Hide Forgot
Created attachment 523647 [details] active directory 1. Download the attachment. 2. Make sure tack changes is turned on. Edit > Changes > Record. 3. Make any changes to the doc. 4. Attach the file to the bug. 5. Reassign the bug to me (dlackey). I care about accuracy, completeness, clarity, and organization. Thanks!
Deon, thanks for the document. There are few things missing from it. Luckily, they are covered elsewhere so gathering them together is easier. 1. In 7.2 after step 5 (reboot the Windows machine) you need to add a step for transferring IPA CA certificate to Password Sync. This is described in http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_for_PassSync 1.1 Export IPA CA Certificate: realm=IPA.EXAMPLE.COM certutil -d /etc/dirsrv/slapd-`echo $realm|sed 's/\./-/g'` -L "$realm IPA CA" -a >ipaca.crt 1.2. Transfer it to Windows server. 1.3. On windows server: cd "C:\Program Files\389 Directory Password Synchronization" certutil.exe -d . -A -n "IPA.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt With current Password Sync versions this should be enough to enable Password Sync to talk SSL to IPA directory server. 2. In 7.4.2, before you can create synchronization agreements, you need to import both IPA CA and AD CA to IPA server so that ldap clients could talk to IPA directory server and Active Directory server using SSL. 2.1. Copy AD certificate to /etc/openldap/cacerts/ 2.2. Copy IPA CA certificate to /etc/openldap/cacerts/ 2.3. Run cacertdir_rehash /etc/openldap/cacerts/ 2.4. Modify /etc/openldap/ldap.conf, and add if they do not exist: TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow With these changes one can now run ipa-replica-manage connect --winsync. ipa-replica-manage connect --winsync \ --binddn cn=Administrator,cn=users,dc=ad,dc=example,dc=com \ --bindpw secret --passsync secretpw \ --cacert /etc/openldap/cacerts/ad.cer \ ad.example.com -v For some reason, specifying DM password as commandline option did not work for me, I had to force it to be entered. 3. In the above --binddn points to a user in Active Directory that has enough privileges. Note that in internationalized versions of Windows, CNs of the system users are translated as well. For example, in Russian version of Windows Server 2008 R2, CN=Administrator is really CN=Администратор. One has to take this into account or Active Directory server will respond with cryptic error messages about incorrect credentials. Same cryptic will be shown if AD CA certificate is not available to LDAP clients via the configuration in /etc/openldap/ldap.conf.
Setting to ON_QA for review for 6.2. This is a bulk change, so I'm not providing links at this time. If you need help finding the info, ping sunny-dee on #docs or email me. Thanks!