Jeff Moody wrote:
Following the instructions on
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
I am running into an error generating the certificate for the DC. The specific
error I am getting is:
Denied by Policy Module 0x80094801, The request does not contain a certificate
template extension or the CertificateTemplate request attribute.
I apologize that I am so ignorant on SSL, but what type of certificate template
should I put on the request? Domain Controller? Root CA?
Thanks a ton for the help on this.
Your Active Directory may already be SSL secured. But if not, I suspect
it is Domain Controller. Where is the Microsoft Certificate Authority
installed? On the same machine as the Domain Controller? If the
Certificate Authority is installed on the same machine and was installed
before installing the domain controller, it automatically issues
machine certificates for all machines added to the domain. Then you
would just need to export the Root CA certificate and add it to the
Directory Server as a trusted Root CA.
Jenny
----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
[email protected]
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Jeff Moody
Sent: Monday, July 27, 2009 10:49 AM
To: Jenny Galipeau; Rob Crittenden
Cc: [email protected]
Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
I've been communicating some with Rob off-list and have rebooted the Windows
server after installing the Passsync software, but not after installing the
certificate for the IPA server in the passsync directory.
-----Original Message-----
From: Jenny Galipeau [mailto:[email protected]]
Sent: Monday, July 27, 2009 10:41 AM
To: Rob Crittenden
Cc: Jeff Moody; [email protected]
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Rob Crittenden wrote:
Jeff Moody wrote:
I'm trying to set up password/identity sync to the FreeIPA server
from a Windows 2003R2 SP2 server to a Fedora 10 VM.
I have installed the FreeIPA software and can load its configuration
page on the IPA server - so the service appears to be running.
I have our Windows DC running the Windows 2003 Enterprise Certificate
Authority service and have exported its root certificate and SCP'ed
that to the IPA server.
Following the instructions from TFM, I run the following command:
[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn
CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw
WindowsAccountPassword --cacert /root/dc1-base64-x509.cer
dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
This is the output from that command:
Directory Manager password:
INFO:root:Shutting down dirsrv:
EVSCORPORATION-COM... [ OK ]
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
EVSCORPORATION-COM... [ OK ]
INFO:root:
INFO:root:Added CA certificate /root/dc1-base64-x509.cer to
certificate database for ipamem1.evscorporation.com
INFO:root:Restarted directory server ipamem1.evscorporation.com
INFO:root:Could not validate connection to remote server
dc1.evscorporation.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP
error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipamem1.evscorporation.com] reports: Update failed! Status: [81 -
LDAP error: Can't contact LDAP server]
INFO:root:Added agreement for other host dc1.evscorporation.com
Additionally, in the /var/lib/dirsrv/ errors log, I have the
following error:
[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send
bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com]
mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's
Certificate issuer is not recognized.) 11 (Resource temporarily
unavailable)
On the Windows server, the Passsync service is running and as far as
I know I installed the right certificate on the Passsync side by
following the instructions at
(http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service)
and the only message in the Passsync log on the Windows side is:
07/25/09 14:32:15: PassSync service started
I'm sure that I'm just missing some simple, stupid little thing, but I
have no earthly idea as to what that could be. Any
help/suggestions/troubleshooting anyone can help me with, I would
greatly appreciate it.
Hmm, clearly an SSL trust issue.
Let's start by making sure that DS has the CA you provided loaded and
trusted:
# certutil -L -d /etc/dirsrv/slapd-INSTANCE
It should include your CA and have a trust like CT,,C
I found that I needed to reboot my AD server when installing the CA
service and getting PassSync installed. Have you rebooted recently?
These instructions are much more comprehensive and include that a reboot
of the AD machine is required.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
Jenny
rob
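Rob's trust check can be scripted. The following is an added example (my own, not code from the thread, FreeIPA or Directory Server) in POSIX sh that parses the output of certutil -L and reports whether a given CA nickname is present with the C flag in the SSL trust column, which is what a CT,,C entry gives you. The sample listing and the nickname "EVS Root CA" are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: parse `certutil -L` output and check
# that a CA nickname is present with a C (trusted CA) flag in the SSL column.
# Real use:  certutil -L -d /etc/dirsrv/slapd-INSTANCE | ca_trusted "EVS Root CA"
# The listing below is constructed to mimic certutil -L output; the nickname
# "EVS Root CA" is an assumption, not something the thread names.

SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

Server-Cert                                       u,u,u
EVS Root CA                                       CT,,C
Untrusted Import                                  ,,
'

# ca_trusted NICKNAME   (reads certutil -L output on stdin)
# exit 0: nickname found and SSL trust column contains C (DS will accept
#         peer certs issued by it); 1: found but not trusted as an SSL CA;
#         2: nickname not in the database at all.
ca_trusted() {
    awk -v nick="$1" '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            flags = $NF                     # trust string, e.g. CT,,C or ,,
            name = $0
            sub(/[ \t][ \t]+[^ \t]*$/, "", name)   # drop padding + trust column
            if (name == nick) {
                found = 1
                split(flags, col, ",")      # col[1] is the SSL trust column
                rc = (col[1] ~ /C/) ? 0 : 1
            }
        }
        END { exit (found ? rc : 2) }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s' "$SAMPLE_CERTUTIL_OUTPUT" | ca_trusted "EVS Root CA" \
    && echo "EVS Root CA: trusted CA for SSL (CT,,C or C,, is what you want)" \
    || echo "EVS Root CA: missing or not trusted (rc=$?)"
```

A u,u,u entry is your own server cert, not a CA; the Peer's Certificate issuer is not recognized error in the dirsrv log means the issuer of the DC's cert has no such C entry in this database.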
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Jenny Galipeau <[email protected]>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering