Linux – FreeIPA and AD password synchronisation

Tags: 389-ds, active-directory, freeipa, linux, single-sign-on

I am attempting to integrate FreeIPA with Active Directory to provide single-sign-on for Windows and Linux users by following this guide.

I have successfully created the 'winsync' agreement and loaded the AD data into FreeIPA, but I am struggling to set up the Windows Password Synchronization from this part of the guide.

When a user changes their password, I see the following in the 389 PassSync plugin log on the Domain Controller:

06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, using the same user and password used by the PassSync plugin, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'

Can anyone point out what I am doing wrong?

Best Answer

I figured this out, I'll post my findings to help anyone else that has a similar issue.

On the IPA server, I found the 389-ds log: /var/log/dirsrv/slapd-HOSTNAME/access

Looking at the entries in the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync.

Here I noticed the same characters in the "Search Base" key. I think these extra characters were accidentally copy-pasted from the documentation.

Removing them and restarting the service has resolved the problem.
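The diagnostic step in the answer (read the SRCH lines in the 389-ds access log, spot characters in the search base that do not belong there, and match them against err=34) can be automated. The script below is an added example, not code from the original post or from the FreeIPA/PassSync projects. The access-log lines it scans are constructed for the example in the format 389-ds uses for SRCH and RESULT records; the search base on conn=12 deliberately carries a zero-width space (U+200B) and a no-break space (U+00A0), the kind of invisible characters a copy-paste from a web page leaves behind. Nothing here talks to a directory server; it only reads text.

```python
"""Audit 389-ds access-log SRCH lines for search bases that carry invisible
or otherwise non-ASCII characters, and correlate each SRCH with the err code
of its RESULT line. Added example; sample log lines below are constructed."""
import re
import unicodedata

# Constructed sample, not from the original post. The SRCH on conn=12 has a
# U+200B before "cn=accounts" and a U+00A0 before "dc=my"; conn=13 is clean.
SAMPLE_ACCESS_LOG = """\
[17/Jun/2016:08:47:32 +0100] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:08:47:32 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com"
[17/Jun/2016:08:47:32 +0100] conn=12 op=1 SRCH base="cn=users,\u200bcn=accounts,\xa0dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:08:47:32 +0100] conn=12 op=1 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:08:48:10 +0100] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:08:48:10 +0100] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
# RFC 4514 attribute type: a descriptor (alpha, then alnum or hyphen) or a dotted OID.
RDN_COMPONENT_RE = re.compile(r'(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+')


def suspicious_chars(dn):
    """Return (position, char, unicode name) for every character outside
    printable ASCII (0x20..0x7E). These render as nothing, or as an ordinary
    space, in most log viewers and in regedit, but the server rejects the DN."""
    out = []
    for i, ch in enumerate(dn):
        if not 0x20 <= ord(ch) <= 0x7E:
            out.append((i, ch, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return out


def dn_looks_valid(dn):
    """Cheap structural check: split on unescaped ',' (RDNs) and '+' (multi-valued
    RDNs); every component must be attributeType=value with a non-empty value.
    It does not consult the schema, so it catches stray bytes and empty RDNs,
    not misspelled attribute names."""
    for rdn in re.split(r'(?<!\\),', dn):
        for component in re.split(r'(?<!\\)\+', rdn):
            if not RDN_COMPONENT_RE.fullmatch(component):
                return False
    return True


def audit_access_log(text):
    """Pair each SRCH with the RESULT of the same conn/op and report the
    search base, the offending characters, and the err code."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results[(m["conn"], m["op"])] = int(m["err"])
    findings = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        base = m["base"]
        findings.append({
            "conn": m["conn"],
            "op": m["op"],
            "base": base,
            "bad_chars": suspicious_chars(base),
            "syntax_ok": dn_looks_valid(base),
            "err": results.get((m["conn"], m["op"])),
        })
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_ACCESS_LOG):
        status = "OK" if f["syntax_ok"] and not f["bad_chars"] else "SUSPECT"
        print("conn=%s op=%s err=%s %s base=%r" % (f["conn"], f["op"], f["err"], status, f["base"]))
        for pos, ch, name in f["bad_chars"]:
            print("    position %d: %s (U+%04X)" % (pos, name, ord(ch)))
```

Run it against the real file with `audit_access_log(open("/var/log/dirsrv/slapd-HOSTNAME/access", encoding="utf-8", errors="replace").read())`; any SRCH whose base reports bad characters and whose RESULT is err=34 is the line to chase back to the PassSync "Search Base" registry value. The same `suspicious_chars()` check can be applied to that value on the DC once it is exported to text, for example with `reg query HKLM\SOFTWARE\PasswordSync /v "Search Base"` (a suggestion, not a step from the original answer). The reason to report the Unicode code point rather than the character is precisely that the character itself looks like nothing when printed.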