Re: [Freeipa-users] consulting?

2012-01-25 Thread Rich Megginson

On 01/25/2012 12:07 PM, Jimmy wrote:
Found the reason for the ldap search not working- when I created the 
AD certificate role, I accidentally entered a new sub-domain so 
instead of the FQDN in the cert being csp-ad.pdh.csp it came out 
csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to 
work-


ldif output-- http://fpaste.org/xbOC/
debug- http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name.

Yep.  When using TLS/SSL you have to pay close attention to hostnames.


I will be traveling for work for the next couple days but should still 
be working on this issue some. I'll take VM's of the servers on my 
laptop to be able to keep working.

-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:


On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think I've got
the right doc and understand better where this is going. My
problem now is that when configuring SSL on the AD server (step c
in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate template
extension or the CertificateTemplate request attribute.
 The request contains no certificate template information.
0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391
)
Denied by Policy Module  0x80094801, The request does not contain
a certificate template extension or the CertificateTemplate
request attribute.

The RH doc says to use the browser if an error occurs and IIS is
running but I'm not running IIS. I researched that error but
didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise
Root CA mode - it will usually automatically create and install
the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows
2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted here
about it and from what I've read and procedures I've
followed we are unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

> Just wondering if there was anyone listening on the
list that might be
> available for little work integrating FreeIPA with
Active Directory
> (preferably in the south east US.) I hope this isn't
against the list
> rules, I just thought one of you guys could help or
point me in the right
> direction.

If you want some help, it is certainly not against list
rules ;-) But in that
case, it would be much better if you asked what exactly
do you need.

I'm not an AD expert, but a couple tips: If you are
looking for cross-domain
(cross-realm) trust, then you might be a bit
disappointed, it is still in
development, so it probably won't be 100% functional at
this moment.

If you are looking for something else, could you be a
little more specific what
it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
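The two hostname points made in this thread (the AD cert carrying csp-ad.cspad.pdh.csp instead of csp-ad.pdh.csp, and Rich's later note that a sync agreement pointed at an IP address fails the certificate hostname check) are what a TLS client's name check enforces. The following is an added example, not code from the thread or from FreeIPA, 389-ds or PassSync: it re-implements that check in Python over the certificate dictionary shape that ssl.SSLSocket.getpeercert() returns, against constructed certificates built from the names in the thread (the real certs are not on the page), so it runs offline.

```python
"""Hostname check that a TLS client applies to a server certificate.

Added example, not code from the thread or from FreeIPA, 389-ds or
PassSync.  It re-implements the RFC 6125-style matching that OpenSSL and
NSS perform, over the dictionary shape that Python's
ssl.SSLSocket.getpeercert() returns, so it can be run offline.  The
certificate contents below are constructed from the names in the thread.
"""
import ipaddress


def _dns_match(pattern, hostname):
    """Match one DNS name from the certificate against the name we dialled.

    Comparison is case-insensitive; a single leading '*.' may stand in for
    exactly one label and never matches the bare domain or across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, ip_names) the certificate asserts.

    subjectAltName is authoritative; the subject CN is consulted only when
    the certificate carries no SAN at all (the legacy case the AD cert in
    the thread appears to be, since s_client printed only a CN).
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def check_hostname(cert, target):
    """Return None if `cert` is valid for `target`, else a message saying why.

    `target` is whatever the client put on the command line or in the sync
    agreement: a DNS name or an IP address literal.
    """
    dns, ips = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal only matches an iPAddress SAN, never a DNS name or CN.
        if any(ipaddress.ip_address(i) == wanted_ip for i in ips):
            return None
        return ("connected to IP %s but the certificate only names %s; "
                "connect by DNS name instead" % (target, ", ".join(dns) or "nothing"))
    if any(_dns_match(p, target) for p in dns):
        return None
    return "hostname %r does not match certificate names %s" % (target, dns)


# Constructed: the AD server cert as s_client showed it in the thread,
# CN only, issued under the accidental sub-domain.
AD_CERT_AS_ISSUED = {
    "subject": ((("commonName", "csp-ad.cspad.pdh.csp"),),),
}

# Constructed: what a re-issued cert for the intended FQDN would carry.
AD_CERT_REISSUED = {
    "subject": ((("commonName", "csp-ad.pdh.csp"),),),
    "subjectAltName": (("DNS", "csp-ad.pdh.csp"),),
}


if __name__ == "__main__":
    for cert, target in [
        (AD_CERT_AS_ISSUED, "csp-ad.cspad.pdh.csp"),  # matches the cert as issued
        (AD_CERT_AS_ISSUED, "csp-ad.pdh.csp"),        # the intended FQDN: mismatch
        (AD_CERT_AS_ISSUED, "192.168.201.150"),       # IP literal: never matches a CN
        (AD_CERT_REISSUED, "csp-ad.pdh.csp"),         # after re-issuing the cert
    ]:
        print(target, "->", check_hostname(cert, target) or "ok")
```

The third case is the one behind Rich's "you cannot use an IP address" remark: an IP literal is only ever compared against an iPAddress SAN, so a certificate that names the host only by DNS name (CN or DNS SAN) can never pass when the client dials the address. Re-issuing the cert with the intended FQDN, or fixing DNS so the sync agreement dials the name that is actually in the cert, are the two ways out.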

Re: [Freeipa-users] consulting?

2012-01-25 Thread Jimmy
Found the reason for the ldap search not working- when I created the AD
certificate role, I accidentally entered a new sub-domain so instead of
the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp.
I updated DNS and now the ldap search seems to work-

ldif output-- http://fpaste.org/xbOC/
debug-  http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name.

I will be traveling for work for the next couple days but should still be
working on this issue some. I'll take VMs of the servers on my laptop to
be able to keep working.
-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson  wrote:

> On 01/19/2012 02:59 PM, Jimmy wrote:
>
> ok. I started from scratch this week on this and I think I've got the
> right doc and understand better where this is going. My problem now is that
> when configuring SSL on the AD server (step c in this url:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>  )
>
> I get this error:
>
>  certreq -submit request.req certnew.cer
> Active Directory Enrollment Policy
>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>   ldap:
> RequestId: 3
> RequestId: "3"
> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
> request does not contain a certificate template extension or the
> CertificateTemplate request attribute.
>  The request contains no certificate template information. 0x80094801
> (-2146875391)
> Certificate Request Processor: The request contains no certificate
> template information. 0x80094801 (-2146875391)
>  Denied by Policy Module  0x80094801, The request does not contain a
> certificate template extension or the CertificateTemplate request attribute.
>
>  The RH doc says to use the browser if an error occurs and IIS is running
> but I'm not running IIS. I researched that error but didn't find anything
> that helps with FreeIPA and passsync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA
> mode - it will usually automatically create and install the AD server
> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>
>  Jimmy
>
> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>
>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>
>> We need to be able to replicate user/pass between Windows 2008 AD and
>> FreeIPA.
>>
>>
>>  That's what IPA Windows Sync is supposed to do.
>>
>>
>> I have followed many different documents and posted here about it and
>> from what I've read and procedures I've followed we are unable to
>> accomplish this.
>>
>>
>>  What have you tried, and what problems have you run into?
>>
>>  It doesn't need to be a full trust.
>>
>>  Thanks
>>
>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený  wrote:
>>
>>>  > Just wondering if there was anyone listening on the list that might
>>> be
>>> > available for little work integrating FreeIPA with Active Directory
>>> > (preferably in the south east US.) I hope this isn't against the list
>>> > rules, I just thought one of you guys could help or point me in the
>>> right
>>> > direction.
>>>
>>>  If you want some help, it is certainly not against list rules ;-) But
>>> in that
>>> case, it would be much better if you asked what exactly do you need.
>>>
>>> I'm not an AD expert, but a couple tips: If you are looking for
>>> cross-domain
>>> (cross-realm) trust, then you might be a bit disappointed, it is still in
>>> development, so it probably won't be 100% functional at this moment.
>>>
>>> If you are looking for something else, could you be a little more
>>> specific what
>>> it is?
>>>
>>> I also recommend starting with reading some doc:
>>> http://freeipa.org/page/DocumentationPortal
>>>
>>> Thanks
>>> Jan
>>>

Re: [Freeipa-users] consulting?

2012-01-25 Thread Rich Megginson

On 01/25/2012 08:13 AM, Jimmy wrote:

Here is the showcerts output:

http://fpaste.org/AkOC/

Looks like pcap output, not openssl s_client output - I have no idea if 
there is a showcerts option for pcap, or how it works, but it looks like 
it didn't work

I'll do the ldapsearch commands in a sec.
Thanks-
Jimmy




Re: [Freeipa-users] consulting?

2012-01-25 Thread Jimmy
Here is the showcerts output:

http://fpaste.org/AkOC/

I'll do the ldapsearch commands in a sec.
Thanks-
Jimmy

Re: [Freeipa-users] consulting?

2012-01-23 Thread Jimmy
I did create the winsync user and it is an admin.

I will fix the ip address (change to hostname); I only did it that way
because this is currently a test system so I can figure out how to get it
all working.

On Mon, Jan 23, 2012 at 1:06 PM, Rich Megginson  wrote:

> On 01/23/2012 10:52 AM, Jimmy wrote:
>
> That's what I was thinking, and what I did, but it still doesn't replicate
> new users. This is the command I used:
>
>   ipa-replica-manage connect --passsync --binddn
> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw= --cacert
> /home/winsync/AD-server-cert.cer 192.168.201.150 -v
>
>
> Did you create the user cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp?  And
> does this user have the rights to perform sync? (e.g. has to have
> replicator rights, or be some sort of admin) - see
> http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx - the AD
> user must have replication rights and write rights.
>
> In addition, since this process uses SSL, you cannot use an IP address,
> you must use a hostname, or the SSL cert hostname checking (for MITM) will
> fail.
>
>
> On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson wrote:
>
>>  On 01/23/2012 10:19 AM, Jimmy wrote:
>>
>> Here's what I found in the DS admin guide. Is this all that's needed to
>> create the sync agreement?
>>
>>  Not with ipa - you should use the ipa-replica-manage command instead
>>
>>  Thanks.
>>
>>  add sync agreement:
>> ldapmodify -x -D "cn=Directory Manager" -W
>> Enter LDAP Password: ***
>> dn: cn=ExampleSyncAgreement,cn=sync
>> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>>
>>  it should be cn=replica, not cn=sync replica - does it use the latter in
>> the Admin Guide?
>>
>>  changetype: add
>> objectclass: top
>> objectclass: nsDSWindowsReplicationAgreement
>> cn: ExampleSyncAgreement
>> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>>
>>  nsds7NewWinUserSyncEnabled: on
>> nsds7NewWinGroupSyncEnabled: on
>> nsds7WindowsDomain: ad1
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaHost: ad1.windows-server.com
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=sync user,cn=config
>> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>> nsDS5ReplicaTransportInfo: TLS
>> winSyncInterval: 1200
>>
>> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson wrote:
>>
>>>  On 01/20/2012 01:08 PM, Jimmy wrote:
>>>
>>> That was it! I have passwords syncing, *BUT*(at the risk of sounding
>>> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>>>
>>>  Yes, it is.  Just configure IPA Windows Sync
>>>
>>> I created a new user in AD and it doesn't propagate to DS, just says:
>>>
>>>  attempting to sync password for testuser3
>>> searching for (ntuserdomainid=testuser3)
>>> There are no entries that match: testuser3
>>> deferring password change for testuser3
>>>
>>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:
>>>
>>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>>
>>>> Getting close here... Now I see this message in the sync log file:
>>>>
>>>> attempting to sync password for testuser
>>>> searching for (ntuserdomainid=testuser)
>>>> ldap error in queryusername
>>>>  32: no such object
>>>> deferring password change for testuser
>>>>
>>>> This usually means the search base is incorrect or not found.  You can
>>>> look at the 389 access log to see what it was using as the search criteria.
>>>>
>>>>
>>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:
>>>>
>>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>>
>>>>> You are correct. I had installed as an Enterprise root, but the doc I
>>>>> was reading(original link) seemed to say that I had to do the certreq
>>>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>>>> connection from DS to AD but I get these errors:
>>>>>
>>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>>>> dsca.crt
>>>>> CONNECTED(0003)
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=20:unable to get local issuer certificate
>>>>> verify return:1
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=27:certificate not trusted
>>>>> verify return:1
>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>> verify error:num=21:unable to verify the first certificate
>>>>> verify return:1
>>>>>
>>>>> I thought I had imported the cert from AD but it doesn't seem so.
>>>>> I'm still researching but if you guys have a suggestion let me know.
>>>>>
>>>>> Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>>>>> work.  You need the CA cert from the CA that issued the AD server cert
>>>>> (i.e. the CA cert from the MS Enterprise Root CA).
>>>>>
>>>>> -J
>>>>>
>>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>>>>>
>>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>>
>>>>>> ok. I started from scratch this week on this and I think I've got the
>>>>>> right doc and understand better where this is going. My
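
The two PassSync log excerpts quoted in the message above end in the same "deferring password change" line but for different reasons (an LDAP err=32 on the search base versus a search that ran fine and simply found no entry), and Rich's advice is to read the 389 access log to see which base and filter were actually used. The following is an added example, not code from the thread or from PassSync or 389-ds: it groups PassSync log lines into one record per sync attempt, classifies the cause, and joins each attempt to the matching SRCH/RESULT pair in a 389 access log. The SRCH and RESULT line layout is the real 389-ds access-log format; the access-log excerpt itself (timestamps, connection numbers, bind DN, search bases) and the hypothetical wrong base dc=cspad,dc=pdh,dc=csp are constructed for the example.

```python
"""Triage of PassSync "deferring password change" entries.

Added example, not code from the thread or from PassSync or 389-ds.
The PassSync lines are the two excerpts from the thread; the 389
access-log excerpt is constructed (real SRCH/RESULT layout, made-up
timestamps, connection numbers, bind DN and search bases).
"""
import re

# Constructed from the two log excerpts in the thread.
PASSSYNC_LOG = """\
attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3
"""

# Constructed 389 access-log excerpt: the first search used a base that does
# not exist (AD domain pasted into the IPA suffix, a hypothetical mistake),
# the second used an existing base but matched nothing.
ACCESS_LOG = """\
[20/Jan/2012:12:46:10 -0700] conn=7 op=1 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=pdh,dc=csp" method=128 version=3
[20/Jan/2012:12:46:10 -0700] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2012:12:46:10 -0700] conn=7 op=2 SRCH base="cn=users,cn=accounts,dc=cspad,dc=pdh,dc=csp" scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL
[20/Jan/2012:12:46:10 -0700] conn=7 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[20/Jan/2012:13:08:02 -0700] conn=9 op=2 SRCH base="cn=users,cn=accounts,dc=pdh,dc=csp" scope=2 filter="(ntuserdomainid=testuser3)" attrs=ALL
[20/Jan/2012:13:08:02 -0700] conn=9 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)")


def index_searches(access_log):
    """Join SRCH and RESULT lines on (conn, op); key each search by its filter."""
    pending, by_filter = {}, {}
    for line in access_log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is not None:
                srch["err"], srch["nentries"] = int(err), int(nentries)
                by_filter[srch["filter"].lower()] = srch
    return by_filter


def triage_passsync(passsync_log, access_log=""):
    """Return one dict per 'attempting to sync password' block."""
    searches = index_searches(access_log)
    attempts, cur = [], None
    lines = [l.strip() for l in passsync_log.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("attempting to sync password for "):
            cur = {"user": line.rsplit(" ", 1)[1], "filter": None,
                   "outcome": "no deferral logged", "cause": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif line.startswith("searching for "):
            cur["filter"] = line[len("searching for "):]
        elif line == "ldap error in queryusername":
            # The LDAP result code follows on the next line, e.g. "32: no such object".
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            code = int(nxt.split(":", 1)[0]) if nxt[:1].isdigit() else None
            cur["ldap_err"] = code
            cur["cause"] = ("search base does not exist (err=32): fix the PassSync "
                            "search base" if code == 32
                            else "LDAP error %s during user lookup" % code)
        elif line.startswith("There are no entries that match:"):
            cur["cause"] = ("search base exists but no entry carries that "
                            "ntUserDomainId: the user was never created on the DS "
                            "side, so Windows Sync is not adding new users")
        elif line.startswith("deferring password change for "):
            cur["outcome"] = "deferred"
    # Attach what the directory server actually saw for the same filter.
    for a in attempts:
        hit = searches.get((a["filter"] or "").lower())
        a["search_base"] = hit["base"] if hit else None
        a["access_err"] = hit["err"] if hit else None
    return attempts


if __name__ == "__main__":
    for a in triage_passsync(PASSSYNC_LOG, ACCESS_LOG):
        print("%-10s %-20s base=%s err=%s\n           %s" % (
            a["user"], a["outcome"], a["search_base"], a["access_err"], a["cause"]))
```

The join on (conn, op) matters because a busy 389-ds interleaves operations from many connections; matching a RESULT to its SRCH by position in the file is unreliable. Once the base is visible, the two cases separate cleanly: err=32 means the base DN itself is wrong in the PassSync configuration, while err=0 with nentries=0 means the lookup is fine and the missing piece is the user entry, which is what Windows Sync (not PassSync) creates.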

Re: [Freeipa-users] consulting?

2012-01-23 Thread Jimmy
That's what I was thinking, and what I did, but it still doesn't replicate
new users. This is the command I used:

 ipa-replica-manage connect --passsync --binddn
cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw= --cacert
/home/winsync/AD-server-cert.cer 192.168.201.150 -v

On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson wrote:

> On 01/23/2012 10:19 AM, Jimmy wrote:
>
> Here's what I found in the DS admin guide. Is this all that's needed to
> create the sync agreement?
>
> Not with ipa - you should use the ipa-replica-manage command instead
>
>  Thanks.
>
>  add sync agreement:
> ldapmodify -x -D "cn=Directory Manager" -W
> Enter LDAP Password: ***
> dn: cn=ExampleSyncAgreement,cn=sync
> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>
> it should be cn=replica, not cn=sync replica - does it use the latter in
> the Admin Guide?
>
>  changetype: add
> objectclass: top
> objectclass: nsDSWindowsReplicationAgreement
> cn: ExampleSyncAgreement
> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>
>  nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: on
> nsds7WindowsDomain: ad1
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaHost: ad1.windows-server.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=sync user,cn=config
> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
> nsDS5ReplicaTransportInfo: TLS
> winSyncInterval: 1200
>
> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson wrote:
>
>>  On 01/20/2012 01:08 PM, Jimmy wrote:
>>
>> That was it! I have passwords syncing, *BUT*(at the risk of sounding
>> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>>
>>  Yes, it is.  Just configure IPA Windows Sync
>>
>> I created a new user in AD and it doesn't propagate to DS, just says:
>>
>>  attempting to sync password for testuser3
>> searching for (ntuserdomainid=testuser3)
>> There are no entries that match: testuser3
>> deferring password change for testuser3
>>
>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:
>>
>>>  On 01/20/2012 12:46 PM, Jimmy wrote:
>>>
>>> Getting close here... Now I see this message in the sync log file:
>>>
>>>  attempting to sync password for testuser
>>> searching for (ntuserdomainid=testuser)
>>> ldap error in queryusername
>>>  32: no such object
>>> deferring password change for testuser
>>>
>>>  This usually means the search base is incorrect or not found.  You can
>>> look at the 389 access log to see what it was using as the search criteria.
>>>
>>>
>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:
>>>
>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>
>>>> You are correct. I had installed as an Enterprise root, but the doc I
>>>> was reading(original link) seemed to say that I had to do the certreq
>>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>>> connection from DS to AD but I get these errors:
>>>>
>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>>> dsca.crt
>>>> CONNECTED(0003)
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=20:unable to get local issuer certificate
>>>> verify return:1
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=27:certificate not trusted
>>>> verify return:1
>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>> verify error:num=21:unable to verify the first certificate
>>>> verify return:1
>>>>
>>>> I thought I had imported the cert from AD but it doesn't seem so. I'm
>>>> still researching but if you guys have a suggestion let me know.
>>>>
>>>> Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>>>> work.  You need the CA cert from the CA that issued the AD server cert
>>>> (i.e. the CA cert from the MS Enterprise Root CA).
>>>>
>>>> -J
>>>>
>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>>>>
>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>
>>>>> ok. I started from scratch this week on this and I think I've got the
>>>>> right doc and understand better where this is going. My problem now is
>>>>> that
>>>>> when configuring SSL on the AD server (step c in this url:
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>>>> )
>>>>>
>>>>> I get this error:
>>>>>
>>>>> certreq -submit request.req certnew.cer
>>>>> Active Directory Enrollment Policy
>>>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>   ldap:
>>>>> RequestId: 3
>>>>> RequestId: "3"
>>>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801,
>>>>> The request does not contain a certificate template extension or the
>>>>> CertificateTemplate request attribute.
>>>>> The request contains no certificate template information. 0x80094801
>>>>> (-2146875391)
>>>>> Certificate Request Processor: The request contains no certificate
>>>>> template information. 0x80094801 (-2146875391)
>>>>> Denied by Policy Mo

Re: [Freeipa-users] consulting?

2012-01-23 Thread Rich Megginson

On 01/23/2012 10:19 AM, Jimmy wrote:
Here's what I found in the DS admin guide. Is this all that's needed 
to create the sync agreement?

Not with ipa - you should use the ipa-replica-manage command instead

Thanks.

add sync agreement:
ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: ***
dn: cn=ExampleSyncAgreement,cn=sync 
replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
it should be cn=replica, not cn=sync replica - does it use the latter in 
the Admin Guide?

changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com 
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200

On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson wrote:


On 01/20/2012 01:08 PM, Jimmy wrote:

That was it! I have passwords syncing, *BUT*(at the risk of
sounding stupid)-- is it not possible to also sync(add) the users
from AD to DS?

Yes, it is.  Just configure IPA Windows Sync


I created a new user in AD and it doesn't propagate to DS, just
says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:

On 01/20/2012 12:46 PM, Jimmy wrote:

Getting close here... Now I see this message in the sync log
file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

This usually means the search base is incorrect or not
found.  You can look at the 389 access log to see what it was
using as the search criteria.



On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:

On 01/20/2012 10:23 AM, Jimmy wrote:

You are correct. I had installed as an Enterprise root,
but the doc I was reading(original link) seemed to say
that I had to do the certreq manually, my bad. I think
I'm getting closer I can establish an openssl
connection from DS to AD but I get these errors:

 openssl s_client -connect 192.168.201.150:636
 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it
doesn't seem so. I'm still researching but if you guys
have a suggestion let me know.

Is dsca.crt the CA that issued the DS server cert?  If
so, that won't work.  You need the CA cert from the CA
that issued the AD server cert (i.e. the CA cert from
the MS Enterprise Root CA).


-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I
think I've got the right doc and understand better
where this is going. My problem now is that when
configuring SSL on the AD server (step c in this
url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy
Module  0x80094801, The request does not contain a
certificate template extension or the
CertificateTemplate request attribute.
 The request contains no certificate template
information.

Re: [Freeipa-users] consulting?

2012-01-23 Thread Jimmy
Here's what I found in the DS admin guide. Is this all that's needed to
create the sync agreement? Thanks.

add sync agreement:
ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: ***
dn: cn=ExampleSyncAgreement,cn=sync
replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200

On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson  wrote:

> On 01/20/2012 01:08 PM, Jimmy wrote:
>
> That was it! I have passwords syncing, *BUT*(at the risk of sounding
> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>
> Yes, it is.  Just configure IPA Windows Sync
>
> I created a new user in AD and it doesn't propagate to DS, just says:
>
>  attempting to sync password for testuser3
> searching for (ntuserdomainid=testuser3)
> There are no entries that match: testuser3
> deferring password change for testuser3
>
> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:
>
>>  On 01/20/2012 12:46 PM, Jimmy wrote:
>>
>> Getting close here... Now I see this message in the sync log file:
>>
>>  attempting to sync password for testuser
>> searching for (ntuserdomainid=testuser)
>> ldap error in queryusername
>>  32: no such object
>> deferring password change for testuser
>>
>>  This usually means the search base is incorrect or not found.  You can
>> look at the 389 access log to see what it was using as the search criteria.
>>
>>
>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:
>>
>>>  On 01/20/2012 10:23 AM, Jimmy wrote:
>>>
>>> You are correct. I had installed as an Enterprise root, but the doc I
>>> was reading(original link) seemed to say that I had to do the certreq
>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>> connection from DS to AD but I get these errors:
>>>
>>>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>> dsca.crt
>>> CONNECTED(0003)
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>  verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>>
>>>  I thought I had imported the cert from AD but it doesn't seem so. I'm
>>> still researching but if you guys have a suggestion let me know.
>>>
>>>  Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>>> work.  You need the CA cert from the CA that issued the AD server cert
>>> (i.e. the CA cert from the MS Enterprise Root CA).
>>>
>>>  -J
>>>
>>>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>>>
>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>
>>>> ok. I started from scratch this week on this and I think I've got the
>>>> right doc and understand better where this is going. My problem now is that
>>>> when configuring SSL on the AD server (step c in this url:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>>> )
>>>>
>>>> I get this error:
>>>>
>>>> certreq -submit request.req certnew.cer
>>>> Active Directory Enrollment Policy
>>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>   ldap:
>>>> RequestId: 3
>>>> RequestId: "3"
>>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801,
>>>> The request does not contain a certificate template extension or the
>>>> CertificateTemplate request attribute.
>>>> The request contains no certificate template information. 0x80094801
>>>> (-2146875391)
>>>> Certificate Request Processor: The request contains no certificate
>>>> template information. 0x80094801 (-2146875391)
>>>> Denied by Policy Module  0x80094801, The request does not contain a
>>>> certificate template extension or the CertificateTemplate request
>>>> attribute.
>>>>
>>>> The RH doc says to use the browser if an error occurs and IIS is
>>>> running but I'm not running IIS. I researched that error but didn't find
>>>> anything that helps with FreeIPA and passsync.
>>>>
>>>> Hmm - try installing Microsoft Certificate Authority in Enterprise
>>>> Root CA mode - it will usually automatically create and install the AD
>>>> server cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>
>>>>
>>>> Jimmy
>>>>
>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>>>>
>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>
>>>>>

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 01:08 PM, Jimmy wrote:
That was it! I have passwords syncing, *BUT*(at the risk of sounding 
stupid)-- is it not possible to also sync(add) the users from AD to DS?

Yes, it is.  Just configure IPA Windows Sync

I created a new user in AD and it doesn't propagate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:


On 01/20/2012 12:46 PM, Jimmy wrote:

Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

This usually means the search base is incorrect or not found.  You
can look at the 389 access log to see what it was using as the
search criteria.



On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:

On 01/20/2012 10:23 AM, Jimmy wrote:

You are correct. I had installed as an Enterprise root, but
the doc I was reading(original link) seemed to say that I
had to do the certreq manually, my bad. I think I'm getting
closer I can establish an openssl connection from DS to AD
but I get these errors:

 openssl s_client -connect 192.168.201.150:636
 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't
seem so. I'm still researching but if you guys have a
suggestion let me know.

Is dsca.crt the CA that issued the DS server cert?  If so,
that won't work.  You need the CA cert from the CA that
issued the AD server cert (i.e. the CA cert from the MS
Enterprise Root CA).


-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I
think I've got the right doc and understand better
where this is going. My problem now is that when
configuring SSL on the AD server (step c in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request
attribute.
 The request contains no certificate template
information. 0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801
(-2146875391 )
Denied by Policy Module  0x80094801, The request does
not contain a certificate template extension or the
CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs
and IIS is running but I'm not running IIS. I
researched that error but didn't find anything that
helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between
Windows 2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and
posted here about it and from what I've read and
procedures I've followed we are unable to
accomplish this.


What have you tried,

Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
That was it! I have passwords syncing, *BUT*(at the risk of sounding
stupid)-- is it not possible to also sync(add) the users from AD to DS? I
created a new user in AD and it doesn't propagate to DS, just says:

attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson wrote:

> On 01/20/2012 12:46 PM, Jimmy wrote:
>
> Getting close here... Now I see this message in the sync log file:
>
>  attempting to sync password for testuser
> searching for (ntuserdomainid=testuser)
> ldap error in queryusername
>  32: no such object
> deferring password change for testuser
>
> This usually means the search base is incorrect or not found.  You can
> look at the 389 access log to see what it was using as the search criteria.
>
>
> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:
>
>>  On 01/20/2012 10:23 AM, Jimmy wrote:
>>
>> You are correct. I had installed as an Enterprise root, but the doc I was
>> reading (original link) seemed to say that I had to do the certreq manually,
>> my bad. I think I'm getting closer: I can establish an openssl connection
>> from DS to AD but I get these errors:
>>
>>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>> dsca.crt
>> CONNECTED(0003)
>> depth=0 CN = csp-ad.cspad.pdh.csp
>>  verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 CN = csp-ad.cspad.pdh.csp
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>>
>>  I thought I had imported the cert from AD but it doesn't seem so. I'm
>> still researching but if you guys have a suggestion let me know.
>>
>>  Is dsca.crt the CA that issued the DS server cert?  If so, that won't
>> work.  You need the CA cert from the CA that issued the AD server cert
>> (i.e. the CA cert from the MS Enterprise Root CA).
>>
>>  -J
>>
>>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>>
>>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>>
>>> ok. I started from scratch this week on this and I think I've got the
>>> right doc and understand better where this is going. My problem now is that
>>> when configuring SSL on the AD server (step c in this url:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>>  )
>>>
>>> I get this error:
>>>
>>>  certreq -submit request.req certnew.cer
>>> Active Directory Enrollment Policy
>>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>   ldap:
>>> RequestId: 3
>>> RequestId: "3"
>>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>>> request does not contain a certificate template extension or the
>>> CertificateTemplate request attribute.
>>>  The request contains no certificate template information. 0x80094801
>>> (-2146875391)
>>> Certificate Request Processor: The request contains no certificate
>>> template information. 0x80094801 (-2146875391)
>>>  Denied by Policy Module  0x80094801, The request does not contain a
>>> certificate template extension or the CertificateTemplate request attribute.
>>>
>>>  The RH doc says to use the browser if an error occurs and IIS is
>>> running but I'm not running IIS. I researched that error but didn't find
>>> anything that helps with FreeIPA and passsync.
>>>
>>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>>> CA mode - it will usually automatically create and install the AD server
>>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>
>>>
>>>  Jimmy
>>>
>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>>>
  On 01/11/2012 11:22 AM, Jimmy wrote:

 We need to be able to replicate user/pass between Windows 2008 AD and
 FreeIPA.


  That's what IPA Windows Sync is supposed to do.


 I have followed many different documents and posted here about it and
 from what I've read and procedures I've followed we are unable to
 accomplish this.


  What have you tried, and what problems have you run into?

  It doesn't need to be a full trust.

  Thanks

 On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

>  > Just wondering if there was anyone listening on the list that
> might be
> > available for little work integrating FreeIPA with Active Directory
> > (preferably in the south east US.) I hope this isn't against the
> list
> > rules, I just thought one of you guys could help or point me in the
> right
> > direction.
>
>  If you want some help, it is certainly not against list rules ;-)
> But in that
> case, it would be much better if you asked what exactly do you need.
>
> I'm not an AD expert, but a c

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 12:46 PM, Jimmy wrote:

Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
This usually means the search base is incorrect or not found.  You can 
look at the 389 access log to see what it was using as the search criteria.


On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:


On 01/20/2012 10:23 AM, Jimmy wrote:

You are correct. I had installed as an Enterprise root, but the
doc I was reading (original link) seemed to say that I had to do
the certreq manually, my bad. I think I'm getting closer: I can
establish an openssl connection from DS to AD but I get these
errors:

 openssl s_client -connect 192.168.201.150:636
 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so.
I'm still researching but if you guys have a suggestion let me know.

Is dsca.crt the CA that issued the DS server cert?  If so, that
won't work.  You need the CA cert from the CA that issued the AD
server cert (i.e. the CA cert from the MS Enterprise Root CA).


-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think
I've got the right doc and understand better where this is
going. My problem now is that when configuring SSL on the AD
server (step c in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request attribute.
 The request contains no certificate template information.
0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391
)
Denied by Policy Module  0x80094801, The request does not
contain a certificate template extension or the
CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and
IIS is running but I'm not running IIS. I researched that
error but didn't find anything that helps with FreeIPA and
passsync.

Hmm - try installing Microsoft Certificate Authority in
Enterprise Root CA mode - it will usually automatically
create and install the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between
Windows 2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted
here about it and from what I've read and procedures
I've followed we are unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

> Just wondering if there was anyone listening on
the list that might be
> available for little work integrating FreeIPA
with Active Directory
> (preferably in the south east US.) I hope this
isn't against the list
> rules, I just thought one of you guys could help
or point me in the right
> direction.

If you want some help, it is certainly not against
list rules ;-) But in that
case, it would be much better if you asked what
exactly do you need.

I'm not an AD expert, but a

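Rich's advice above, to read the 389 access log and see what search base and filter the server actually received, can be scripted. The following is an added example (not code from the thread, PassSync or 389 DS) that pairs each "deferring password change" line from PassSync with the matching SRCH/RESULT pair in a 389 DS access log, and tells apart a search base that does not exist (the "32: no such object" case here) from a user entry that was never synced from AD into DS (the "There are no entries that match" case in Jimmy's later mail). The PassSync lines mirror the thread; the access-log lines, timestamps and DNs are constructed placeholders.

```python
"""Correlate PassSync deferrals with what 389 DS logged for the search.

Added diagnostic example; not code from the thread, PassSync or 389 DS.
The PassSync lines mirror the messages quoted in the thread; the 389 DS
access-log lines, DNs and timestamps are constructed for the example.
"""
import re

# 389 DS access log: the SRCH line and its RESULT line share conn= and op=.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) "
    r"tag=\d+ nentries=(?P<nentries>\d+)"
)
# PassSync log line written when a password change is held back.
DEFER_RE = re.compile(r"deferring password change for (?P<user>\S+)")

LDAP_NO_SUCH_OBJECT = 32  # the "32: no such object" seen in the thread

PASSSYNC_LOG = [  # constructed, mirrors the thread's quoted PassSync output
    "attempting to sync password for testuser",
    "searching for (ntuserdomainid=testuser)",
    "ldap error in queryusername",
    " 32: no such object",
    "deferring password change for testuser",
    "attempting to sync password for testuser3",
    "searching for (ntuserdomainid=testuser3)",
    "There are no entries that match: testuser3",
    "deferring password change for testuser3",
]

ACCESS_LOG = [  # constructed 389 DS access-log lines; DNs are placeholders
    '[20/Jan/2012:12:40:01 -0700] conn=7 op=2 SRCH base="ou=Users,dc=example,dc=com" '
    'scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL',
    "[20/Jan/2012:12:40:01 -0700] conn=7 op=2 RESULT err=32 tag=101 nentries=0 etime=0",
    '[20/Jan/2012:14:46:10 -0700] conn=9 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=com" '
    'scope=2 filter="(ntuserdomainid=testuser3)" attrs=ALL',
    "[20/Jan/2012:14:46:10 -0700] conn=9 op=2 RESULT err=0 tag=101 nentries=0 etime=0",
]


def parse_access_log(lines):
    """Pair each SRCH with its RESULT; return completed searches in log order."""
    pending = {}
    searches = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = {
                "base": m["base"], "scope": int(m["scope"]), "filter": m["filter"]}
            continue
        m = RESULT_RE.search(line)
        if m:
            srch = pending.pop((m["conn"], m["op"]), None)
            if srch is not None:  # ignore RESULT lines of non-search operations
                srch["err"] = int(m["err"])
                srch["nentries"] = int(m["nentries"])
                searches.append(srch)
    return searches


def deferred_users(passsync_lines):
    """Users for which PassSync reported a deferred password change."""
    return [m["user"] for m in (DEFER_RE.search(l) for l in passsync_lines) if m]


def diagnose(passsync_lines, access_lines):
    """Explain each deferral from the server's point of view.

    status values:
      bad_base     - the configured search base does not exist (err=32)
      user_missing - base exists, but no entry carries that ntuserdomainid,
                     i.e. the user was never synced from AD into DS
      no_search    - 389 DS never logged a search for the user
      other        - any other LDAP result
    """
    searches = parse_access_log(access_lines)
    report = {}
    for user in deferred_users(passsync_lines):
        wanted = f"(ntuserdomainid={user})".lower()
        hits = [s for s in searches if s["filter"].lower() == wanted]
        if not hits:
            report[user] = {"status": "no_search", "base": None, "err": None}
            continue
        last = hits[-1]  # the most recent attempt is the relevant one
        if last["err"] == LDAP_NO_SUCH_OBJECT:
            status = "bad_base"
        elif last["err"] == 0 and last["nentries"] == 0:
            status = "user_missing"
        else:
            status = "other"
        report[user] = {"status": status, "base": last["base"], "err": last["err"]}
    return report


if __name__ == "__main__":
    for user, info in diagnose(PASSSYNC_LOG, ACCESS_LOG).items():
        print(f"{user}: {info['status']} (base={info['base']!r})")
```
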
Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
Getting close here... Now I see this message in the sync log file:

attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser

On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson wrote:

> On 01/20/2012 10:23 AM, Jimmy wrote:
>
> You are correct. I had installed as an Enterprise root, but the doc I was
> reading (original link) seemed to say that I had to do the certreq manually,
> my bad. I think I'm getting closer: I can establish an openssl connection
> from DS to AD but I get these errors:
>
>   openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
> dsca.crt
> CONNECTED(0003)
> depth=0 CN = csp-ad.cspad.pdh.csp
>  verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = csp-ad.cspad.pdh.csp
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
>  I thought I had imported the cert from AD but it doesn't seem so. I'm
> still researching but if you guys have a suggestion let me know.
>
> Is dsca.crt the CA that issued the DS server cert?  If so, that won't
> work.  You need the CA cert from the CA that issued the AD server cert
> (i.e. the CA cert from the MS Enterprise Root CA).
>
>  -J
>
>  On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:
>
>>  On 01/19/2012 02:59 PM, Jimmy wrote:
>>
>> ok. I started from scratch this week on this and I think I've got the
>> right doc and understand better where this is going. My problem now is that
>> when configuring SSL on the AD server (step c in this url:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>>  )
>>
>> I get this error:
>>
>>  certreq -submit request.req certnew.cer
>> Active Directory Enrollment Policy
>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>   ldap:
>> RequestId: 3
>> RequestId: "3"
>> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
>> request does not contain a certificate template extension or the
>> CertificateTemplate request attribute.
>>  The request contains no certificate template information. 0x80094801
>> (-2146875391)
>> Certificate Request Processor: The request contains no certificate
>> template information. 0x80094801 (-2146875391)
>>  Denied by Policy Module  0x80094801, The request does not contain a
>> certificate template extension or the CertificateTemplate request attribute.
>>
>>  The RH doc says to use the browser if an error occurs and IIS is
>> running but I'm not running IIS. I researched that error but didn't find
>> anything that helps with FreeIPA and passsync.
>>
>>  Hmm - try installing Microsoft Certificate Authority in Enterprise Root
>> CA mode - it will usually automatically create and install the AD server
>> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>
>>
>>  Jimmy
>>
>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>>
>>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>>
>>> We need to be able to replicate user/pass between Windows 2008 AD and
>>> FreeIPA.
>>>
>>>
>>>  That's what IPA Windows Sync is supposed to do.
>>>
>>>
>>> I have followed many different documents and posted here about it and
>>> from what I've read and procedures I've followed we are unable to
>>> accomplish this.
>>>
>>>
>>>  What have you tried, and what problems have you run into?
>>>
>>>  It doesn't need to be a full trust.
>>>
>>>  Thanks
>>>
>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>>>
  > Just wondering if there was anyone listening on the list that might
 be
 > available for little work integrating FreeIPA with Active Directory
 > (preferably in the south east US.) I hope this isn't against the list
 > rules, I just thought one of you guys could help or point me in the
 right
 > direction.

  If you want some help, it is certainly not against list rules ;-) But
 in that
 case, it would be much better if you asked what exactly do you need.

 I'm not an AD expert, but a couple tips: If you are looking for
 cross-domain
 (cross-realm) trust, then you might be a bit disappointed, it is still
 in
 development, so it probably won't be 100% functional at this moment.

 If you are looking for something else, could you be a little more
 specific what
 it is?

 I also recommend starting with reading some doc:
 http://freeipa.org/page/DocumentationPortal

 Thanks
 Jan

>>>
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>
>>
>
>

Re: [Freeipa-users] consulting?

2012-01-20 Thread Rich Megginson

On 01/20/2012 10:23 AM, Jimmy wrote:
You are correct. I had installed as an Enterprise root, but the doc I
was reading (original link) seemed to say that I had to do the certreq
manually, my bad. I think I'm getting closer: I can establish an
openssl connection from DS to AD but I get these errors:


 openssl s_client -connect 192.168.201.150:636 
 -showcerts -CAfile dsca.crt

CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm 
still researching but if you guys have a suggestion let me know.
Is dsca.crt the CA that issued the DS server cert?  If so, that won't 
work.  You need the CA cert from the CA that issued the AD server cert 
(i.e. the CA cert from the MS Enterprise Root CA).

-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:


On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think I've got
the right doc and understand better where this is going. My
problem now is that when configuring SSL on the AD server (step c
in this url:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )

I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module
 0x80094801, The request does not contain a certificate template
extension or the CertificateTemplate request attribute.
 The request contains no certificate template information.
0x80094801 (-2146875391 )
Certificate Request Processor: The request contains no
certificate template information. 0x80094801 (-2146875391
)
Denied by Policy Module  0x80094801, The request does not contain
a certificate template extension or the CertificateTemplate
request attribute.

The RH doc says to use the browser if an error occurs and IIS is
running but I'm not running IIS. I researched that error but
didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise
Root CA mode - it will usually automatically create and install
the AD server cert.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync



Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows
2008 AD and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted here
about it and from what I've read and procedures I've
followed we are unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

> Just wondering if there was anyone listening on the
list that might be
> available for little work integrating FreeIPA with
Active Directory
> (preferably in the south east US.) I hope this isn't
against the list
> rules, I just thought one of you guys could help or
point me in the right
> direction.

If you want some help, it is certainly not against list
rules ;-) But in that
case, it would be much better if you asked what exactly
do you need.

I'm not an AD expert, but a couple tips: If you are
looking for cross-domain
(cross-realm) trust, then you might be a bit
disappointed, it is still in
development, so it probably won't be 100% functional at
this moment.

If you are looking for something else, could you be a
little more specific what
it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan




Re: [Freeipa-users] consulting?

2012-01-20 Thread Jimmy
You are correct. I had installed as an Enterprise root, but the doc I was
reading (original link) seemed to say that I had to do the certreq manually,
my bad. I think I'm getting closer: I can establish an openssl connection
from DS to AD but I get these errors:

 openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
CONNECTED(0003)
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = csp-ad.cspad.pdh.csp
verify error:num=21:unable to verify the first certificate
verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm still
researching but if you guys have a suggestion let me know.
-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson wrote:

> On 01/19/2012 02:59 PM, Jimmy wrote:
>
> ok. I started from scratch this week on this and I think I've got the
> right doc and understand better where this is going. My problem now is that
> when configuring SSL on the AD server (step c in this url:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
>  )
>
> I get this error:
>
>  certreq -submit request.req certnew.cer
> Active Directory Enrollment Policy
>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>   ldap:
> RequestId: 3
> RequestId: "3"
> Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
> request does not contain a certificate template extension or the
> CertificateTemplate request attribute.
>  The request contains no certificate template information. 0x80094801
> (-2146875391)
> Certificate Request Processor: The request contains no certificate
> template information. 0x80094801 (-2146875391)
>  Denied by Policy Module  0x80094801, The request does not contain a
> certificate template extension or the CertificateTemplate request attribute.
>
>  The RH doc says to use the browser if an error occurs and IIS is running
> but I'm not running IIS. I researched that error but didn't find anything
> that helps with FreeIPA and passsync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA
> mode - it will usually automatically create and install the AD server
> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>
>  Jimmy
>
> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:
>
>>  On 01/11/2012 11:22 AM, Jimmy wrote:
>>
>> We need to be able to replicate user/pass between Windows 2008 AD and
>> FreeIPA.
>>
>>
>>  That's what IPA Windows Sync is supposed to do.
>>
>>
>> I have followed many different documents and posted here about it and
>> from what I've read and procedures I've followed we are unable to
>> accomplish this.
>>
>>
>>  What have you tried, and what problems have you run into?
>>
>>  It doesn't need to be a full trust.
>>
>>  Thanks
>>
>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>>
>>>  > Just wondering if there was anyone listening on the list that might
>>> be
>>> > available for little work integrating FreeIPA with Active Directory
>>> > (preferably in the south east US.) I hope this isn't against the list
>>> > rules, I just thought one of you guys could help or point me in the
>>> right
>>> > direction.
>>>
>>>  If you want some help, it is certainly not against list rules ;-) But
>>> in that
>>> case, it would be much better if you asked what exactly do you need.
>>>
>>> I'm not an AD expert, but a couple tips: If you are looking for
>>> cross-domain
>>> (cross-realm) trust, then you might be a bit disappointed, it is still in
>>> development, so it probably won't be 100% functional at this moment.
>>>
>>> If you are looking for something else, could you be a little more
>>> specific what
>>> it is?
>>>
>>> I also recommend starting with reading some doc:
>>> http://freeipa.org/page/DocumentationPortal
>>>
>>> Thanks
>>> Jan
>>>
>>
>>

Re: [Freeipa-users] consulting?

2012-01-19 Thread Rich Megginson

On 01/19/2012 02:59 PM, Jimmy wrote:
ok. I started from scratch this week on this and I think I've got the 
right doc and understand better where this is going. My problem now is 
that when configuring SSL on the AD server (step c in this url: 
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) 


I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module  0x80094801, 
The request does not contain a certificate template extension or the 
CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801 
(-2146875391 )
Certificate Request Processor: The request contains no certificate 
template information. 0x80094801 (-2146875391 )
Denied by Policy Module  0x80094801, The request does not contain a 
certificate template extension or the CertificateTemplate request 
attribute.


The RH doc says to use the browser if an error occurs and IIS is 
running but I'm not running IIS. I researched that error but didn't 
find anything that helps with FreeIPA and passsync.
Hmm - try installing Microsoft Certificate Authority in Enterprise Root 
CA mode - it will usually automatically create and install the AD server 
cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync


Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:


On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows 2008 AD
and FreeIPA.


That's what IPA Windows Sync is supposed to do.



I have followed many different documents and posted here about it
and from what I've read and procedures I've followed we are
unable to accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

> Just wondering if there was anyone listening on the list
that might be
> available for little work integrating FreeIPA with Active
Directory
> (preferably in the south east US.) I hope this isn't
against the list
> rules, I just thought one of you guys could help or point
me in the right
> direction.

If you want some help, it is certainly not against list rules
;-) But in that
case, it would be much better if you asked what exactly do
you need.

I'm not an AD expert, but a couple tips: If you are looking
for cross-domain
(cross-realm) trust, then you might be a bit disappointed, it
is still in
development, so it probably won't be 100% functional at this
moment.

If you are looking for something else, could you be a little
more specific what
it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan




Re: [Freeipa-users] consulting?

2012-01-19 Thread Jimmy
ok. I started from scratch this week on this and I think I've got the right
doc and understand better where this is going. My problem now is that when
configuring SSL on the AD server (step c in this url:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service
 )
I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
  ldap:
RequestId: 3
RequestId: "3"
Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
request does not contain a certificate template extension or the
CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801
(-2146875391)
Certificate Request Processor: The request contains no certificate template
information. 0x80094801 (-2146875391)
 Denied by Policy Module  0x80094801, The request does not contain a
certificate template extension or the CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and IIS is running
but I'm not running IIS. I researched that error but didn't find anything
that helps with FreeIPA and passsync.

Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

> On 01/11/2012 11:22 AM, Jimmy wrote:
>
> We need to be able to replicate user/pass between Windows 2008 AD and
> FreeIPA.
>
>
> That's what IPA Windows Sync is supposed to do.
>
>
> I have followed many different documents and posted here about it and from
> what I've read and procedures I've followed we are unable to accomplish
> this.
>
>
> What have you tried, and what problems have you run into?
>
> It doesn't need to be a full trust.
>
>  Thanks
>
> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>
>>  > Just wondering if there was anyone listening on the list that might be
>> > available for little work integrating FreeIPA with Active Directory
>> > (preferably in the south east US.) I hope this isn't against the list
>> > rules, I just thought one of you guys could help or point me in the
>> right
>> > direction.
>>
>>  If you want some help, it is certainly not against list rules ;-) But
>> in that
>> case, it would be much better if you asked what exactly do you need.
>>
>> I'm not an AD expert, but a couple tips: If you are looking for
>> cross-domain
>> (cross-realm) trust, then you might be a bit disappointed, it is still in
>> development, so it probably won't be 100% functional at this moment.
>>
>> If you are looking for something else, could you be a little more
>> specific what
>> it is?
>>
>> I also recommend starting with reading some doc:
>> http://freeipa.org/page/DocumentationPortal
>>
>> Thanks
>> Jan
>>
>
>

Re: [Freeipa-users] consulting?

2012-01-13 Thread Jimmy
Just popping up to let y'all know I haven't dropped this, just got tied up
working on OpenCA and PacketFence. I'll answer Rich's question by Monday
and hopefully get this thing going.

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson wrote:

> On 01/11/2012 11:22 AM, Jimmy wrote:
>
> We need to be able to replicate user/pass between Windows 2008 AD and
> FreeIPA.
>
>
> That's what IPA Windows Sync is supposed to do.
>
>
> I have followed many different documents and posted here about it and from
> what I've read and procedures I've followed we are unable to accomplish
> this.
>
>
> What have you tried, and what problems have you run into?
>
> It doesn't need to be a full trust.
>
>  Thanks
>
> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:
>
>>  > Just wondering if there was anyone listening on the list that might be
>> > available for little work integrating FreeIPA with Active Directory
>> > (preferably in the south east US.) I hope this isn't against the list
>> > rules, I just thought one of you guys could help or point me in the
>> right
>> > direction.
>>
>>  If you want some help, it is certainly not against list rules ;-) But
>> in that
>> case, it would be much better if you asked what exactly do you need.
>>
>> I'm not an AD expert, but a couple tips: If you are looking for
>> cross-domain
>> (cross-realm) trust, then you might be a bit disappointed, it is still in
>> development, so it probably won't be 100% functional at this moment.
>>
>> If you are looking for something else, could you be a little more
>> specific what
>> it is?
>>
>> I also recommend starting with reading some doc:
>> http://freeipa.org/page/DocumentationPortal
>>
>> Thanks
>> Jan
>>
>
>

Re: [Freeipa-users] consulting?

2012-01-11 Thread Rich Megginson

On 01/11/2012 11:22 AM, Jimmy wrote:
We need to be able to replicate user/pass between Windows 2008 AD and 
FreeIPA.


That's what IPA Windows Sync is supposed to do.

I have followed many different documents and posted here about it and 
from what I've read and procedures I've followed we are unable to 
accomplish this.


What have you tried, and what problems have you run into?


It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:


> Just wondering if there was anyone listening on the list that
might be
> available for little work integrating FreeIPA with Active Directory
> (preferably in the south east US.) I hope this isn't against
the list
> rules, I just thought one of you guys could help or point me in
the right
> direction.

If you want some help, it is certainly not against list rules ;-)
But in that
case, it would be much better if you asked what exactly do you need.

I'm not an AD expert, but a couple tips: If you are looking for
cross-domain
(cross-realm) trust, then you might be a bit disappointed, it is
still in
development, so it probably won't be 100% functional at this moment.

If you are looking for something else, could you be a little more
specific what
it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan




Re: [Freeipa-users] consulting?

2012-01-11 Thread Jimmy
We need to be able to replicate user/pass between Windows 2008 AD and
FreeIPA. I have followed many different documents and posted here about it
and from what I've read and procedures I've followed we are unable to
accomplish this. It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený wrote:

> > Just wondering if there was anyone listening on the list that might be
> > available for little work integrating FreeIPA with Active Directory
> > (preferably in the south east US.) I hope this isn't against the list
> > rules, I just thought one of you guys could help or point me in the right
> > direction.
>
> If you want some help, it is certainly not against list rules ;-) But in
> that case, it would be much better if you asked for what exactly you need.
>
> I'm not an AD expert, but a couple of tips: If you are looking for
> cross-domain (cross-realm) trust, then you might be a bit disappointed;
> it is still in development, so it probably won't be 100% functional at
> this moment.
>
> If you are looking for something else, could you be a little more
> specific about what it is?
>
> I also recommend starting with reading some doc:
> http://freeipa.org/page/DocumentationPortal
>
> Thanks
> Jan
>

Re: [Freeipa-users] consulting?

2012-01-10 Thread Jan Zelený
> Just wondering if there was anyone listening on the list that might be
> available for little work integrating FreeIPA with Active Directory
> (preferably in the south east US.) I hope this isn't against the list
> rules, I just thought one of you guys could help or point me in the right
> direction.

If you want some help, it is certainly not against list rules ;-) But in that
case, it would be much better if you asked for what exactly you need.

I'm not an AD expert, but a couple of tips: If you are looking for cross-domain
(cross-realm) trust, then you might be a bit disappointed; it is still in
development, so it probably won't be 100% functional at this moment.

If you are looking for something else, could you be a little more specific
about what it is?

I also recommend starting with reading some doc:
http://freeipa.org/page/DocumentationPortal

Thanks
Jan



[Freeipa-users] consulting?

2012-01-09 Thread Jimmy
Just wondering if there was anyone listening on the list that might be
available for little work integrating FreeIPA with Active Directory
(preferably in the south east US.) I hope this isn't against the list
rules, I just thought one of you guys could help or point me in the right
direction.

Thanks.