All,

After my education on what IPA/AD trusts can and can't do, I decided to
give the IPA-AD sync option a try. After finally finding what I think is
the proper software to install on the AD DC (389-PassSync-1.1.6-x86_64.exe
from the Fedora site), I believe I have the settings correct, but the
Password Synchronization software refuses to connect. After changing the
Log Level option to 1, I get the below in the log file, which doesn't
really tell me much of anything.

02/17/15 13:18:20: Backoff time expired. Attempting sync
02/17/15 13:18:20: Password list has 1 entries
02/17/15 13:18:20: Ldap bind error in Connect
81: Can't contact LDAP server
02/17/15 13:18:20: Attempting to sync password for ADSERVER$
02/17/15 13:18:20: Searching for (ntuserdomainid=ADSERVER$)
02/17/15 13:18:20: Ldap error in QueryUsername
81: Can't contact LDAP server
02/17/15 13:18:20: Deferring password change for ADSERVER$
02/17/15 13:18:20: Backing off for 256000ms
The credentials are definitely correct and IPA is set up to do LDAPS as, on
the same AD server, I can connect and bind using ldp.exe with the same
settings/credentials and I'm able to browse the LDAP tree. I've done a
wireshark capture and it looks like it's failing in the TLS negotiation. I
can see this entry in the capture:

TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Protocol Version (70)

I added the IPA CA cert to the cert files in the 389 passsynch directory
and I can confirm that as below.

C:\Program Files\389 Directory Password Synchronization>certutil -d . -L
Certificate Nickname Trust
Attributes

SSL,S/MIME,JAR/XPI
IPA CA cert CT,,


When I list that specific certificate, I can see the below in the output.

Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:



Any pointers/ideas?

Thanks in advance,

Hugh