my one-way replication work with fewer
privileges, following
http://directory.fedoraproject.org/docs/389ds/howto/howto-windowssync.html#creating-ad-user-with-replication-rights

Thank you

Nicolas
Re: [Freeipa-users] ad relation with winsync
On 02/12/2015 12:37 AM, Nicolas Zin wrote:
> That was that: in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors)
> I got:
>
>   slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>
> And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it
> began to be interesting:
>
>   ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> So I corrected my problem: put the correct hostname in the
> ipa-replica-manage (and not the IP). And it connects!
>
> Next step: having the replication working. The customer doesn't want to
> give my sync user the "Replicating directory changes", "Account Operator"
> and "Enterprise Read-Only Domain Controller" attributes and just wants a
> "one-way replication".
>
> For the one-way replication, I followed the documentation, but I don't
> see any imported users. Do you have an idea? Are some of the Windows
> attributes necessary even for a one-way (Windows to Linux)
> synchronisation?

The AD is treated as the ultimate source so adds should go only from AD
to IPA but you need the modify to work both ways otherwise your account
state will get out of sync.
Whatever is required by docs is the minimal privilege you need to have
to sync users.

However did you consider trust?
It is a two way trust but it acts as a one way trust.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] ad relation with winsync
That was that: in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors)
I got:

  slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)

And when I did "LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ...", it began
to be interesting:

  ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate

So I corrected my problem: put the correct hostname in the
ipa-replica-manage (and not the IP). And it connects!

Next step: having the replication working. The customer doesn't want to
give my sync user the "Replicating directory changes", "Account Operator"
and "Enterprise Read-Only Domain Controller" attributes and just wants a
"one-way replication".

For the one-way replication, I followed the documentation, but I don't see
any imported users. Do you have an idea? Are some of the Windows attributes
necessary even for a one-way (Windows to Linux) synchronisation?

Regards,

Nicolas
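The hostname mismatch diagnosed in this message, as an added example that is not code from the thread, FreeIPA or 389-ds: it reproduces the peer-certificate hostname decision offline against constructed certificate dicts in the shape Python's ssl.getpeercert() returns, and live_check runs the same decision against a real DC over LDAPS. The function names, the sample certificates and the 192.0.2.10 address are assumptions of the example.

```python
"""Added example (not from the thread or from FreeIPA): the hostname check that
produced "TLS: hostname does not match CN in peer certificate" above."""
from __future__ import annotations

import ipaddress
import socket
import ssl


def dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname, RFC 6125 style:
    case-insensitive, and '*.company.com' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".company.com"
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return head != "" and "." not in head


def check_peer_hostname(cert: dict, host: str) -> tuple[bool, str]:
    """Decide whether `host` (the value given to ipa-replica-manage or to
    ldapsearch -H) is acceptable for `cert`, a dict shaped like
    ssl.SSLSocket.getpeercert().  Rules: an IP literal is only ever compared
    with 'IP Address' SAN entries; a hostname is compared with DNS SAN entries
    when the certificate has any, and with the subject CN only when it has
    none (that CN fallback is the case the OpenLDAP message above refers to)."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for entry in ip_names:
            if ipaddress.ip_address(entry) == ip:
                return True, f"{host} matches iPAddress SAN {entry}"
        return False, (f"{host} is an IP literal and the certificate has no "
                       f"matching iPAddress SAN; CN/dNSName are not consulted")
    if dns_names:
        for entry in dns_names:
            if dns_match(entry, host):
                return True, f"{host} matches dNSName SAN {entry}"
        return False, f"{host} matches none of the dNSName SANs {dns_names}"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if dns_match(cn, host):
            return True, f"{host} matches subject CN {cn}"
    return False, f"hostname does not match CN in peer certificate (CN={cns})"


def live_check(host: str, cafile: str, port: int = 636) -> tuple[bool, str]:
    """Connect to the DC over LDAPS with the AD root CA and run the same
    decision on the real peer certificate.  Python's ssl already enforces
    hostname matching (check_hostname=True), so a mismatch surfaces as
    SSLCertVerificationError before check_peer_hostname is reached."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return check_peer_hostname(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return False, f"TLS verification failed: {exc.verify_message}"
    except OSError as exc:
        return False, f"connect error: {exc}"


# Constructed sample certificates in getpeercert() shape (not real DC certs):
# one names the DC only in the subject CN, the other also carries a SAN.
DC_CERT_CN_ONLY = {
    "subject": ((("domainComponent", "com"),),
                (("domainComponent", "company"),),
                (("commonName", "dc.company.com"),)),
    "issuer": ((("commonName", "company-ROOT-CA"),),),
}
DC_CERT_WITH_SAN = dict(DC_CERT_CN_ONLY,
                        subjectAltName=(("DNS", "dc.company.com"),
                                        ("DNS", "*.ad.company.com")))

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the DC's IP.
    for cert_name, cert in (("CN only", DC_CERT_CN_ONLY), ("with SAN", DC_CERT_WITH_SAN)):
        for host in ("dc.company.com", "192.0.2.10", "ldap.ad.company.com"):
            ok, why = check_peer_hostname(cert, host)
            print(f"[{cert_name}] {'OK  ' if ok else 'FAIL'} {why}")
```

Passing the DC's IP instead of its FQDN fails against both sample certificates, which is the -11 Connect error the agreement reported; the same holds whether the server name lives in the CN or in a SAN.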
Re: [Freeipa-users] ad relation with winsync
On 02/11/2015 04:18 AM, Nicolas Zin wrote:
> I reply to myself. This was certainly a Windows configuration issue.
>
> I went further:
>
>   ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com -v
>   Directory Manager password:
>
>   Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
>   ipa: INFO: AD Suffix is: DC=company,DC=com
>   The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
>   ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
>   ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
>   ipa: INFO: Agreement is ready, starting replication . . .
>   Starting replication, please wait until this has completed.
>
>   [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>
> So apparently I manage to connect to AD but something went wrong after?
> How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"

> Regards,
>
> Nicolas Zin
Re: [Freeipa-users] ad relation with winsync
I reply to myself. This was certainly a Windows configuration issue.

I went further:

  ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com -v
  Directory Manager password:

  Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
  ipa: INFO: AD Suffix is: DC=company,DC=com
  The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
  ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
  ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
  ipa: INFO: Agreement is ready, starting replication . . .
  Starting replication, please wait until this has completed.

  [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]

So apparently I manage to connect to AD but something went wrong after?
How can I debug it?

Regards,

Nicolas Zin
[Freeipa-users] ad relation with winsync
Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:

  ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd --passsync whatever --cacert /etc/openldap/cacerts/adRootCA.crt dc.company.com
  Directory Manager password:

  Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
  ipa: INFO: Failed to connect to AD server dc.company.com
  ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
  Failed to setup winsync replication

Do you have an idea what's wrong?
Also, is it possible to point to port 636 instead?

Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe
  manages to connect via SSL on port 636 correctly (so the certificate is
  in place). I don't know how to check it is working properly on port 389,
  i.e. that START_TLS works.
- I checked that the 2 boxes have the same time (ntp).
- I nearly managed to make it work once, but I got another error during
  replication.

Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain
Bureau 200
Montréal, QC, H2R 2Y5