https://bugzilla.redhat.com/show_bug.cgi?id=744306
Description of problem:
Setting up Windows synchronization with ipa-server is unsuccessful. Here are my steps ::

1) Make sure IPA server and ADS server are resolvable via DNS.

ACTIVE DIRECTORY

2) Transfer IPA CA Cert to your ADS server.

3) Install passsync on ADS
   > hostname : ipaserver.jgalipea.redhat.com
     port : 636
     binddn : ??? used cn=Directory Manager (no instructions to set up different sync user and ipa-manage-cli does not ask you to specify one)
     password : DM's password
     Security Device Password : password to use when you create the passsync's certdbs (chicken before the egg as always)
     user search : cn=users,cn=accounts,dc=jgalipea

4) Make IPA CA trusted
   C:\Program Files\Red Hat Directory Password Synchronization
   certutil -d . -N   (supply password you defined when installing passsync for the Security Device Password)
   certutil -d . -A -n "IPA CA" -t CT,, -a -i c:\path\to\ipaca.crt
   TO NOTE : change passsync log level to 1

5) Restart your ADS machine
   passsync log :
   10/07/11 12:07:29: PassSync service initialized
   10/07/11 12:07:29: PassSync service running
   10/07/11 12:07:29: No entries yet
   10/07/11 12:07:29: Password list is empty. Waiting for passhook event

IPA SERVER

6) Transfer ADS CA Cert to your IPA Server
   Verify you can connect via TLS to ADS server
   # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-JGALIPEA ldapsearch -x -ZZ -h jgalipea-win2008r2.ipa.qe -D "cn=Administrator,cn=users,dc=ipa,dc=qe" -w MySecret -b "cn=administrator,cn=users,dc=ipa,dc=qe"

7) NEW STEP : Do Not think this should be required - but was told by development to do this
   Copy AD certificate to /etc/openldap/cacerts/
   Run cacertdir_rehash /etc/openldap/cacerts/
   Modify /etc/openldap/ldap.conf, add:
   TLS_CACERTDIR /etc/openldap/cacerts/
   TLS_REQCERT allow

8) Add winsync agreement ..
   # ipa-replica-manage connect --passsync --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret --cacert /tmp/WIN-CA.cer jgalipea-win2008r2.ipa.qe -v -p Secret123

RESULT ::
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1. See description

Actual results:
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Expected results:
Sync Agreement to be set up and successfully sync users and passwords from AD

Additional info:
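An added pre-flight script for the setup in the report above (example code, not from the ticket or from FreeIPA): it flags the "TLS_REQCERT allow" from step 7 as a setting that switches off AD certificate verification, and re-runs the step 6 connectivity test with verification forced on. The hostname, bind DN and CA directory in the usage comment are the ticket's own values and are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the ticket or from FreeIPA: pre-flight checks for
# the winsync setup described above. Host, DN and path values are assumed
# placeholders taken from the ticket's own steps.

# Step 7 adds "TLS_REQCERT allow" to /etc/openldap/ldap.conf. OpenLDAP
# defaults to "demand" when the option is unset; "allow", "try" and "never"
# let ldapsearch succeed against an AD certificate it could not verify, so
# the step 6 test no longer proves the AD CA is actually trusted.
# Returns 0 when verification is enforced, 1 when weakened, 2 on error.
check_ldap_conf_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # the last uncommented TLS_REQCERT line wins; compare case-insensitively
    reqcert=$(grep -i '^[[:space:]]*TLS_REQCERT' "$conf" | tail -n 1 \
              | awk '{print tolower($2)}')
    case "${reqcert:-demand}" in
        demand|hard)
            echo "ok: TLS_REQCERT=${reqcert:-demand (default)} in $conf"
            return 0 ;;
        allow|try|never)
            echo "weak: TLS_REQCERT=$reqcert in $conf skips AD certificate verification"
            return 1 ;;
        *)
            echo "unrecognised TLS_REQCERT value '$reqcert' in $conf"
            return 2 ;;
    esac
}

# Step 6 repeated with verification forced on through the LDAPTLS_*
# environment overrides, independent of whatever ldap.conf says. A base
# scope search of the bind DN requesting no attributes (1.1) is enough to
# exercise StartTLS plus the bind; ldapsearch prompts for the password.
verify_ad_tls() {
    adhost="$1"; binddn="$2"; cacertdir="$3"
    LDAPTLS_CACERTDIR="$cacertdir" LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "ldap://$adhost" -D "$binddn" -W \
                   -b "$binddn" -s base 1.1 >/dev/null
}

# Usage, with the ticket's values as placeholders; both checks should pass
# before running ipa-replica-manage connect:
#   check_ldap_conf_tls /etc/openldap/ldap.conf && \
#   verify_ad_tls jgalipea-win2008r2.ipa.qe \
#       "cn=Administrator,cn=users,dc=ipa,dc=qe" /etc/openldap/cacerts
```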
It is working for me with:
Directory Manager password:
Added CA certificate /home/rcrit/AD.cer to certificate database for rawhide.greyoak.com
INFO:root:AD Suffix is: DC=greyoak,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'rawhide.greyoak.com' to 'win2003.greyoak.com'
I added a user in AD and verified that it eventually made its way to IPA.
A user in #freep was having a problem as well. He would get a looping "Update in progress".
Turned out the problem was he lacked the ds-replication plugin. He was on RHEL 6.1.
It isn't clear why IPA didn't detect this but upgrading to 6.2beta fixed it for him.
attachment freeipa-rcrit-894-winsync.patch
The root cause of most of the problems was inadequate documentation. Added a section on winsync to the ipa-replica-manage man page.
master: eaec3c4
ipa-2-1: 2427d3b
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)