Re: [Freeipa-users] consulting?
Found the reason for the ldap search not working: when I created the AD certificate role, I accidentally entered a new sub-domain, so instead of the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to work.

ldif output: http://fpaste.org/xbOC/
debug: http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name. I will be traveling for work for the next couple days but should still be working on this issue some. I'll take VMs of the servers on my laptop to be able to keep working.

-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 01/19/2012 02:59 PM, Jimmy wrote:
>> ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:
>>
>>   certreq -submit request.req certnew.cer
>>   Active Directory Enrollment Policy
>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>   ldap:
>>   RequestId: 3
>>   RequestId: 3
>>   Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>   The request contains no certificate template information. 0x80094801 (-2146875391)
>>   Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
>>   Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>
>> The RH doc says to use the browser if an error occurs and IIS is running, but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert. http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
>> Jimmy
>>
>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:
>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>> We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.
>>>
>>> That's what IPA Windows Sync is supposed to do.
>>>
>>>> I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.
>>>
>>> What have you tried, and what problems have you run into?
>>>
>>>> It doesn't need to be a full trust.
>>>>
>>>> Thanks
>>>>
>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený jzel...@redhat.com wrote:
>>>>>> Just wondering if there was anyone listening on the list that might be available for little work integrating FreeIPA with Active Directory (preferably in the south east US.) I hope this isn't against the list rules, I just thought one of you guys could help or point me in the right direction.
>>>>>
>>>>> If you want some help, it is certainly not against list rules ;-) But in that case, it would be much better if you asked what exactly do you need. I'm not an AD expert, but a couple tips: If you are looking for cross-domain (cross-realm) trust, then you might be a bit disappointed, it is still in development, so it probably won't be 100% functional at this moment. If you are looking for something else, could you be a little more specific what it is?
>>>>>
>>>>> I also recommend starting with reading some doc: http://freeipa.org/page/DocumentationPortal
>>>>>
>>>>> Thanks
>>>>> Jan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] consulting?
On 01/25/2012 12:07 PM, Jimmy wrote:
> Found the reason for the ldap search not working: when I created the AD certificate role, I accidentally entered a new sub-domain, so instead of the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to work.
>
> ldif output: http://fpaste.org/xbOC/
> debug: http://fpaste.org/6g8q/
>
> I guess I need to redo the sync agreement to fix the server DNS name.

Yep. When using TLS/SSL you have to pay close attention to hostnames.

> I will be traveling for work for the next couple days but should still be working on this issue some. I'll take VMs of the servers on my laptop to be able to keep working.
>
> -Jimmy
Re: [Freeipa-users] consulting?
Here's what I found in the DS admin guide. Is this all that's needed to create the sync agreement? Thanks.

add sync agreement:

  ldapmodify -x -D "cn=Directory Manager" -W
  Enter LDAP Password: ***
  dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
  changetype: add
  objectclass: top
  objectclass: nsDSWindowsReplicationAgreement
  cn: ExampleSyncAgreement
  nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
  nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
  nsds7NewWinUserSyncEnabled: on
  nsds7NewWinGroupSyncEnabled: on
  nsds7WindowsDomain: ad1
  nsDS5ReplicaRoot: dc=example,dc=com
  nsDS5ReplicaHost: ad1.windows-server.com
  nsDS5ReplicaPort: 389
  nsDS5ReplicaBindDN: cn=sync user,cn=config
  nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
  nsDS5ReplicaTransportInfo: TLS
  winSyncInterval: 1200

On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 01/20/2012 01:08 PM, Jimmy wrote:
>> That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid) - is it not possible to also sync (add) the users from AD to DS?
>
> Yes, it is. Just configure IPA Windows Sync
>
>> I created a new user in AD and it doesn't propagate to DS, just says:
>>
>>   attempting to sync password for testuser3
>>   searching for (ntuserdomainid=testuser3)
>>   There are no entries that match: testuser3
>>   deferring password change for testuser3
>>
>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson rmegg...@redhat.com wrote:
>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>> Getting close here... Now I see this message in the sync log file:
>>>>
>>>>   attempting to sync password for testuser
>>>>   searching for (ntuserdomainid=testuser)
>>>>   ldap error in queryusername 32: no such object
>>>>   deferring password change for testuser
>>>
>>> This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria.
Re: [Freeipa-users] consulting?
On 01/23/2012 10:19 AM, Jimmy wrote:
> Here's what I found in the DS admin guide. Is this all that's needed to create the sync agreement?

Not with ipa - you should use the ipa-replica-manage command instead

> Thanks.
>
> add sync agreement:
>
>   ldapmodify -x -D "cn=Directory Manager" -W
>   Enter LDAP Password: ***
>   dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config

it should be cn=replica, not cn=sync replica - does it use the latter in the Admin Guide?

>   changetype: add
>   objectclass: top
>   objectclass: nsDSWindowsReplicationAgreement
>   cn: ExampleSyncAgreement
>   nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>   nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>   nsds7NewWinUserSyncEnabled: on
>   nsds7NewWinGroupSyncEnabled: on
>   nsds7WindowsDomain: ad1
>   nsDS5ReplicaRoot: dc=example,dc=com
>   nsDS5ReplicaHost: ad1.windows-server.com
>   nsDS5ReplicaPort: 389
>   nsDS5ReplicaBindDN: cn=sync user,cn=config
>   nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>   nsDS5ReplicaTransportInfo: TLS
>   winSyncInterval: 1200
Re: [Freeipa-users] consulting?
That's what I was thinking, and what I did, but it still doesn't replicate new users. This is the command I used:

  ipa-replica-manage connect --passsync --binddn cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw= --cacert /home/winsync/AD-server-cert.cer 192.168.201.150 -v

On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 01/23/2012 10:19 AM, Jimmy wrote:
>> Here's what I found in the DS admin guide. Is this all that's needed to create the sync agreement?
>
> Not with ipa - you should use the ipa-replica-manage command instead
>
>> Thanks.
>>
>> add sync agreement:
>>
>>   ldapmodify -x -D "cn=Directory Manager" -W
>>   Enter LDAP Password: ***
>>   dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>
> it should be cn=replica, not cn=sync replica - does it use the latter in the Admin Guide?
Re: [Freeipa-users] consulting?
I did create the winsync user and it is an admin. I will fix the ip address (change to hostname); I only did it that way because this is currently a test system so I can figure out how to get it all working.

On Mon, Jan 23, 2012 at 1:06 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 01/23/2012 10:52 AM, Jimmy wrote:
>> That's what I was thinking, and what I did, but it still doesn't replicate new users. This is the command I used:
>>
>>   ipa-replica-manage connect --passsync --binddn cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw= --cacert /home/winsync/AD-server-cert.cer 192.168.201.150 -v
>
> Did you create the user cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp? And does this user have the rights to perform sync? (e.g. has to have replicator rights, or be some sort of admin) - see http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx - the AD user must have replication rights and write rights.
>
> In addition, since this process uses SSL, you cannot use an IP address, you must use a hostname, or the SSL cert hostname checking (for MITM) will fail.
Re: [Freeipa-users] consulting?
You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer. I can establish an openssl connection from DS to AD but I get these errors:

  openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
  CONNECTED(0003)
  depth=0 CN = csp-ad.cspad.pdh.csp
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 CN = csp-ad.cspad.pdh.csp
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 CN = csp-ad.cspad.pdh.csp
  verify error:num=21:unable to verify the first certificate
  verify return:1

I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.

-J

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 01/19/2012 02:59 PM, Jimmy wrote:
>> ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:
>>
>>   certreq -submit request.req certnew.cer
>>   Active Directory Enrollment Policy
>>   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>   ldap:
>>   RequestId: 3
>>   RequestId: 3
>>   Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>   The request contains no certificate template information. 0x80094801 (-2146875391)
>>   Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
>>   Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>>
>> The RH doc says to use the browser if an error occurs and IIS is running, but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert. http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Re: [Freeipa-users] consulting?
Getting close here... Now I see this message in the sync log file:

    attempting to sync password for testuser
    searching for (ntuserdomainid=testuser)
    ldap error in queryusername 32: no such object
    deferring password change for testuser

On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/20/2012 10:23 AM, Jimmy wrote:
>> You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer. I can establish an openssl connection from DS to AD but I get these errors:
>>
>>     openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile dsca.crt
>>     CONNECTED(0003)
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=20:unable to get local issuer certificate
>>     verify return:1
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=27:certificate not trusted
>>     verify return:1
>>     depth=0 CN = csp-ad.cspad.pdh.csp
>>     verify error:num=21:unable to verify the first certificate
>>     verify return:1
>>
>> I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.
>
> Is dsca.crt the CA that issued the DS server cert? If so, that won't work. You need the CA cert from the CA that issued the AD server cert (i.e. the CA cert from the MS Enterprise Root CA).
>
>> -J
Re: [Freeipa-users] consulting?
On 01/20/2012 12:46 PM, Jimmy wrote:
> Getting close here... Now I see this message in the sync log file:
>
>     attempting to sync password for testuser
>     searching for (ntuserdomainid=testuser)
>     ldap error in queryusername 32: no such object
>     deferring password change for testuser

This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria.
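The two verification failures behind this exchange (the s_client errors 20/21/27 when dsca.crt is passed as -CAfile, and the FQDN mix-up between csp-ad.cspad.pdh.csp and csp-ad.pdh.csp) can be reproduced offline. The script below is an added example, not code from the thread, from FreeIPA or from 389 DS: it builds two throwaway CAs standing in for the MS Enterprise Root CA and for the CA that issued the DS certificate, issues the AD server certificate from the first one only, and then shows that openssl verify passes only when -CAfile is the AD CA and the name being checked is the one the certificate actually carries. The CA names (pdh-CSP-AD-CA, DS-CA), the file names and the use of a SAN are assumptions made for the demo; it needs the openssl command line (1.1.0 or later for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce, with throwaway CAs, the two
# reasons the AD LDAPS certificate fails to verify from the DS side.
#   1. wrong trust anchor: -CAfile names the CA that issued the DS cert
#      (dsca.crt) instead of the MS Enterprise Root CA that issued the AD cert
#   2. wrong name: the AD cert carries csp-ad.cspad.pdh.csp while the sync
#      agreement connects to csp-ad.pdh.csp
# CA names and file names below are assumptions chosen for the demo.

# make_demo_pki DIR: two unrelated self-signed CAs plus one AD server cert
# issued only by the "Enterprise Root CA" stand-in.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=pdh-CSP-AD-CA" \
        -keyout "$dir/adca.key" -out "$dir/adca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=DS-CA" \
        -keyout "$dir/dsca.key" -out "$dir/dsca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=csp-ad.cspad.pdh.csp" \
        -keyout "$dir/ad.key" -out "$dir/ad.csr" >/dev/null 2>&1
    # the SAN carries the same mistaken FQDN that ended up in the real cert
    printf 'subjectAltName=DNS:csp-ad.cspad.pdh.csp\n' > "$dir/san.cnf"
    openssl x509 -req -in "$dir/ad.csr" -CA "$dir/adca.crt" -CAkey "$dir/adca.key" \
        -CAcreateserial -days 30 -extfile "$dir/san.cnf" -out "$dir/ad.crt" >/dev/null 2>&1
}

# chain_ok CAFILE CERT: 0 if CERT chains to CAFILE (what -CAfile has to satisfy)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok CAFILE CERT FQDN: 0 only if the chain is trusted AND the cert is
# valid for FQDN, i.e. the name the sync agreement will actually connect to
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# issuer_dn CERT: print the issuer DN, to compare with the subject of whatever
# file is being passed as -CAfile
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Stand-alone demo run
d=$(mktemp -d)
make_demo_pki "$d"
echo "AD cert issuer: $(issuer_dn "$d/ad.crt")"
chain_ok "$d/dsca.crt" "$d/ad.crt" && echo "dsca.crt: trusted" || echo "dsca.crt: NOT trusted (the error 20/21 case)"
chain_ok "$d/adca.crt" "$d/ad.crt" && echo "adca.crt: trusted" || echo "adca.crt: NOT trusted"
host_ok "$d/adca.crt" "$d/ad.crt" csp-ad.pdh.csp && echo "csp-ad.pdh.csp: name ok" || echo "csp-ad.pdh.csp: name MISMATCH"
host_ok "$d/adca.crt" "$d/ad.crt" csp-ad.cspad.pdh.csp && echo "csp-ad.cspad.pdh.csp: name ok" || echo "csp-ad.cspad.pdh.csp: name MISMATCH"
rm -rf "$d"
```

The CA file that makes chain_ok succeed is the one to hand to the sync agreement (the --cacert argument of ipa-replica-manage connect --winsync), and issuer_dn run over the certificate that openssl s_client -connect host:636 -showcerts prints tells you which CA that is before you go looking for its certificate.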
Re: [Freeipa-users] consulting?
That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid)-- is it not possible to also sync (add) the users from AD to DS? I created a new user in AD and it doesn't propagate to DS, just says:

    attempting to sync password for testuser3
    searching for (ntuserdomainid=testuser3)
    There are no entries that match: testuser3
    deferring password change for testuser3

On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/20/2012 12:46 PM, Jimmy wrote:
>> Getting close here... Now I see this message in the sync log file:
>>
>>     attempting to sync password for testuser
>>     searching for (ntuserdomainid=testuser)
>>     ldap error in queryusername 32: no such object
>>     deferring password change for testuser
>
> This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria.
Re: [Freeipa-users] consulting?
On 01/20/2012 01:08 PM, Jimmy wrote:
> That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid)-- is it not possible to also sync (add) the users from AD to DS?

Yes, it is. Just configure IPA Windows Sync.

> I created a new user in AD and it doesn't propagate to DS, just says:
>
>     attempting to sync password for testuser3
>     searching for (ntuserdomainid=testuser3)
>     There are no entries that match: testuser3
>     deferring password change for testuser3
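Rich's pointer to the 389 access log covers both PassSync log messages seen in this exchange. The script below is an added example, not part of the thread, of PassSync or of 389 DS: it pairs each search PassSync issued for a user (filter (ntuserdomainid=USER)) with the RESULT line of the same conn/op and reads off the difference between err=32 (the base DN configured in PassSync does not exist, the "no such object" case) and err=0 with nentries=0 (the base is fine but no DS entry carries that ntuserdomainid yet, the "There are no entries that match" case, which a winsync agreement resolves by creating the entry). The access-log lines are constructed for the demo; the bind DN, the base DNs under dc=pdh,dc=csp and the timestamps are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read a 389 Directory Server access log,
# find the search PassSync ran for a given user, pair it with the RESULT line
# of the same conn/op and say which failure mode applies.
#   err=32 nentries=0 -> the search base itself does not exist
#                        ("ldap error in queryusername 32: no such object")
#   err=0  nentries=0 -> base is fine, but no entry has ntuserdomainid=USER
#                        ("There are no entries that match: USER")
# The log lines below are constructed for the demo; the DNs under
# dc=pdh,dc=csp are assumptions, not taken from the thread.

SAMPLE_ACCESS_LOG='[20/Jan/2012:12:40:01 -0700] conn=12 op=2 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=pdh,dc=csp" method=128 version=3
[20/Jan/2012:12:40:01 -0700] conn=12 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jan/2012:12:40:01 -0700] conn=12 op=3 SRCH base="ou=people,dc=pdh,dc=csp" scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL
[20/Jan/2012:12:40:01 -0700] conn=12 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[20/Jan/2012:13:05:17 -0700] conn=14 op=3 SRCH base="cn=users,cn=accounts,dc=pdh,dc=csp" scope=2 filter="(ntuserdomainid=testuser3)" attrs=ALL
[20/Jan/2012:13:05:17 -0700] conn=14 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[20/Jan/2012:13:09:44 -0700] conn=15 op=3 SRCH base="cn=users,cn=accounts,dc=pdh,dc=csp" scope=2 filter="(ntuserdomainid=testuser)" attrs=ALL
[20/Jan/2012:13:09:44 -0700] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0'

# diagnose_passsync_search LOGFILE USER
# Prints one line per matching search:
#   "conn=N op=M: base=... err=E nentries=K -> verdict"
diagnose_passsync_search() {
    awk -v user="$2" '
        # remember the base of every SRCH whose filter is the PassSync lookup for USER
        /SRCH / && index($0, "filter=\"(ntuserdomainid=" user ")\"") {
            key = $3 " " $4                      # "conn=N op=M"
            match($0, /base="[^"]*"/)
            base[key] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        # the RESULT with the same conn/op says how that search ended
        /RESULT / {
            key = $3 " " $4
            if (!(key in base)) next
            match($0, /err=[0-9]+/);      err = substr($0, RSTART + 4, RLENGTH - 4)
            match($0, /nentries=[0-9]+/); n   = substr($0, RSTART + 9, RLENGTH - 9)
            if (err == 32)               verdict = "search base does not exist: fix the PassSync search base"
            else if (err == 0 && n == 0) verdict = "base exists but no DS entry has ntuserdomainid=" user ": let winsync create the user first"
            else if (err == 0)           verdict = "matched " n " entry(ies)"
            else                         verdict = "LDAP error " err
            printf "%s: base=%s err=%s nentries=%s -> %s\n", key, base[key], err, n, verdict
            delete base[key]
        }' "$1"
}

# Stand-alone demo run
log=$(mktemp)
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$log"
diagnose_passsync_search "$log" testuser
diagnose_passsync_search "$log" testuser3
rm -f "$log"
```

On a real server, point it at the instance's access log (normally /var/log/dirsrv/slapd-INSTANCE/access) with the AD account name PassSync logged as the second argument.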
Re: [Freeipa-users] consulting?
ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:

    certreq -submit request.req certnew.cer
    Active Directory Enrollment Policy
      {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
      ldap:
    RequestId: 3
    RequestId: 3
    Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. The request contains no certificate template information. 0x80094801 (-2146875391)
    Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
    Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.

Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/11/2012 11:22 AM, Jimmy wrote:
>> We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.
>
> That's what IPA Windows Sync is supposed to do.
>
>> I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.
>
> What have you tried, and what problems have you run into?
>
>> It doesn't need to be a full trust.
>>
>> Thanks
Re: [Freeipa-users] consulting?
On 01/19/2012 02:59 PM, Jimmy wrote:
> ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:
>
>     certreq -submit request.req certnew.cer
>     Active Directory Enrollment Policy
>       {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>       ldap:
>     RequestId: 3
>     RequestId: 3
>     Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. The request contains no certificate template information. 0x80094801 (-2146875391)
>     Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
>     Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>
> The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert.

http://directory.fedoraproject.org/wiki/Howto:WindowsSync

> Jimmy
Re: [Freeipa-users] consulting?
Just popping up to let y'all know I haven't dropped this, just got tied up working on OpenCA and PacketFence. I'll answer Rich's question by Monday and hopefully get this thing going.

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/11/2012 11:22 AM, Jimmy wrote:
>> We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.
>
> That's what IPA Windows Sync is supposed to do.
>
>> I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.
>
> What have you tried, and what problems have you run into?
>
>> It doesn't need to be a full trust.
>>
>> Thanks
Re: [Freeipa-users] consulting?
We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA. I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this. It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený jzel...@redhat.com wrote:

>> Just wondering if there was anyone listening on the list that might be available for little work integrating FreeIPA with Active Directory (preferably in the south east US.) I hope this isn't against the list rules, I just thought one of you guys could help or point me in the right direction.
>
> If you want some help, it is certainly not against list rules ;-) But in that case, it would be much better if you asked what exactly do you need. I'm not an AD expert, but a couple tips:
>
> If you are looking for cross-domain (cross-realm) trust, then you might be a bit disappointed, it is still in development, so it probably won't be 100% functional at this moment. If you are looking for something else, could you be a little more specific what it is?
>
> I also recommend starting with reading some doc: http://freeipa.org/page/DocumentationPortal
>
> Thanks
> Jan
Re: [Freeipa-users] consulting?
On 01/11/2012 11:22 AM, Jimmy wrote:
> We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.

That's what IPA Windows Sync is supposed to do.

> I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.

What have you tried, and what problems have you run into?

> It doesn't need to be a full trust.
>
> Thanks

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users