Friday, 28 November 2014

Free IPA Active Directory Integration

Free IPA / ADS Users & Password Sync Document

IPA Server (ipaserver.gai.local) : DNS1: 6
ADS Server (ad1.gai.local) : DNS: Windows 2008 R2

Step 1# Install IPA Server
    # ipa-server-install
  1. Enter the hostname. This is determined automatically using reverse DNS.
    Server host name [ipaserver.gai.local]:
  2. Enter the domain name. This is determined automatically based on the hostname.
    Please confirm the domain name [gai.local]:
  3. The script then reprints the hostname, IP address, and domain name.
    The IPA Master Server will be configured with
    Hostname: ipaserver.gai.local
    IP address:
    Domain name: gai.local
  4. Enter the new Kerberos realm name. This is usually based on the domain name.
    Please provide a realm name [gai.local]:
  5. Enter the password for the Directory Server superuser, cn=Directory Manager. There are password strength requirements for this password, including a minimum password length.
    Directory Manager password:
    Password (confirm):
  6. Enter the password for the FreeIPA system user account, admin. This user is created on the machine.
    IPA admin password:
    Password (confirm):
  7. After that, the script configures all of the associated services for FreeIPA, with task counts and progress bars.
    Configuring ntpd
    [1/4]: stopping ntpd
    done configuring ntpd.
    Configuring directory server for the CA: Estimated time 30 seconds
    [1/3]: creating directory server user
    done configuring pkids.
    Configuring certificate server: Estimated time 6 minutes
    [1/17]: creating certificate server user
    done configuring pki-cad.
    Configuring directory server: Estimated time 1 minute
    [1/32]: creating directory server user
    done configuring dirsrv.
    Configuring Kerberos KDC: Estimated time 30 seconds
    [1/14]: setting KDC account password
    done configuring krb5kdc.
    Configuring ipa_kpasswd
    [1/2]: starting ipa_kpasswd
    [2/2]: configuring ipa_kpasswd to start on boot
    done configuring ipa_kpasswd.
    Configuring the web interface: Estimated time 1 minute
    [1/12]: disabling mod_ssl in httpd
    done configuring httpd.
    Setting the certificate subject base
    restarting certificate server
    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Restarting the web server
    Sample zone file for bind has been created in /tmp/
    Setup complete
  8. Restart the SSH service to retrieve the Kerberos principal and to refresh the Name Service Switch (NSS) configuration file:
    # service sshd restart
  9. Authenticate to the Kerberos realm using the admin user's credentials to ensure that the user is properly configured and the Kerberos realm is accessible.
    # kinit admin
    Password for admin@gai.local:
  10. Test the FreeIPA configuration by running a command like ipa user-find. For example:
    # ipa user-find admin
    1 user matched
    User login: admin
    Last name: Administrator
    Home directory: /home/admin
    Login shell: /bin/bash
    Account disabled: False
    Member of groups: admins
    Number of entries returned 1
Step 2# Install ADS Server

Hostname: ad1.gai.local

IP : (IP Should be static)

Domain Name: gai.local

Step 2.1# ADS Installation

Start-->Server Manager-->Roles-->Add Roles--> Select Active Directory Domain Services --> Next --> Next (Intro for ADS)-->Install

Step 2.2# Reboot
Reboot Server After Installation

Step 2.3# ADS configuration

Start--> dcpromo.exe --> Enter--> Next (Welcome ADS Wizard) --> Next (OS compatibility) -->Select Create a new domain in a new forest -->Next -->Enter domain as "gai.local" -->Next-->Select Forest functional level as "Windows Server 2008" --> Next--> Tick DNS Server --> Next-->A DNS delegation warning will appear, click Yes-->Next (for the c:\windows\ directory location)-->Enter the password for the ADS administrator account --> Next --> Next (Summary)

Step 2.4# Reboot
Reboot Server After dcpromo Configuration

Step 2.5# Creating CA Certificate for ADS

Start-->Server Manager-->Roles-->Add Roles-->Active Directory Certificate Services -->Next-->Next-->Select Certification Authority-->Next-->Select Enterprise-->Next-->Select Root CA-->Next-->Create a new private key-->Next (algorithm selection)-->10 Years (validity period) -->Next-->Next-->Install

Step 2.6# Reboot
Reboot Server After AD CS Installation

Step 2.7# Export ADS CA
Start-->Certification Authority-->Select AD1.gai.local CA -->Right Click-->Properties-->View Certificate-->Details-->Copy to File-->Next (Export Wizard)-->Select Base-64 encoded X.509 (.CER)-->Next-->Browse (give any file location with file name, example: c:\temp\ADCA) -->Next-->Save

Step 2.8# Install IPA (.crt) Certificate in ADS

Copy IPA:/etc/ipa/ca.crt to ADS:c:\tmp\
Go to ADS:c:\tmp\ and Right Click on ca.crt-->Install Certificate-->Next-->Select Place all certificates in the following store-->Browse-->Select Trusted Root Certification Authorities-->Ok-->Next-->Finish-->Yes-->Ok (Import was successful)

Step 2.8# Transfer AD CA to IPA
copy ADS:c:\temp\ADCA.cer to IPA:/etc/openldap/cacerts (mkdir /etc/openldap/cacerts if it does not exist)
copy IPA:/etc/ipa/ca.crt to IPA:/etc/openldap/cacerts
#cacertdir_rehash /etc/openldap/cacerts   (creates the hash-named symlinks OpenLDAP needs to find CA certificates in a TLS_CACERTDIR)
#vim /etc/openldap/ldap.conf

#Add the below line
TLS_CACERTDIR /etc/openldap/cacerts

Step 2.9 # DNS Resolve

From ADS# ping ipaserver.gai.local should ping successfully
From ADS# ping ad1.gai.local should ping successfully
From IPA# ping ipaserver.gai.local should ping successfully
From IPA# ping ad1.gai.local should ping successfully

Step 2.10 # Search ADS LDAP users from IPA (so that we can confirm the connection from IPA to ADS)

ldapsearch -x -D "cn=administrator,cn=users,dc=gai,dc=local" -h ad1.gai.local -W -b dc=gai,dc=local
Enter LDAP Password: (Enter ADS administrator password)

#Connection check via StartTLS (-ZZ fails unless the TLS handshake succeeds, which also verifies that the AD CA certificate copied above is trusted)
ldapsearch -x -D "cn=administrator,cn=users,dc=gai,dc=local" -h ad1.gai.local -W -b dc=gai,dc=local -ZZ
Enter LDAP Password: (Enter ADS administrator password)

Step 3# Creating Users in ADS before sync
ADS: Go to -->Active Directory Users & Computers --> Go to Users --> Right click --> New--> User --> Create the user here (Please note that First Name & Last Name must be entered, because IPA will only replicate AD users that have both First Name & Last Name set)
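The First Name / Last Name requirement is easy to miss for accounts created earlier, so here is a pre-sync check (an added example, not from the original post): it parses the LDIF that the Step 2.10 ldapsearch prints and lists the AD user entries winsync would skip because givenName or sn is missing. The sample LDIF and account names are constructed.

```python
"""Added example for Step 3 (not from the original post): winsync only creates IPA
accounts for AD users with both givenName and sn; this lists the ones it skips."""
# Constructed sample of what the Step 2.10 ldapsearch prints (made-up names; the
# long description is folded onto a second line the way ldapsearch does it).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=gai,DC=local
objectClass: user
sAMAccountName: alice
givenName: Alice
sn: Example
description: GAI finance team; created for AD to IPA sync tes
 ting

dn: CN=svc_backup,CN=Users,DC=gai,DC=local
objectClass: user
sAMAccountName: svc_backup

dn: CN=Bob,CN=Users,DC=gai,DC=local
objectClass: user
sAMAccountName: bob
givenName: Bob
"""
# lowercase key for lookup -> canonical AD attribute name for the report
REQUIRED = {"givenname": "givenName", "sn": "sn"}


def parse_ldif(text):
    """Split LDIF into dicts {attr_lower: [values]}; base64 ('::') values stay opaque."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:          # folded continuation line
            current[last][-1] += raw[1:]
        elif not raw or raw.startswith("#"):      # blank or comment ends an entry
            if "dn" in current:                   # skip 'version:' / result blocks
                entries.append(current)
            current, last = {}, None
        else:
            key, _, value = raw.partition(":")
            last = key.lower()                    # AD attribute names vary in case
            current.setdefault(last, []).append(value.lstrip(": "))
    return entries


def skipped_by_winsync(ldif_text):
    """Return {sAMAccountName: [missing attrs]} for user entries winsync skips."""
    report = {}
    for entry in parse_ldif(ldif_text):
        missing = [name for attr, name in REQUIRED.items() if not entry.get(attr)]
        if missing and "user" in entry.get("objectclass", []):
            report[entry.get("samaccountname", entry["dn"])[0]] = missing
    return report
```

Pipe the real ldapsearch output into `skipped_by_winsync(sys.stdin.read())` and fix the reported accounts in Active Directory Users & Computers before running Step 4.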

Step 4# Start Replication between IPA & AD

#ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=gai,dc=local --bindpw Desk13@ga! --passsync secretpwd --cacert /etc/openldap/cacerts/ADCA.cer ad1.gai.local -v

Added CA certificate /etc/openldap/cacerts/ADCA.cer to certificate database for ipaserver.gai.local
ipa: INFO: AD Suffix is: DC=gai,DC=
The user for the Windows PassSync service is
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipaserver.gai.local' to 'ad1.gai.local'

Note: Take note of the --passsync password above and of the user for the Windows PassSync service; both are needed when setting up Password Sync in ADS (Step 6.1).

Step 5# Check whether the ADS user created above has been replicated to IPA

#ipa user-show username_above_created

Step 6# Trust the IPA ca.crt certificate in ADS Password Sync services

Start-->cmd-->Run as administrator
Go to the location below: cd "C:\Program Files\Red Hat Directory Password Synchronization\"
C:\Program Files\Red Hat Directory Password Synchronization> certutil.exe -A -d . -i "c:\tmp\ca.crt" -n "IPA CA" -t CT,,

To list the certificate: certutil.exe -L -d .

Passsync log file: C:\Program Files\Red Hat Directory Password Synchronization\Passsync.txt

Step 6.1# Install RedHat-PassSync-1.1.5-x86_64.msi in ADS and start the Password Sync Service
Install the RedHat-PassSync-1.1.5-x86_64.msi
1. Host Name: Give the IPA Server hostname
2. Port : 636
3. User Name: Take this from the ipa-replica-manage command result above ("The user for the Windows PassSync service is ...") and paste it here directly
4. Password: The password is secretpwd, which you gave to the ipa-replica-manage command above as --passsync 'secretpwd'
5. Cert Token : Leave blank
6. Search Base: cn=users,cn=accounts,dc=gai,dc=local

Step 6.2 # Reboot the ADS Server

Step 7 # Reset the password in ADS and check it by logging in on an IPA client

Configure the IPA client on one Linux machine and log in with the IPA username/password. Then change the password for the same user in ADS and log in to the IPA client again with the new password.


1 comment:

  1. I have a similar setup while testing IPA, however I am unable to see AD users after setting up replication. Can you please help with how to find the AD users? I used the ldapadmin tool to browse the tree, however I do not see any replicated users there; the replication status is successful.