Hi Sebastian,
Thanks for your suggestion.
I'm assuming that when the CA is trusted for Server and Client
certificates (CT), the server certificates signed by that CA are automatically
trusted as peers as well.
I have made the trust changes to the certificates and imported the
third Windows certificate as well. My (clean installed) Windows Server has
three certificates; the last one added is the domain certificate. The CA and
Server certificates should be sufficient according to the manual.
Red Hat Directory Server (gemeente.grep):

# certutil -L -d .

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                             CTu,u,u
gemeente_ds_server_cert                         u,u,u
parijs_ca_cert                                  CT,,
parijs_domain_cert                              P,P,P
parijs_server_cert                              P,P,P
Windows Active Directory (parijs.gem), unchanged:

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                                 CT,C,C
rhds_ds_server_cert                             Pu,Pu,Pu
In the meantime, I've run some extra tests to check the connectivity
between the Red Hat and Windows Server, but all of the following tests output
the expected result of the query.
These search queries are executed from the Red Hat Directory
Server.
# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db \
    -h adsync.parijs.gem -p 636 \
    -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> \
    -s base -b "dc=parijs,dc=gem" "objectclass=top"

# /usr/lib64/mozldap/ldapsearch -x -ZZ -b 'dc=gemeente,dc=grep' \
    -D "cn=Directory Manager" -w <pwd> '(objectclass=*)'

# /usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b 'dc=parijs,dc=gem' \
    -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> '(objectclass=*)'
But there are still no outgoing TCP/IP packets from the Red Hat
Directory Server when the new Windows Sync Agreement is configured,
and the message is shown that the Red Hat server is unable to contact the Active
Directory server.

Problem summary:
I can't get an SSL connection with a new
Windows Sync Agreement from the Red Hat DS to the Windows AD server.
ldapsearch queries over SSL seem to work fine, but
strangely enough there is no network traffic at all when the SSL
connection is checked
(when clicking on Next and the message "unable to contact
Active Directory server, continue" appears). See the emails below for more
information.
Does anyone have a suggestion on how to troubleshoot this problem?
Mathijs de Groot
From: Sebastian Tabarce [mailto:blue_moon_ro@yahoo.com]
Sent: Thursday 7 August 2008 20:23
To: Groot, Mathijs de (IDT Competence Java)
Subject: RE: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
Hi Mathijs,

From: Groot, Mathijs de (IDT Competence Java) <math.de.groot@logica.com>

Hi Sebastian,
Thanks for your reply. We've created the CA and Server certificates on Red Hat
Directory Server (as described in:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html)
and created a server certificate on the Windows Server
(http://support.microsoft.com/kb/931351). The CA and Server certificates are
exchanged between both Servers and are trusted, as the certutil output shows:

On the Red Hat Directory (rhds.grep):

# certutil -L -d .

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                                 CTu,u,u
parijs_server_cert                              ,,
rhds_server_cert                                u,u,u
parijs_ca_cert                                  CT,,

On the Windows Active Directory (parijs.gem):

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                                 CT,C,C
rhds_ds_server_cert                             Pu,Pu,Pu

And the ldapsearch from the command line of the Red Hat server over SSL works
with the use of the certificate database; the following command returns
entries of the Windows Active Directory:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db \
    -h adsync.parijs.gem -p 636 \
    -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w - \
    -s base -b "dc=parijs,dc=gem" "objectclass=top"

Note that I'm using a Red Hat Enterprise 64-bit version and a Windows 2003
32-bit.

Do you have any suggestions why there are no outgoing TCP/IP packets
from the Red Hat Directory Server when the new Windows Sync
Agreement is configured and the message is shown that the Red Hat server is
unable to contact the Active Directory server?

Mathijs

From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Sebastian
Tabarce
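The certutil trust attributes quoted in this thread are what decide whether NSS will accept the other side's server certificate at all, so they are the first thing to audit before chasing the connection itself. The script below is an added example, not code from the thread or from Red Hat Directory Server: it parses both `certutil -L -d .` listing formats shown in the mails (the headed Linux form and the bare Windows form), decodes the SSL column of each entry, and reports whether the flags alone would let a given server certificate through. The nicknames and flag strings are copied from the mails; the function names and the reason text are my own.

```python
import re

# Constructed sample input: the two `certutil -L -d .` listings quoted in the
# mails above, embedded here so the script runs offline.
RHDS_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                             CTu,u,u
gemeente_ds_server_cert                         u,u,u
parijs_ca_cert                                  CT,,
parijs_domain_cert                              P,P,P
parijs_server_cert                              P,P,P
"""

WINDOWS_LISTING = """\
rhds_ds_ca_cert CT,C,C
rhds_ds_server_cert Pu,Pu,Pu
"""

# Trust attribute letters certutil uses: p/P valid/trusted peer, c/C valid/
# trusted CA for server certs, T trusted CA for client certs, u user cert
# (private key present), w send warning.
TRUST_LETTERS = "pPcCTuw"
TRUST_RE = re.compile(
    r"^(?P<nick>\S+)\s+(?P<ssl>[%s]*),(?P<smime>[%s]*),(?P<jar>[%s]*)\s*$"
    % (TRUST_LETTERS, TRUST_LETTERS, TRUST_LETTERS)
)


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings from a certutil -L listing.

    The header lines ("Certificate Nickname ...", "SSL,S/MIME,JAR/XPI") and
    blank lines never match the three-column flag pattern, so they are skipped.
    """
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = (m.group("ssl"), m.group("smime"), m.group("jar"))
    return certs


def ssl_trust_summary(flags):
    """Decode the SSL column (first of the three) of one certificate's flags."""
    ssl = flags[0]
    return {
        "ca_for_server_certs": "C" in ssl,  # trusted CA to issue server certs
        "ca_for_client_certs": "T" in ssl,  # trusted CA to issue client certs
        "trusted_peer": "P" in ssl,         # this leaf is trusted directly
        "has_private_key": "u" in ssl,      # our own cert; key lives in key db
    }


def server_cert_acceptable(certs, ca_nick, server_nick):
    """Return (ok, reason): do the trust flags alone allow server_nick as a TLS server cert?

    A 'P' on the leaf is sufficient by itself. Otherwise the issuing CA needs 'C'
    in its SSL column. The flags cannot show that the leaf really chains to
    ca_nick, that its name matches the host, or that it is unexpired, so
    ok=True only means "trust settings are not the blocker".
    """
    if server_nick not in certs:
        return False, "%s is not in the database" % server_nick
    if ssl_trust_summary(certs[server_nick])["trusted_peer"]:
        return True, "%s is an explicitly trusted peer (P)" % server_nick
    if ca_nick not in certs:
        return False, "%s is not in the database and %s is not a trusted peer" % (ca_nick, server_nick)
    if ssl_trust_summary(certs[ca_nick])["ca_for_server_certs"]:
        return True, "%s is trusted to issue server certs (C); the chain must still validate" % ca_nick
    return False, "%s lacks C in its SSL column and %s lacks P" % (ca_nick, server_nick)


def audit(listing_text, ca_nick, server_nick):
    """Parse one listing and judge one CA/leaf pair in it."""
    return server_cert_acceptable(parse_certutil_listing(listing_text), ca_nick, server_nick)


if __name__ == "__main__":
    for label, listing, ca, leaf in (
        ("RHDS side", RHDS_LISTING, "parijs_ca_cert", "parijs_server_cert"),
        ("Windows side", WINDOWS_LISTING, "rhds_ds_ca_cert", "rhds_ds_server_cert"),
    ):
        print(label, audit(listing, ca, leaf))
```

Run against the two listings from the mails, both sides come back as acceptable, which matches the observation that ldapsearch over SSL succeeds from the command line. That is also the useful negative result: when the trust audit passes yet a packet capture shows nothing leaving the directory server at all, the failure happens before any TLS handshake, so the next place to look is how the sync agreement itself resolves and opens the connection rather than the certificate database.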