> On 05/14/2015 11:33 PM, [email protected] wrote: >>>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn >>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw >>>> supersecretpassword --passsync supersecretpassword --cacert >>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v >>>> Directory Manager password: >>>> >>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to >>>> certificate >>>> database for ipadc1.ipadomain.net >>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net >>>> The user for the Windows PassSync service is >>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net >>>> Windows PassSync system account exists, not resetting password >>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . >>>> . >>>> . >>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP >>>> error: Connect error: start: 0: end: 0 >>>> ipa: INFO: Agreement is ready, starting replication . . . >>>> Starting replication, please wait until this has completed. >>>> >>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP >>>> error: >>>> Connect error] >>> Have you tried using ldapsearch to verify the connection? >>> >>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ >>> -h >>> addc2.test.mycompany.net -D "cn=ad >>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w >>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" >>> "objectclass=*" >>> >>> and/or >>> >>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL >>> -ZZ -h addc2.test.mycompany.net -D "cn=ad >>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w >>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net" >>> "objectclass=*" >>> >> Both commands give the same successful result. I don't think it's a >> problem with the credentials because I was able to generate different >> error messages during the attempted sync setup if I intentionally gave a >> bad password or username. > > Ok. Have you tried enabling the replication log level? > > http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
Ok, that helped a lot. I got this fixed now. Because the manual tells you to export the cert using a way that doesn't work on newer versions of windows, I tried to improvise and my first attempt exported the wrong cert. The correct way is to go to mmc.exe and add the certificates snap-in. Then go to personal certificates store for the machine account and export the one that has -CA at the end of it in the issued to column. Now that the correct certificate was exported, replication succeeded. The docs should be updated though to reflect the proper way to export. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
