Have you tried connecting on port 636 using the FQDN of the directory server rather than the IP address?

Did you export the Windows cert and import it into the Directory Server?

This is how I did it, first on Windows 2000 server then on 2003 server.

My Setup:

Fedora Core 4 Fedora Directory Server 1.0.2 Windows 2000 Server

Install FDS ( or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm -rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2 )

create certificates, etc.. I used this simple script that I wrote: (cd to /opt/fedora-ds/alias) -----------------------------------------------------------------------

echo -n "Creating password and noise file..."

echo "8904859034905834-580943502385430958430958049385" > /opt/fedora-ds/alias/pwdfile.txt echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" > /opt/fedora-ds/alias/noise.txt

echo -n "Creating Databases..."

$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt

echo -n "Generating encryption key..."

$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

echo -n "Generating self-signed certificate..."

$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

echo -n "Generating server certificate.."

$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=hostname.of.fds" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

mv key3.db slapd-host-key3.db

mv cert8.db slapd-host-cert8.db

ln -s slapd-host-key3.db key3.db

ln -s slapd-host-cert8.db cert8.db

echo -n "Setting permissions.."

chown nobody.nobody /opt/fedora-ds/alias/slapd-name*

echo -n "Exporting certificate.."

$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der

echo "Converting certificate.."

openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem

echo "Copying cacert.pem to /etc/openldap/cacerts.."

cp cacert.pem /etc/openldap/cacerts/

echo -n "Enabling SSL in FDS"

echo ""

echo -n "Please enter Manager password..(twice)"

ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif

ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif

---------------------------------------------------------

restart FDS

Test SSL connections and ldapsearch netstat -an | grep 636

Install Active Directory on Windows Server

Install Certificate Services --> Enterprise root CA reboot Enable SSL on AD

1. Install Certificate Services on Windows 2000 Server and an

Enterprise Certificate Authority in the Active Directory Domain. Make sure you install an Enterprise Certificate Authority.

2. Create a Security (Group) Policy to direct Domain Controllers to get an SSL certificate from the Certificate Authority (CA). 1. Open the Active Directory Users and Computers Administrative tool. 2. Under the domain, right-click on Domain Controllers. 3. Select Properties. 4. In the Group Policy tab, click to edit the Default Domain Controllers Policy. 5. Go to Computer Configuration->Windows Settings->Security Settings->Public Key Policies. 6. Right click Automatic Certificate Request Settings. 7. Select New. 8. Select Automatic Certificate Request. 9. Run the wizard. Select the Certificate Template for a Domain Controller. 10. Select your Enterprise Certificate Authority as the CA. Selecting a third-party CA works as well. 11. Complete the wizard. 12. All Domain Controllers now automatically request a certificate from the CA, and support LDAP using SSL on port 636. 3. Retrieve the Certificate Authority Certificate 1. Open a Web browser on the AD machine 2. Go to http://localhost/certsrv/ 3. Select the task Retrieve the CA certificate or certificate revocation list. 4. Click Next. 5. The next page automatically highlights the CA certificate. Click Download CA certificate. 6. A new download window opens. Save the file to the hard drive. Save in DER mode

Copy file to FDS server, convert to PEM format

openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS

certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

check certs ( from /opt/fedora-ds/alias) certutil -L -d . -P slapd-instance

Check ldapsearch from FDS to AD

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user> -w < sync manager password> -s <scope> -b "<AD base>" "<filter>"

Install PassSync on Windows machine. Follow directions from Howto:WindowsSync (certificate creation) restart AD server

Enable Replication in Directory Server Console:

Go to configuration tab --> Replication --> enable changelog --> default Expand Replication, click UserRoot Check "Enable Replica" Single-master

Right Click UserRoot --> Create new windows sync agreement

Up log level in FDS:

dn: cn=config changetype: modify replace: nsslapd-errorlog-level nsslapd-errorlog-level: 8192

ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif

restart FDS

right click win sync agreement --> Initiate Full Sync

check error logs (/opt/fedora/slapd-instance/logs/errors)

In order for users to be created on the Windows side, users must have certain attributes.

e.g. dn: uid=TBird,ou=People, dc=server,dc=com givenName: Tweetie ntUserCreateNewAccount: true objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: ntuser objectClass: posixAccount facsimileTelephoneNumber: 510-555-5555 uid: TBird mail: tbird server com uidNumber: 71209 cn: Tweetie Bird ntUserComment: Tweetie Bird User Account telephoneNumber: 510-555-5555 loginShell: /bin/bash ntUserDomainId: tbird gidNumber: 5000 ntUserDeleteAccount: true gecos: Tweetie Bird homeDirectory: /home/tbird sn: Bird userPassword::

Jeffrey Jamisola wrote:

Yes, Ive already tried to add port 389 and 636 on iptables and restart the iptables service, same error result. Then tried to disable firewall on linux server, same error:

"Can not connect to ldap server in syncPasswords"

Ive use a tool called LdapAdmin.exe to connect to Directory Server PC from Active Directory PC, using credentials below:

Host: 192.36.253.152 Port Number: 389 or 636 User Name: Directory Manager Password: Directory Manager password Base: ou=People,dc=example,dc=com

It successfully connect to the Directory Server. Yet during password sync, it cannot contact the directory server.

Are there some other way?

Jeffrey Jamisola wrote:

Synchronization of users between active directory and directory server is already done. However, I am trying to synchronize password for redhat directory server & windows 2003

active directory.

Installed Password Sync for active directory with the following:

Host Name: 192.36.253.152 Port Number: 389 User Name: Directory Manager Password: Cert Token: Search Base: ou=People,dc=example,dc=com

Checking the password sync log file, found this error:

---

02/09/07 19:18:32 : Ldap bind error in Connect 81:Can't connect to LDAP Server 02/09/07 19:18:32 : Can not connect to ldap server in syncPasswords

Firewall?

---

does anyone know how to solve this problem?

---

*Create and Share your own Video Clip Playlist in minutes at Lycos MIX (_http://mix.lycos.com_ http://mix.lycos.com/?if_Event=MAILmixtagline)*

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users