<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><b><span style="font-size: 10pt; font-family: "Arial","sans-serif";"></span></b>Mathisj,<br><br>If I'm not mistaking, in order for the two servers to be able to talk with each other, they need to have certificates signed by Certificate Authorities recognized by the two servers (meaning, the certificates of these root CAs must be installed on the two servers). Even more straightforward is to generate certificate requests for both servers and get them signed by the same root CA.<br><br><br>--- On <b>Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java) <i><math.de.groot@logica.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">From: Groot, Mathijs de (IDT Competence Java) <math.de.groot@logica.com><br>Subject: [Fedora-directory-users] Unable to SSL with Windows
Sync Agreement<br>To: fedora-directory-users@redhat.com<br>Date: Thursday, July 31, 2008, 12:18 PM<br><br><div id="yiv365534948">
<style>
<!--#yiv365534948
_filtered #yiv365534948 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}
#yiv365534948
#yiv365534948 p.MsoNormal, #yiv365534948 li.MsoNormal, #yiv365534948 div.MsoNormal
{margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri", "sans-serif";}
#yiv365534948 a:link, #yiv365534948 span.MsoHyperlink
{color:blue;text-decoration:underline;}
#yiv365534948 a:visited, #yiv365534948 span.MsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
#yiv365534948 span.EmailStyle17
{font-family:"Calibri", "sans-serif";color:windowtext;}
#yiv365534948 .MsoChpDefault
{}
_filtered #yiv365534948 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}
#yiv365534948 div.Section1
{}
-->
</style>
<div class="Section1">
<p class="MsoNormal">Hello everyone,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I can use some help with setting up the Windows Sync.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Ill give some context first, im trying to sync user, groups
and passwords from a Windows 2003 server with Active Directory with a Red Hat
enterprise 5, Red Hat Directory Server 8.0.</p>
<p class="MsoNormal">It is a test environment with where I can access and
configure the servers easily.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But ive got some problems setting a new Windows Sync
Agreement.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">It comes down to the following:</p>
<p class="MsoNormal">I can’t get an SSL connection with the a new Windows
Sync Agreement, from the Red Hat DS to the Windows AD server.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In the Windows Sync Server info screen I get the following
message when clicking on next: </p>
<p class="MsoNormal">"unable to contact Active Directory server,
continue"</p>
<p class="MsoNormal">(Windows Sync Server info screen located In the Directory
Server Console -> Configuration tab -> Replication -> userRoot ->
highlight the database -> Object -> New Windows Sync Agreement -> The
second screen reads Windows Sync Server Info)</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But when I uncheck the checkbox “Using encrypted SSL
connection” the connection works and the Windows AD server is reached.</p>
<p class="MsoNormal">So this concludes (and ive tested) that the Windows Server
and domain is reachable and the Bind DN is valid, and entered values are
correct.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The SSL connection seems to be setup correctly, the checks
(ldapsearch query) described by the fedora manual outputs the correct result.
Following:</p>
<p class="MsoNormal">“</p>
<p class="MsoNormal"><a rel="nofollow" target="_blank" href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
</p>
<p class="MsoNormal">Testing your Configuration</p>
<p class="MsoNormal">Test to make sure you can talk SSL from Fedora Directory to
AD</p>
<p class="MsoNormal">This is how you test to verify that the Windows side SSL is
enabled properly:</p>
<p class="MsoNormal">ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT
Hostname> -p <AD SSL port> -D "<sync manager user>”
-w < sync manager password> -s <scope> -b "<AD
base>" "<filter>"</p>
<p class="MsoNormal">“</p>
<p class="MsoNormal">My ldapsearch query:</p>
<p class="MsoNormal">/usr/lib64/mozldap/dapsearch -Z -P
/etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D
"CN=Administrator,CN=Users,DC=domain,DC=com" -w <pwd> -s base
-b "dc=domain,dc=com" "objectclass=top"</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But strangely enough there is not network traffic at all
when the SSL connection is checked!</p>
<p class="MsoNormal">(when clicking on next and the message "unable to
contact Active Directory server, continue" appears)</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Ive done the following actions to make to monitor it:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">First I’ve disabled SELinux, in case that blocks
something (just for testing).</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">watch the tcp ip traffic with:</p>
<p class="MsoNormal">tcpdump -nn -p port not ssh and ip host <Red Hat IP
number></p>
<p class="MsoNormal">Here I can see that, when I don’t use the SSL
connection, there is traffic towards my Widows AD, but when ive check the SSL
option, there is no traffic at all, nothing.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">As well when I look at the iptables:</p>
<p class="MsoNormal">added an extra line: iptables -I OUTPUT 1 -d <Windows AD
IP number> -j ACCEPT </p>
<p class="MsoNormal">watch -d iptables -L –nv</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I see the same result, traffic when I don’t use the
SSL option and no traffic at all when the SSL option is checked.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">How can I get the message "unable to contact Active
Directory server, continue" when there is no outgoing request from my Red
Hat server.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Ive made certificates at both sides (Windows and Red Hat)
and exported and imported these certificated to the other server.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Please advice on following steps I can take, what the
problem can be and how it is possible that there is no traffic at all.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks in advanced.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Matt</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Arial","sans-serif";">Mathijs
A. de Groot</span></b><span style="font-size: 10pt; font-family: "Arial","sans-serif";"><br>
Consultant - Software Engineer<br>
_________________________________________ </span></p>
<p class="MsoNormal" style=""><b><span style="font-size: 10pt; font-family: "Arial","sans-serif";">Logica</span></b><span style="font-size: 10pt; font-family: "Arial","sans-serif";"> </span><b><span style="font-size: 7pt; font-family: "Arial","sans-serif"; color: rgb(125, 125, 125);">-
Releasing your potential</span></b><span style="font-size: 10pt; font-family: "Arial","sans-serif";"> </span></p>
<p class="MsoNormal" style=""><span style="font-size: 8pt; font-family: "Arial","sans-serif";">George Hintzenweg 89<br>
3068 AX Rotterdam<br>
Postbus 8566<br>
3009 AN Rotterdam<br>
Nederland<br>
T: +31 (0) 10 253 7000<br>
D: +31(0) 70 37 56627<br>
E: </span><a rel="nofollow" target="_blank" href="mailto:math.de.groot@logica.com"><span style="font-size: 8pt; font-family: "Arial","sans-serif"; color: blue;">math.de.groot@logica.com</span></a><span style="font-size: 8pt; font-family: "Arial","sans-serif";"><br>
</span><a rel="nofollow" target="_blank" href="http://www.logica.com/"><span style="font-size: 8pt; font-family: "Arial","sans-serif"; color: blue;">www.logica.com</span></a><span style="font-size: 8pt; font-family: "Arial","sans-serif";"><br>
<br>
</span><span style="color: black;">Logica Nederland B.V.</span><span style="font-size: 8pt; color: navy;"><br>
</span><span style="font-size: 8pt; color: black;">Registered office in
Amstelveen, The Netherlands<br>
Registration Number Chamber of Commerce: 33136004</span><span style="font-size: 8pt; font-family: "Arial","sans-serif";"></span></p>
<p class="MsoNormal"> </p>
</div>
<br clear="all"> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
</div><pre>--<br>Fedora-directory-users mailing list<br>Fedora-directory-users@redhat.com<br>https://www.redhat.com/mailman/listinfo/fedora-directory-users<br></pre></blockquote></td></tr></table><br>