As a domain admin, I want to replicate FreeIPA users in Active Directory.
Replica agreement won't set up.
Added CA certificate /home/akimov/ca-win.cer to certificate database for ipa.ats.lo
ipa: INFO: Failed to connect to AD server ats-sharepoint0.sp.atsaero.ru
ipa: INFO: The error was: option error
Failed to setup winsync replication
Create replica agreement
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.8-5.el7.centos.7.x86_64
ipa-client-4.6.8-5.el7.centos.7.x86_64
389-ds-base-1.3.10.2-12.el7_9.x86_64
pki-ca-10.5.18-16.el7_9.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
The certificate chain is valid.
openssl s_client -connect ad_ip:389 -starttls ldap
CONNECTED(00000003)
depth=1 DC = ru, DC = atsaero, DC = sp, CN = sp-ATS-SHAREPOINT0-CA
verify return:1
depth=0
verify return:1
Certificate chain
 0 s:
   i:/DC=ru/DC=atsaero/DC=sp/CN=sp-ATS-SHAREPOINT0-CA
Yes, it is self-signed but added to trusts on both hosts.
Hi, based on the message "option error" I can only guess, but are there specific LDAP client settings on your machine (in /etc/openldap/ldap.conf for instance) that could be refused by the AD server?
Hi, do you need our ldap.conf?
@akimov On a standard install, I have the following ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
URI ldaps://server.domain.com
BASE dc=domain,dc=com
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
I would be interested if your settings differ (note that the settings can also be read from other sources, such as $HOME/.ldaprc, $HOME/ldaprc, etc.).
@frenaud
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
SASL_NOCANON on
URI ldaps://ipa.ats.lo
BASE dc=ats,dc=lo
TLS_CACERT /etc/ipa/ca.crt
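The layered lookup frenaud points to (system ldap.conf, then $HOME/ldaprc, $HOME/.ldaprc and environment variables) can be checked mechanically rather than by eye. The script below is an added example, not code from the ticket or from FreeIPA: it resolves each option across the files you hand it, with an LDAP<KEY> environment variable overriding them, and flags a TLS_REQCERT of allow or never, which makes the client proceed with a server certificate that did not verify (the value in the reporter's file). The file precedence it assumes and the sample files it writes are constructed for the demo.

```shell
# Added diagnostic, not code from the ticket or FreeIPA: compute the effective
# OpenLDAP client settings from layered config files and flag a TLS_REQCERT value
# that disables server-certificate verification. Assumed precedence: files passed
# lowest-to-highest (system ldap.conf first, then user ldaprc); LDAP<KEY> env wins.

# ldap_effective KEY FILE... : print the winning value of KEY ("" if unset)
ldap_effective() {
    _key=$1; shift; _val=""
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        # option names are case-insensitive; the last match in a file wins
        _v=$(awk -v k="$_key" 'toupper($1)==toupper(k){$1="";sub(/^ +/,"");v=$0} END{print v}' "$_f")
        [ -n "$_v" ] && _val=$_v
    done
    _e=$(eval "printf '%s' \"\${LDAP$_key:-}\"")   # e.g. LDAPTLS_REQCERT
    [ -n "$_e" ] && _val=$_e
    printf '%s\n' "$_val"
}

# tls_verdict FILE... : "ok" when the server certificate must verify (demand or
# hard, the default), else "weak:<value>". never and allow ignore a bad server
# certificate; try still accepts a server that presents none.
tls_verdict() {
    _r=$(ldap_effective TLS_REQCERT "$@" | tr 'A-Z' 'a-z')
    case "$_r" in
        ""|demand|hard) echo ok ;;
        *) echo "weak:$_r" ;;
    esac
}

# make_samples DIR : two constructed files shaped like those in the thread
# (sample hostnames, not the reporter's real configuration)
make_samples() {
    cat > "$1/ldap.conf" <<'EOF'
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
SASL_NOCANON on
URI ldaps://ipa.example.test
BASE dc=example,dc=test
EOF
    printf '# per-user file that silently overrides the system URI\nURI ldap://other.example.test\n' > "$1/ldaprc"
}
# Demo: what the client actually uses once both files are read
_d=$(mktemp -d) && make_samples "$_d"
for _k in URI TLS_CACERTDIR TLS_REQCERT; do
    printf '%-14s %s\n' "$_k" "$(ldap_effective "$_k" "$_d/ldap.conf" "$_d/ldaprc")"
done
echo "server cert check: $(tls_verdict "$_d/ldap.conf" "$_d/ldaprc")"
rm -rf "$_d"
```

Point it at the real files in libldap's order (and run it as the user the replication command runs as) to see which URI and TLS_REQCERT the client ends up with.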