>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>> Windows PassSync system account exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>>
>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>
> Have you tried using ldapsearch to verify the connection?
>
> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>
> and/or
>
> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>
Both commands give the same successful result. I don't think it's a problem with the credentials because I was able to generate different error messages during the attempted sync setup if I intentionally gave a bad password or username. Here is what happens when I run the above commands:

[root@ipadc1 cacerts]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 16010101000001.0Z

[root@ipadc1 cacerts]# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 16010101000001.0Z

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
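As an added check that is not from this thread or from FreeIPA itself: the script below performs the same StartTLS handshake the sync agreement has to complete against the DC name and CA file from the post, but using Python's ssl module instead of OpenLDAP's trust store, and returns the certificate's subject, issuer and subjectAltName so the host name used in the agreement can be compared with what the DC actually presents. It assumes StartTLS on port 389 (what ldapsearch -ZZ also negotiates) and that the DC's StartTLS response is short enough for single-byte BER lengths.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511, section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }.
    Every length here is below 128, so the short definite-length form is enough."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext_req = bytes([0x77, len(name)]) + name                # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + ext_req             # INTEGER messageID + op
    return bytes([0x30, len(body)]) + body                   # SEQUENCE (LDAPMessage)


def parse_result_code(resp):
    """Return resultCode (0 = success) from a short ExtendedResponse.
    Assumed layout: 30 len | 02 01 id | 78 len | 0a 01 code | ... (short lengths only)."""
    if len(resp) < 10 or resp[0] != 0x30 or resp[5] != 0x78 or resp[7] != 0x0A:
        raise ValueError("unexpected LDAP response: %s" % resp[:10].hex())
    return resp[9]


def verify_starttls(host, cafile, port=389, timeout=10):
    """Connect in the clear, request StartTLS, then complete the TLS handshake while
    verifying the chain against `cafile` and the certificate's name against `host`,
    the two checks any TLS client must pass. Returns peer certificate details."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the agreement is configured by host name, so match it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
            "subjectAltName": cert.get("subjectAltName")}


if __name__ == "__main__":
    # usage: python3 check_starttls.py addc2.test.mycompany.net /etc/openldap/cacerts/addc2-test.cer
    import sys
    print(verify_starttls(sys.argv[1], sys.argv[2]))
```

A chain or host-name failure surfaces here as an ssl.SSLCertVerificationError naming the exact check that failed, which is more informative than the bare "-11 Connect error" reported by the agreement.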
