Hello Hugh,
Could you tell us the version of 389-ds-base the PassSync is trying to
access? If the directory server is not new enough
(389-ds-base-1.3.2.26
<http://www.port389.org/docs/389ds/releases/release-1-3-2-26.html> or
389-ds-base-1.3.3.8
<http://www.port389.org/docs/389ds/releases/release-1-3-3-8.html>),
could you please try setting the following environment variable on the
Windows machine on which PassSync is running?
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
PassSync 1.1.6 supports TLS version 1.1 and newer SSL versions
supported by NSS. SSLv3 is disabled by default. To force-enable
SSLv3.0, the environment variable LDAPSSL_ALLOW_OLD_SSL_VERSION has
to be set to some non-NULL value.
In Computer | Properties | Advanced system settings | Environment
Variables | System variables, add variable:
LDAPSSL_ALLOW_OLD_SSL_VERSION, value: 1
Thanks,
--noriko
-------- Forwarded Message --------
Subject: [Freeipa-users] Passsync fails to connect to LDAP
Date: Tue, 17 Feb 2015 13:55:52 -0600
From: Hugh <[email protected]>
To: [email protected]
All,
After my education on what IPA/AD trusts can and can't do, I decided
to give the IPA-AD sync option a try. After finally finding what I
think is the proper software to install on the AD DC
(389-PassSync-1.1.6-x86_64.exe from the Fedora site), I believe I have
the settings correct, but the Password Synchronization software
refuses to connect. After changing the Log Level option to 1, I get
the below in the log file, which doesn't really tell me much of anything.
02/17/15 13:18:20: Backoff time expired. Attempting sync
02/17/15 13:18:20: Password list has 1 entries
02/17/15 13:18:20: Ldap bind error in Connect
81: Can't contact LDAP server
02/17/15 13:18:20: Attempting to sync password for ADSERVER$
02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
02/17/15 13:18:20: Ldap error in QueryUsername
81: Can't contact LDAP server
02/17/15 13:18:20: Deferring password change for ADSERVER$
02/17/15 13:18:20: Backing off for 256000ms
The credentials are definitely correct and IPA is set up to do LDAPS
as, on the same AD server, I can connect and bind using ldp.exe with
the same settings/credentials and I'm able to browse the LDAP tree.
I've done a wireshark capture and it looks like it's failing in the
TLS negotiation. I can see this entry in the capture:
TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Protocol Version (70)
I added the IPA CA cert to the cert files in the 389 PassSync
directory and I can confirm that as below.
C:\Program Files\389 Directory Password Synchronization>certutil -d . -L
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI
IPA CA cert                                            CT,,
When I list that specific certificate, I can see the below in the output.
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:
Any pointers/ideas?
Thanks in advance,
Hugh
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
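The fatal alert in Hugh's capture is a seven-byte TLS record: a five-byte record header (content type 21, version 0x0303, length 2) followed by a two-byte alert body (level 2, description 70). When all you have is a tcpdump payload rather than a Wireshark dissection, decoding those bytes by hand gives the same fields. The following Python is an added example, not code from the original thread or from PassSync/389-ds; the sample bytes are constructed from the field values in the capture above, and the placeholder Handshake record in the sample stream is framing only, not a real ClientHello.

```python
"""Decode TLS record framing and alert messages from raw captured bytes.

Added example (not from the original post or from PassSync/389-ds). It decodes
the kind of alert record Hugh's capture shows so that the same check can be run
on bytes pulled out of a pcap. The sample bytes below are constructed from the
field values in the capture above.
"""
import struct

# Record layer content types, RFC 5246 section 6.2.1
CONTENT_TYPES = {
    20: "ChangeCipherSpec",
    21: "Alert",
    22: "Handshake",
    23: "ApplicationData",
}

# Wire versions. The record-layer version is not the negotiated version,
# but the version field on an alert still tells you what its sender speaks.
VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

ALERT_LEVELS = {1: "Warning", 2: "Fatal"}

# Subset of AlertDescription values, RFC 5246 section 7.2
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

RECORD_HEADER = struct.Struct("!BHH")  # content type, version, length


def parse_record(data, offset=0):
    """Parse one TLS record starting at `offset`; returns a dict with the body."""
    if len(data) - offset < RECORD_HEADER.size:
        raise ValueError("truncated record header")
    ctype, version, length = RECORD_HEADER.unpack_from(data, offset)
    start = offset + RECORD_HEADER.size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return {
        "content_type": ctype,
        "content_type_name": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": version,
        "version_name": VERSIONS.get(version, "unknown(0x%04x)" % version),
        "length": length,
        "body": body,
    }


def iter_records(stream):
    """Yield every record in a concatenated stream of TLS records."""
    offset = 0
    while offset < len(stream):
        rec = parse_record(stream, offset)
        yield rec
        offset += RECORD_HEADER.size + rec["length"]


def parse_alert(rec):
    """Decode the 2-byte alert body of an Alert record."""
    if rec["content_type"] != 21:
        raise ValueError("not an Alert record")
    if rec["length"] != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = rec["body"][0], rec["body"][1]
    return {
        "level": level,
        "level_name": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": desc,
        "description_name": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
    }


def fatal_alerts(stream):
    """Return a one-line summary for each fatal alert found in the stream."""
    out = []
    for rec in iter_records(stream):
        if rec["content_type"] != 21:
            continue
        alert = parse_alert(rec)
        if alert["level"] == 2:
            out.append("%s record: Alert (Level: %s, Description: %s (%d))" % (
                rec["version_name"], alert["level_name"],
                alert["description_name"], alert["description"]))
    return out


# Constructed sample: the alert from the capture above (type 21, version
# 0x0303, length 2, level 2 = fatal, description 70 = protocol_version).
CAPTURED_ALERT = bytes.fromhex("15 03 03 00 02 02 46")

# Constructed sample stream: a placeholder Handshake record (its 4-byte body is
# not a real ClientHello; only the framing matters here) followed by the alert.
SAMPLE_STREAM = bytes.fromhex("16 03 01 00 04 01 00 00 00") + CAPTURED_ALERT

if __name__ == "__main__":
    for line in fatal_alerts(SAMPLE_STREAM):
        print(line)
```

Feed it the TCP payload of the LDAPS session (port 636) extracted from the pcap and it lists every fatal alert with the version its sender put on the wire. Note that the variable Noriko describes re-enables SSLv3 on the PassSync side, which the release note disables by default for a reason; a directory server at or above the versions she lists avoids the downgrade.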