Hi Sebastian,
Thanks for your reply.
We've created the CA and server certificates on Red Hat Directory Server (as described in http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html) and created a server certificate on the Windows server (http://support.microsoft.com/kb/931351).

The CA and server certificates have been exchanged between both servers and are trusted, as the certutil output shows:
On the Red Hat Directory (rhds.grep):

# certutil -L -d .

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                      CTu,u,u
parijs_server_cert                   ,,
rhds_server_cert                     u,u,u
parijs_ca_cert                       CT,,
On the Windows Active Directory (parijs.gem):

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                      CT,C,C
rhds_ds_server_cert                  Pu,Pu,Pu
And ldapsearch from the Red Hat server's command line over SSL works using the certificate database; the following command returns entries from the Windows Active Directory:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w - -s base -b "dc=parijs,dc=gem" "objectclass=top"
Note that I'm using a 64-bit Red Hat Enterprise version and a 32-bit Windows 2003.

Do you have any suggestions why there are no outgoing TCP/IP packets from the Red Hat Directory Server when the new Windows Sync Agreement is configured and the message is shown that the Red Hat server is unable to contact the Active Directory server?
Mathijs.
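One way to check certutil trust listings like the two above against what an LDAPS client needs before touching the sync agreement (added example, not code from the thread or from Red Hat; the sample listings are re-typed from the two outputs above, the trust-letter meanings are certutil's own, and the function names are my choice):

```python
"""Parse certutil -L trust listings and check the flag an LDAPS client needs.
Added example, not code from the thread; listings are re-typed from the mail."""
import re

# What certutil's trust letters mean, per column (SSL, S/MIME, JAR/XPI).
TRUST_LETTERS = {"C": "trusted CA for server certs", "T": "trusted CA for client certs",
                 "c": "valid CA, not trusted", "P": "trusted peer",
                 "p": "valid peer, not trusted", "u": "own cert, private key present"}

# nickname, whitespace, then three comma-separated flag groups (each may be empty)
LINE_RE = re.compile(r"^(\S.*?)\s+([CTcPpu]*,[CTcPpu]*,[CTcPpu]*)$")

def parse_listing(text):
    """Return {nickname: (ssl, smime, jar)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            certs[m.group(1)] = tuple(m.group(2).split(","))
    return certs

def ssl_roles(flags):
    """Human-readable roles granted by one SSL-column flag string."""
    return [TRUST_LETTERS[c] for c in flags if c in TRUST_LETTERS]

def check_client_trust(certs, peer_ca):
    """Findings for a DB used as an LDAPS client: the peer's CA must be
    present with 'C' in the SSL column, otherwise the handshake fails."""
    if peer_ca not in certs:
        return [f"{peer_ca}: not in database"]
    ssl = certs[peer_ca][0]
    if "C" not in ssl:
        return [f"{peer_ca}: SSL trust '{ssl}' lacks C, CA not trusted"]
    return []

# Constructed from the two listings quoted in the mail above.
RHDS_LISTING = """
Certificate Nickname         Trust Attributes
                             SSL,S/MIME,JAR/XPI
rhds_ds_ca_cert              CTu,u,u
parijs_server_cert           ,,
rhds_server_cert             u,u,u
parijs_ca_cert               CT,,
"""
AD_LISTING = "rhds_ds_ca_cert  CT,C,C\nrhds_ds_server_cert  Pu,Pu,Pu\n"
if __name__ == "__main__":
    for side, text, ca in (("rhds", RHDS_LISTING, "parijs_ca_cert"),
                           ("parijs", AD_LISTING, "rhds_ds_ca_cert")):
        print(side, check_client_trust(parse_listing(text), ca) or "peer CA trusted")
```

Both databases in the thread pass this check, which is consistent with the working ldapsearch test; the missing traffic on the agreement screen is therefore not explained by the trust flags alone.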
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Sebastian Tabarce
Sent: Thursday 7 August 2008 15:03
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
Mathijs,

From: Groot, Mathijs de (IDT Competence Java) <math.de.groot@logica.com>

Hello everyone,

I can use some help with setting up the Windows Sync. I'll give some context first: I'm trying to sync users, groups and passwords from a Windows 2003 server with Active Directory to a Red Hat Enterprise 5 server running Red Hat Directory Server 8.0. It is a test environment where I can access and configure the servers easily. But I've got some problems setting up a new Windows Sync Agreement.

It comes down to the following: I can't get an SSL connection with a new Windows Sync Agreement from the Red Hat DS to the Windows AD server. In the Windows Sync Server Info screen I get the following message when clicking on Next: "unable to contact Active Directory server, continue" (the Windows Sync Server Info screen is located in the Directory Server Console -> Configuration tab -> Replication -> userRoot -> highlight the database -> Object -> New Windows Sync Agreement -> the second screen reads Windows Sync Server Info).

But when I uncheck the checkbox "Using encrypted SSL connection" the connection works and the Windows AD server is reached. So this concludes (and I've tested) that the Windows server and domain are reachable, the Bind DN is valid, and the entered values are correct. The SSL connection seems to be set up correctly; the checks (ldapsearch query) described by the Fedora manual output the correct result. Following http://directory.fedoraproject.org/wiki/Howto:WindowsSync:

"Testing your Configuration
Test to make sure you can talk SSL from Fedora Directory to AD. This is how you test to verify that the Windows side SSL is enabled properly:
ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>" -w <sync manager password> -s <scope> -b "<AD base>" "<filter>""

My ldapsearch query:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D "CN=Administrator,CN=Users,DC=domain,DC=com" -w <pwd> -s base -b "dc=domain,dc=com" "objectclass=top"

But strangely enough there is no network traffic at all when the SSL connection is checked! (when clicking on Next and the message "unable to contact Active Directory server, continue" appears)

I've done the following actions to monitor it:

First I've disabled SELinux, in case that blocks something (just for testing).

Watch the TCP/IP traffic with:

tcpdump -nn -p port not ssh and ip host <Red Hat IP number>

Here I can see that, when I don't use the SSL connection, there is traffic towards my Windows AD, but when I've checked the SSL option, there is no traffic at all, nothing.

As well, when I look at the iptables, I added an extra line:

iptables -I OUTPUT 1 -d <Windows AD IP number> -j ACCEPT
watch -d iptables -L -nv

I see the same result: traffic when I don't use the SSL option and no traffic at all when the SSL option is checked.

How can I get the message "unable to contact Active Directory server, continue" when there is no outgoing request from my Red Hat server? I've made certificates on both sides (Windows and Red Hat) and exported and imported these certificates to the other server.

Please advise on the following steps I can take, what the problem can be, and how it is possible that there is no traffic at all.

Thanks in advance.

Matt

Mathijs A. de Groot
Logica - Releasing your potential
George Hintzenweg 89