Re: [Freeipa-users] solved: here are some additional passsync notes
Thanks for the feedback! ldp.exe does support ssl. The comment about 636 being the non-ssl port was cruft from a previous version where I was trying to keep things simple. On Fri, Dec 28, 2012 at 3:40 PM, Rich Megginson wrote: > On 12/24/2012 09:13 AM, Nate Marks wrote: > > I'd love some feedback on these. They seemed to work for me.Thanks! > > > Introduction > This guide starts at the point where your freeipa server is correctly > replicating accounts from a windows active directory server. The following > steps are intended to help you roll out the passync software to all of your > domain controllers. Detailed descriptions of how the software works are > available from people far more competent than myself. I’m just covering > some installation tips. One thing that really screwed me up is that there > are great passsync docs for 389 directory server and great passsync docs > for freeipa server. They are similar. They are NOT interchangeable. When > using freeipa server stick with freeipa docs . I know this seems obvious, > but when passsync doesn’t work the first time, my instinct is to cast about > on google for things that seem to be related. When you find the 389 server > docs under those circumstances and try to apply them to freeipa, you find > a rathole. > > > Fixed - see below. > > > > Getting started: > > It’s theoretically possible to get the passsync to work on the first > attempt. I’ve just never done it. In order for that to work, you have to > have exactly the right values ready to go when you run the passsync > installer. The installer has input fields for the following items: > > verifying the hostname, username password and search base values > hostname: > port: 636 > username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc= > password: > cert token : tried it with and without the > /etc/dirsrv/slapd-instance/pwdfile.txt contents > > > Right - not needed > > > serach base=cn=users,cn=accounts,dc=inframax,dc=ncare > > The best tool I found in windows for checking the passsync installation > settings is ldp. > First I’ll talk about verifying the easy stuff (hostname, username, > password, search base). run notepad on the windows server and put in the > values you’re going to use before running the passsync installer. Then run > ldp.exe and use the values from notepad and the steps below to verify the > hostname, username, password and search base. > > ldp.exe > connection > connect > enter the freeipa server hostname in the server field > enter port 636 (non-ssl port) in the port field > > > 636 is the SSL port > Does ldp have an option for StartTLS? > > > check the SSL box > click OK > > > connection > bind > select the 'simple bind' radio button > enter the DN for the passsync account on the freeipa server in the > userfield. this is > "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default > enter the password for the passsync account in the password field > click ok > > select view > tree and make sure you can browse the tree in the ipa > server. browse to the subtree that you're going to use for search base and > make sure you > see your replicated accounts in that container. > if you can, then the values you used for the hostname, username, password > and search base are all correct. It also means that the ca.crt file you > imported for ldap account syunchronization is working correctly. > > NOTE: I left cert token empty. it seems to be used for encrypting the > certificate db in c:\program files\389 directory password synchronization. > That can be done after you get password synchronization working. > > Right - it is not needed > > > Installing Passsync: > Now we’ve done a bunch of work to check our values, but we haven’t > accomplished anything. So go ahead and run the passsync msi installer and > enter your values into the appropriate fields. > > The installer will create files, directories and registry stuff, but we’re > not nearly done. > > Step 5 in the link below seems to have the correct steps. Be sure to > import the same certificate that you imported in the account > synchronization process. I got mine with wget > http:///ipa/config/ca.crt. > > > > https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html > > > > One mroe thing before rebooting, use regedit to change the value of > HKLM->Software->PasswordSync “Log Level” from 0 to 1. If everything works > and you don’t need it, great! > > If the stars line up, you’ve put good values into the passsync installer, > imported the freeipa servers certificate into the cert DB that passsync > uses and the installer registered a new dll to capture password change > events. You need to reboot the server to get the dll registration to take > effect. > After it restarts, change the password on an account that’s being > replicated to free ipa. use notepad to open the file c:\program files\389 > directory password synchronization\ passsync.txt > if the passhook.dll
Re: [Freeipa-users] solved: here are some additional passsync notes
On 12/24/2012 09:13 AM, Nate Marks wrote: I'd love some feedback on these. They seemed to work for me.Thanks! Introduction This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I'm just covering some installation tips. One thing that really screwed me up is that there are great passsync docs for 389 directory server and great passsync docs for freeipa server. They are similar. They are NOT interchangeable. When using freeipa server stick with freeipa docs . I know this seems obvious, but when passsync doesn't work the first time, my instinct is to cast about on google for things that seem to be related. When you find the 389 server docs under those circumstances and try to apply them to freeipa, you find a rathole. Fixed - see below. Getting started: It's theoretically possible to get the passsync to work on the first attempt. I've just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer. The installer has input fields for the following items: verifying the hostname, username password and search base values hostname: port: 636 username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc= password: cert token : tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents Right - not needed serach base=cn=users,cn=accounts,dc=inframax,dc=ncare The best tool I found in windows for checking the passsync installation settings is ldp. First I'll talk about verifying the easy stuff (hostname, username, password, search base). run notepad on the windows server and put in the values you're going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base. ldp.exe connection > connect enter the freeipa server hostname in the server field enter port 636 (non-ssl port) in the port field 636 is the SSL port Does ldp have an option for StartTLS? check the SSL box click OK connection > bind select the 'simple bind' radio button enter the DN for the passsync account on the freeipa server in the userfield. this is "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default enter the password for the passsync account in the password field click ok select view > tree and make sure you can browse the tree in the ipa server. browse to the subtree that you're going to use for search base and make sure you see your replicated accounts in that container. if you can, then the values you used for the hostname, username, password and search base are all correct. It also means that the ca.crt file you imported for ldap account syunchronization is working correctly. NOTE: I left cert token empty. it seems to be used for encrypting the certificate db in c:\program files\389 directory password synchronization. That can be done after you get password synchronization working. Right - it is not needed Installing Passsync: Now we've done a bunch of work to check our values, but we haven't accomplished anything. So go ahead and run the passsync msi installer and enter your values into the appropriate fields. The installer will create files, directories and registry stuff, but we're not nearly done. Step 5 in the link below seems to have the correct steps. Be sure to import the same certificate that you imported in the account synchronization process. I got mine with wget http:///ipa/config/ca.crt. https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html One mroe thing before rebooting, use regedit to change the value of HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works and you don't need it, great! If the stars line up, you've put good values into the passsync installer, imported the freeipa servers certificate into the cert DB that passsync uses and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect. After it restarts, change the password on an account that's being replicated to free ipa. use notepad to open the file c:\program files\389 directory password synchronization\ passsync.txt if the passhook.dll is working correctly, you'll see an entry like: '1 new entries loaded from data file' If ssl is working correctly, you'll be able to log into the freeipa server with the test account and newly changed password. Ifit doesn't work, verify your cert and your values with ldp.exe. I just don't have anything better that that yet. This takes me to the point where I'd love more tools t
[Freeipa-users] solved: here are some additional passsync notes
I'd love some feedback on these. They seemed to work for me.Thanks! Introduction This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I’m just covering some installation tips. One thing that really screwed me up is that there are great passsync docs for 389 directory server and great passsync docs for freeipa server. They are similar. They are NOT interchangeable. When using freeipa server stick with freeipa docs . I know this seems obvious, but when passsync doesn’t work the first time, my instinct is to cast about on google for things that seem to be related. When you find the 389 server docs under those circumstances and try to apply them to freeipa, you find a rathole. Getting started: It’s theoretically possible to get the passsync to work on the first attempt. I’ve just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer. The installer has input fields for the following items: verifying the hostname, username password and search base values hostname: port: 636 username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc= password: cert token : tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents serach base=cn=users,cn=accounts,dc=inframax,dc=ncare The best tool I found in windows for checking the passsync installation settings is ldp. First I’ll talk about verifying the easy stuff (hostname, username, password, search base). run notepad on the windows server and put in the values you’re going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base. ldp.exe connection > connect enter the freeipa server hostname in the server field enter port 636 (non-ssl port) in the port field check the SSL box click OK connection > bind select the 'simple bind' radio button enter the DN for the passsync account on the freeipa server in the userfield. this is "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default enter the password for the passsync account in the password field click ok select view > tree and make sure you can browse the tree in the ipa server. browse to the subtree that you're going to use for search base and make sure you see your replicated accounts in that container. if you can, then the values you used for the hostname, username, password and search base are all correct. It also means that the ca.crt file you imported for ldap account syunchronization is working correctly. NOTE: I left cert token empty. it seems to be used for encrypting the certificate db in c:\program files\389 directory password synchronization. That can be done after you get password synchronization working. Installing Passsync: Now we’ve done a bunch of work to check our values, but we haven’t accomplished anything. So go ahead and run the passsync msi installer and enter your values into the appropriate fields. The installer will create files, directories and registry stuff, but we’re not nearly done. Step 5 in the link below seems to have the correct steps. Be sure to import the same certificate that you imported in the account synchronization process. I got mine with wget http:///ipa/config/ca.crt. https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html One mroe thing before rebooting, use regedit to change the value of HKLM->Software->PasswordSync “Log Level” from 0 to 1. If everything works and you don’t need it, great! If the stars line up, you’ve put good values into the passsync installer, imported the freeipa servers certificate into the cert DB that passsync uses and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect. After it restarts, change the password on an account that’s being replicated to free ipa. use notepad to open the file c:\program files\389 directory password synchronization\ passsync.txt if the passhook.dll is working correctly, you’ll see an entry like: ‘1 new entries loaded from data file’ If ssl is working correctly, you’ll be able to log into the freeipa server with the test account and newly changed password. Ifit doesn’t work, verify your cert and your values with ldp.exe. I just don’t have anything better that that yet. This takes me to the point where I’d love more tools to troubleshoot the problem. Other things I’ve tried: 1) UAC. I disable it, but I’d love some feedback on whether or not that’s required on win 2k8R2. 2) some of my DCs have certificate services installed and some don’t. I don’t think any
