> On 05/14/2015 11:33 PM, [email protected] wrote:
>>>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>> Directory Manager password:
>>>>
>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>> Windows PassSync system account exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>>
>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>>>
>>> Have you tried using ldapsearch to verify the connection?
>>>
>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>>>
>>> and/or
>>>
>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" "objectclass=*"
>>>
>> Both commands give the same successful result. I don't think it's a problem with the credentials, because I was able to generate different error messages during the attempted sync setup if I intentionally gave a bad password or username.
>
> Ok. Have you tried enabling the replication log level?
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>

After doing that and poking around in /var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this:

[15/May/2015:20:27:17 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)

So it's complaining that it doesn't recognize the certificate that was signed by my AD certificate authority, as suggested here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req

I copied the certificate to my server, though, and created the hashes just like the manual said. The only issue I had was that the directions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
tell you to go to "My Network Places", but that didn't exist on my server. I did it through Start menu -> Administrative Tools -> Certification Authority. The rest (double-clicking on the cert, going to the Details tab and Copy to File) was the same, though.

So how do I get FreeIPA to not choke on the self-signed cert?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
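The NSS error quoted in the log above (-8179, "Peer's Certificate issuer is not recognized") means the 389-ds server behind FreeIPA could not chain the certificate presented by the AD DC to any CA it trusts. Before touching the NSS database it is worth confirming offline that the .cer exported from the AD certification authority really is the issuer of the certificate the DC sends on port 389/636 (an exported root is useless if the DC's certificate was issued by a subordinate CA, and a renewed CA key keeps the same DN). The script below is an added example, not part of this thread, of FreeIPA or of 389-ds: it builds a throw-away CA and server certificate with openssl(1) to stand in for the AD CA and for addc2's certificate (constructed test data), converts the DER export to PEM as AD's "Copy to File" produces DER, and runs the check once against the right CA and once against an unrelated one, which is the OpenSSL-side picture of the -8179 failure. Against the real deployment, substitute /etc/openldap/cacerts/addc2-test.cer and a copy of the DC's certificate (for example the chain printed by `openssl s_client -connect addc2.test.mycompany.net:636 -showcerts`); the temporary-directory layout and the hostnames are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): confirm offline that an exported AD CA
# certificate is the issuer of the certificate the AD DC presents over TLS.
# All certificates here are constructed stand-ins built in a temp directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# AD exports CA certificates as DER (.cer) by default; openssl verify and
# certutil -A both want PEM. Accept either encoding and emit PEM.
to_pem() {
    if openssl x509 -inform PEM -in "$1" -noout >/dev/null 2>&1; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# check_issuer CA_FILE SERVER_CERT_FILE
# Returns 0 if SERVER_CERT_FILE chains to CA_FILE, 1 otherwise.
check_issuer() {
    ca_pem="$WORK/ca.check.pem"
    srv_pem="$WORK/srv.check.pem"
    to_pem "$1" > "$ca_pem"
    to_pem "$2" > "$srv_pem"
    ca_subject=$(openssl x509 -in "$ca_pem" -noout -subject)
    srv_issuer=$(openssl x509 -in "$srv_pem" -noout -issuer)
    echo "CA subject    : ${ca_subject#subject=}"
    echo "server issuer : ${srv_issuer#issuer=}"
    # A matching DN is necessary but not sufficient (a renewed CA key keeps
    # its DN), so let openssl check the signature and validity as well.
    if openssl verify -CAfile "$ca_pem" "$srv_pem" >/dev/null 2>&1; then
        echo "OK: server certificate chains to this CA"
        return 0
    fi
    echo "FAIL: this CA did not issue the server certificate (NSS reports -8179 here)"
    return 1
}

# --- constructed test PKI standing in for the AD CA and the DC certificate ---
# mk_ca NAME -> $WORK/NAME.key, $WORK/NAME.pem and a DER copy $WORK/NAME.cer
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.cer"
}
# mk_server_cert CA_NAME HOST -> $WORK/HOST.pem signed by that CA
mk_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 2 -out "$WORK/$2.pem" >/dev/null 2>&1
}

mk_ca test-CA             # the CA that actually issued the DC certificate
mk_ca other-CA            # an unrelated CA, e.g. a different root exported by mistake
mk_server_cert test-CA addc2.test.mycompany.net

echo "== exported CA that really issued the DC certificate =="
check_issuer "$WORK/test-CA.cer" "$WORK/addc2.test.mycompany.net.pem" || true
echo "== unrelated CA: what the -8179 failure looks like from the OpenSSL side =="
check_issuer "$WORK/other-CA.cer" "$WORK/addc2.test.mycompany.net.pem" || true
```

If the check passes for the real files, the remaining question is whether that same CA is present with the `C` trust flag in the 389-ds NSS database that the winsync agreement uses; `certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-NET` (instance name taken from the log path above) lists the certificates and their trust flags. If the check fails, the exported file is not the issuer of the DC's certificate and re-exporting it from the correct CA is the first thing to fix.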
