I reply to myself. This was certainly a Windows configuration issue. I went further:

ipa-replica-manage connect --winsync --binddb cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: ********
Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]

So apparently I managed to connect to AD, but something went wrong after? How can I debug it?

Regards,

Nicolas Zin

----- Original Message -----
From: "Nicolas Zin" <[email protected]>
To: [email protected]
Sent: Wednesday, 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

Hi,

I now try to establish a winsync relation with a Windows 2008R2. I installed IDM 3.3 on RHEL7.
When I try to create the replication:

ipa-replica-manage connect --winsync --binddb cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: ********
Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD srever dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
Failed to setup winsync replication

Do you have an idea what's wrong? Also, is it possible to point to port 636 instead?

Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
- I checked that the 2 boxes have the same time (ntp).
- I nearly managed to make it work once, but I got another error during replication.

Nicolas Zin
[email protected]
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain
Bureau 200
Montréal, QC, H2R 2Y5

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
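One way to check the two transports the mail asks about (STARTTLS on 389 and LDAPS on 636) against the AD domain controller, using the same CA file handed to ipa-replica-manage, before retrying the winsync agreement. This is an added example, not code from the original thread or from FreeIPA; it assumes OpenSSL 1.1.1 or newer (for `-starttls ldap`) and takes the DC hostname and CA file path as its two command-line arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original mail): probe the AD DC's LDAP TLS on
# both ports the thread mentions, so a winsync "Connect error" can be narrowed
# to the chain, the name in the leaf cert, or the transport, before touching
# ipa-replica-manage. Assumes: openssl >= 1.1.1, HOST and CAFILE as arguments.
set -u

# Parse "openssl s_client" output: 0 if the chain verified, 1 otherwise.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Parse "openssl x509 -text" output: 0 if the cert is flagged as a CA.
# A file that is not a CA certificate (for example the DC's own server cert)
# will not anchor the DC's chain in the IPA certificate database.
is_ca_cert_text() {
    grep -q 'CA:TRUE'
}

# Subject of the leaf cert the DC presented; winsync connects by hostname,
# so this must match the DC name given to ipa-replica-manage.
leaf_subject() {
    sed -n 's/^subject=//p' | head -n 1
}

probe() {  # probe HOST PORT CAFILE [starttls]
    local host=$1 port=$2 cafile=$3 mode=${4:-} extra=""
    [ "$mode" = starttls ] && extra="-starttls ldap"
    # shellcheck disable=SC2086
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" $extra </dev/null 2>/dev/null
}

main() {
    local host=$1 cafile=$2 out spec
    openssl x509 -in "$cafile" -noout -text | is_ca_cert_text \
        || echo "WARN: $cafile does not carry basicConstraints CA:TRUE"
    for spec in "389 starttls" "636 ldaps"; do
        set -- $spec   # $1 = port, $2 = mode
        out=$(probe "$host" "$1" "$cafile" "$2")
        if printf '%s\n' "$out" | verify_ok; then
            echo "port $1 ($2): TLS OK, leaf: $(printf '%s\n' "$out" | leaf_subject)"
        else
            echo "port $1 ($2): TLS verification FAILED"
            printf '%s\n' "$out" | grep -E 'Verify return code|verify error' | head -n 3
        fi
    done
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as `./probe_ad_tls.sh dc.company.com /etc/openldap/cacerts/adRootCA.crt`; a failure on 389 with success on 636 points at the STARTTLS path rather than the certificate itself.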
