FreeIPA and AD password synchronisation

Question

I am attempting to integrate FreeIPA with Active Directory to provide single-sign-on for Windows and Linux users by following this guide.

I have successfully created the 'winsync' agreement and loaded the AD data into FreeIPA but I am struggling to setup the Windows Password Synchronization from this part of the guide.

When a user changes their password, I see the following in the 389 PassSync plugin log on the Domain Controller:

06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, using the same user and password used by the PassSync plugin, it is successful:

$ ldapsearch -x -h ldaps://localhost -p 636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password'  -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'

Can anyone point out what I doing wrong?

Answer 1

I figured this out, I'll post my findings to help anyone else that has a similar issue.

On the IPA server, I found the 389-ds log: /var/log/dirsrv/slapd-HOSTNAME/access

Looking at the entries in the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync.

Here I noticed the same characters in the "Search Base" key. I think these extra characters were accidentally copy-pasted from the documentation.

Removing them and restarting the service has resolved the problem.