When I run
ipa-replica-manage connect --winsync --passsync ** --cacert /etc/openldap/cacerts/ad-ca.cer --binddn "CN=Administrator,CN=Users,DC=domain,DC=com" --bindpw **** -v ad_server
the system gives me the following error:
Added CA certificate /etc/openldap/cacerts/ad-ca.cer to certificate database for freeipa.channelvas.prv
ipa: INFO: Failed to connect to AD server master-ad.channelvas.prv
ipa: INFO: The error was: {'desc': 'Server is unavailable', 'info': '00000000: LdapErr: DSID-0C091377, comment: Error initializing SSL/TLS, data 0, v4563'}
Failed to setup winsync replication
We have followed the following guide to sync AD with FreeIPA https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/managing-sync-agmt
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64
Hi, can you check if the AD server is able to answer startTLS requests on port 389, from the IPA node freeipa.channelvas.prv:
openssl s_client -starttls ldap -CAfile /etc/openldap/cacerts/ad-ca.cer -connect master-ad.channelvas.prv:389 < /dev/null
Now we have the following issue:
Added CA certificate /root/adOffice.pem to certificate database for freeipa.domain.com
ipa: INFO: Failed to connect to AD server
ipa: INFO: The error was: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
Failed to setup winsync replication
Hi, this error happens if you provide a wrong certificate file, for instance the AD server certificate instead of AD CA certificate. What is the output of:
Do you see only one certificate or multiple certificates below "Certificate chain"? Is the subject identical to the issuer (s: and i: fields)? If you have multiple certificates in the chain, you need to find the root certificate and provide this root certificate to the tool ipa-replica-manage with the --cacert option.
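A way to automate the chain check described above, as an added example that is not part of the ticket or of FreeIPA: it parses the "Certificate chain" section of openssl s_client output, picks out the self-signed root (s: equal to i:), and tells you whether a candidate --cacert is actually the issuer rather than the server's own certificate. The openssl output below is a constructed sample and the host and CA names in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `openssl s_client -starttls ldap` output;
# host names and DNs are made up for this example, not taken from the ticket.
SAMPLE_CHAIN_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = master-ad.example.test
   i:DC = test, DC = example, CN = example-AD-CA
 1 s:DC = test, DC = example, CN = example-AD-CA
   i:DC = test, DC = example, CN = example-AD-CA
---
Server certificate
"""

@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    def is_self_signed(self):
        # A root CA is the entry whose s: and i: fields are identical.
        return self.subject.strip() == self.issuer.strip()

# Each chain entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(output):
    """Entries under 'Certificate chain', in the order the server sent them."""
    start = output.find("Certificate chain")
    if start < 0:
        return []
    end = output.find("\n---", start)
    block = output[start:end if end > 0 else len(output)]
    return [ChainEntry(int(d), s, i) for d, s, i in _ENTRY_RE.findall(block)]

def find_root(entries):
    """The certificate to hand to --cacert, if the server sent it at all."""
    return next((e for e in entries if e.is_self_signed()), None)

def cacert_is_usable(cacert_subject, cacert_issuer, entries):
    """True if a candidate --cacert is self-signed AND issues the top of the chain.
    The server's own leaf certificate fails this, which is the 'unable to get
    local issuer certificate' failure seen in the ticket."""
    if not entries or cacert_subject.strip() != cacert_issuer.strip():
        return False
    return cacert_subject.strip() == entries[-1].issuer.strip()

def advise(output):
    entries = parse_chain(output)
    if not entries:
        return "no certificate chain: STARTTLS on 389 did not complete"
    root = find_root(entries)
    if root is not None:
        return f"pass the depth-{root.depth} certificate ({root.subject}) as --cacert"
    return (f"server sent {len(entries)} certificate(s) but no root; export the CA "
            f"'{entries[-1].issuer}' from AD and pass that file as --cacert")
```

If the server sends only its leaf certificate, the root must be exported from the AD CA itself; the script reports the issuer name to look for.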
Hi, issue solved. Thanks
Metadata Update from @ntrip:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)