Hi everyone,

I'm back with my winsync replication. The replication process works fine, but when I specify "OU=Linux,DC=mycompany,DC=com", where 2 users have been created, nothing is replicated. BTW, this is a big AD (90k objects). Is it a problem? (idrange, for example)

If I replicate "cn=Users,DC=company,DC=com" I have users replicated, but I'm not sure that all are replicated.

----- Original Message -----
From: "Nicolas Zin" <[email protected]>
To: "Rich Megginson" <[email protected]>
Cc: [email protected]
Sent: Thursday 12 February 2015 09:37:26
Subject: Re: [Freeipa-users] ad relation with winsync

Next step: having the replication working.

The customer doesn't want to give my sync user the "Replicating directory changes", "Account Operator" and "Enterprise Read-Only Domain Controller" attributes and just wants a "one-way replication".

For the one-way replication, I followed the documentation, but I don't see any imported users. Do you have an idea? Are some of the Windows attributes necessary even for a one-way (Windows to Linux) synchronisation?

Regards,

Nicolas

----- Original Message -----
From: "Rich Megginson" <[email protected]>
To: [email protected]
Sent: Wednesday 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync

On 02/11/2015 04:18 AM, Nicolas Zin wrote:
> I reply to myself.
> This was certainly a Windows configuration issue. I went further:
>
> ipa-replica-manage connect --winsync --binddb cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
> Directory Manager password: ********
>
> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
> ipa: INFO: AD Suffix is: DC=company,DC=com
> The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0 end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
>
> [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>
> So apparently I manage to connect to AD but something went wrong after?
> How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b "DC=company,DC=com" -D "cn=Administrator,cn=Users,dc=company,dc=com" -w "password"

> Regards,
>
> Nicolas Zin
>
> ----- Original Message -----
> From: "Nicolas Zin" <[email protected]>
> To: [email protected]
> Sent: Wednesday 11 February 2015 12:06:47
> Subject: [Freeipa-users] ad relation with winsync
>
> Hi,
>
> I now try to establish a winsync relation with a Windows 2008R2.
> I installed IDM 3.3 on RHEL7.
>
> When I try to create the replication:
>
> ipa-replica-manage connect --winsync --binddb cn=Administrator,cn=Users,dc=company,dc=com --bindpwd <passwd> --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
> Directory Manager password: ********
>
> Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
> ipa: INFO: Failed to connect to AD srever dc.company.com
> ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
> Failed to setup winsync replication
>
> Do you have an idea what's wrong?
> Also, is it possible to point to port 636 instead?
>
> Notes:
> - On the Windows side, SSL has been activated (with pain) and ldp.exe manages to connect via SSL on port 636 correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
> - I checked that the 2 boxes have the same time (ntp).
> - I nearly managed to make it work once, but I got another error during replication.
>
> Nicolas Zin
> [email protected]
> Direct line: 514-276-5468 ext. 135
> Fax: 514-276-5465
> 7275 Saint Urbain
> Bureau 200
> Montréal, QC, H2R 2Y5

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
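The thread above turns on two separate questions: can the IPA server complete a STARTTLS bind to the domain controller with the trust store winsync uses (the "-11 Connect error" and "TLS error -8157" lines), and can the sync account actually read the users under the chosen subtree (the "OU=Linux ... nothing is replicated" question). The script below is an added example, not code from the thread, from FreeIPA or from 389-ds. It wraps the ldapsearch check Rich suggests in a function, adds a listing of user objects under the sync base using the standard AD filter `(&(objectClass=user)(objectCategory=person))`, and decodes the numeric codes that appear in the ipa output (the NSS values are NSS's own documented constants, offsets from SEC_ERROR_BASE -8192 and SSL_ERROR_BASE -12288; the LDAP values are OpenLDAP's result codes). It assumes `ldapsearch` and `certutil` are installed on the IPA server, that DOMAIN is the 389-ds instance name as in `/etc/dirsrv/slapd-DOMAIN`, and that you know the nickname under which the AD CA was imported; every function name is ours.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or 389-ds): preflight checks
# for an IPA winsync agreement against Active Directory.
# Assumptions: OpenLDAP client tools and NSS certutil are installed;
# /etc/dirsrv/slapd-$domain is the instance whose trust store winsync uses
# (the directory ipa-replica-manage reports adding the CA to).

# Pull the numeric NSS code out of a line such as
#   ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found', ...}
# Prints nothing if the line carries no TLS error.
tls_error_code() {
  printf '%s\n' "$1" | sed -n 's/.*TLS error \(-[0-9][0-9]*\):.*/\1/p'
}

# Symbolic NSS names for the codes most often seen when a DC certificate is
# rejected. Values are SEC_ERROR_BASE (-8192) + n and SSL_ERROR_BASE (-12288) + n.
nss_error_name() {
  case "$1" in
    -8157)  echo SEC_ERROR_EXTENSION_NOT_FOUND ;;
    -8172)  echo SEC_ERROR_UNTRUSTED_ISSUER ;;
    -8179)  echo SEC_ERROR_UNKNOWN_ISSUER ;;
    -8181)  echo SEC_ERROR_EXPIRED_CERTIFICATE ;;
    -12276) echo SSL_ERROR_BAD_CERT_DOMAIN ;;
    *)      echo "UNKNOWN($1)" ;;
  esac
}

# The status number in "Update failed! Status: [-11 - LDAP error: ...]"
# (OpenLDAP result codes; negative ones are client-side).
ldap_result_name() {
  case "$1" in
    0)   echo LDAP_SUCCESS ;;
    -1)  echo LDAP_SERVER_DOWN ;;
    -11) echo LDAP_CONNECT_ERROR ;;
    32)  echo LDAP_NO_SUCH_OBJECT ;;
    49)  echo LDAP_INVALID_CREDENTIALS ;;
    *)   echo "UNKNOWN($1)" ;;
  esac
}

# Step 1: is a certificate with the given nickname present in the 389-ds
# instance's NSS database? (certutil -L lists the db; no password needed.)
ca_in_dirsrv_db() {
  domain=$1 nickname=$2
  certutil -L -d "/etc/dirsrv/slapd-$domain" | grep -q -- "$nickname"
}

# Step 2: the check from the thread, as a function. -ZZ makes STARTTLS
# mandatory, so a certificate problem fails here rather than later in the sync.
ad_starttls_check() {
  domain=$1 ad_host=$2 suffix=$3 bind_dn=$4 bind_pw=$5
  LDAPTLS_CACERTDIR="/etc/dirsrv/slapd-$domain" \
    ldapsearch -xLLLZZ -H "ldap://$ad_host" -s base -b "$suffix" \
      -D "$bind_dn" -w "$bind_pw"
}

# Step 3: which user objects the bind account can see under the sync base.
# A working connection but an empty result points at the OU DN or at the
# account's read permissions on that subtree, not at TLS.
ad_list_sync_users() {
  domain=$1 ad_host=$2 sync_base=$3 bind_dn=$4 bind_pw=$5
  LDAPTLS_CACERTDIR="/etc/dirsrv/slapd-$domain" \
    ldapsearch -xLLLZZ -H "ldap://$ad_host" -s sub -b "$sync_base" \
      -D "$bind_dn" -w "$bind_pw" \
      '(&(objectClass=user)(objectCategory=person))' sAMAccountName
}

# Usage (constructed values; replace with your own):
#   sh check_winsync.sh DOMAIN dc.company.com "DC=company,DC=com" \
#      "OU=Linux,DC=company,DC=com" "cn=syncuser,cn=Users,DC=company,DC=com" 'pw' [CA-nickname]
if [ "$#" -ge 6 ]; then
  domain=$1 ad_host=$2 suffix=$3 sync_base=$4 bind_dn=$5 bind_pw=$6 nick=${7:-CA}
  ca_in_dirsrv_db "$domain" "$nick" \
    || echo "warning: no certificate nicknamed '$nick' in /etc/dirsrv/slapd-$domain" >&2
  if ad_starttls_check "$domain" "$ad_host" "$suffix" "$bind_dn" "$bind_pw" >/dev/null; then
    echo "STARTTLS bind to $ad_host as $bind_dn: OK"
    n=$(ad_list_sync_users "$domain" "$ad_host" "$sync_base" "$bind_dn" "$bind_pw" \
          | grep -c '^sAMAccountName:')
    echo "$n user objects visible under $sync_base"
  else
    echo "STARTTLS bind to $ad_host failed; compare the ldapsearch error with the ipa log" >&2
    exit 1
  fi
fi
```

Run it with no arguments and it only defines the functions, so the decoders can be sourced into another script; with six or seven arguments it performs the three checks in order. Because steps 2 and 3 use the same `LDAPTLS_CACERTDIR` as winsync, a certificate that ldapsearch rejects here is the same one the 389-ds plugin will reject, which is exactly the point of Rich's suggestion.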
