Hello Andre,
It seems your certificates are not set up correctly. You should have the
same CA certificate in the database in both FDS and AD. Also, the server
certs in each database should be issued by the same certificate authority.
It is convenient to use the Certificate Authority included with recent
Microsoft Windows servers to create a CA certificate to import into both
databases. You can then create server certificates using the MSCA and import
them into their respective databases.
You may also need to import the server certificate from FDS into the database
on AD and vice-versa. Once this is done, you should review and possibly
modify the trust attributes on all the certs. As you can see from my
examples, I used a scatter-gun approach.
You will need to use certutil for all import and modify operations on the
certificate databases. "certutil -H" gives a nice reference.
Examples:
sibelius=FD
boccherini=AD
TWCA=CA
[root@sibelius alias]# ./certutil -L -d . -P slapd-sibelius-
TWCA CT,c,c
boccherini P,P,P
server-cert CTu,cu,cu
C:\Program Files\RHD Password Sync>certutil -L -d .
TWCA CT,C,C
server-cert Pu,Pu,Pu
boccherini P,P,P
Remember to restart FDS and PassSync after making changes. Also, note that
although it is rumored that the FDS bind user for replication can be created
by the administrator, no one has explained in detail how to make it work.
You might use cn=Directory Manager for your bind user who will bind to the
FDS for replication, at least while testing.
The "fine" manual is here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html
Hope this helps. -G.
---------- Original Message -----------
From: André Luís Lopes <andrelop(a)aw2net.com.br>
To: fedora-directory-users(a)redhat.com
Sent: Fri, 18 May 2007 09:43:39 -0300
Subject: [Fedora-directory-users] Windows Sync using SSL : Peer's Certificate issuer is not recognized
Hello,
First of all, I would like to tell you all that this is my
very first message to this mailing list so please be patient with me
for a while and sorry for the possibly dull questions.
Also, it's important to let you guys know that I already learnt
a lot only by searching the list archives. Thanks :-) I tried each
and every bit I found online (be it by reading the enormous amount
of documentation under
http://directory.fedoraproject.org/ or by
reading the mailing list archives) and couldn't get Windows Sync
using SSL to work yet.
What I have now :
1) Fedora Directory Server 1.0.4 running under a Red Hat Enterprise
Linux 4 Advanced Server Update 5, installed from the
fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm package. This host is named
fds.aw2.local.
2) Windows Server 2003 Enterprise Edition running a local Active
Directory set up only for testing. This host is named adserver.aw2.local.
I already installed PassSync (from
http://directory.fedoraproject.org/download/PassSync-20060330.msi)
in the Windows Server 2003 and already have it configured to use the
following information :
Host name : fds.aw2.local
Port number : 636
User name : uid=replication, cn=config
Password : 123456
Cert Token : 123456
Search base : dc=aw2, dc=local
uid=replication is a user I added to FDS, under cn=config. Cert
token is the correct certificate token and search base is the
correct search base as well.
I can create a Windows Sync Agreement and have it doing
synchronization both from AD to FDS and from FDS to AD, but only
when using a non-SSL connection. But, in this case, as you all know,
I don't get users' passwords synchronized.
I think I got both AD and FDS SSL setup right as I can use
"Active Directory Administration Tool (ldp.exe)" to connect to AD on
port 636 (SSL) correctly and I can use an ldapsearch from the FDS machine to
the FDS directory using SSL correctly as well.
The only problem I'm getting is whenever I try to set up a
Windows Sync Agreement using SSL I get the following error message
on my FDS LDAP error log (/opt/fedora-ds/slapd-fds/logs/error, in my
case) :
[18/May/2007:08:52:40 -0300] NSMMReplicationPlugin - agmt="cn=sync"
(adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact
LDAP server), Netscape Portable Runtime error -8179 (Peer's
Certificate issuer is not recognized.)
I have the following configured regarding certificates in the AD
host ("certutil.exe -d . -L" output running from
C:\Program Files\Red Hat Directory Password Synchronization\) :
CA certificate CT,C,C
Server-Cert Pu,Pu,Pu
Isn't this certificate database the one which is being used when
a Windows Sync Agreement is set up ? Anyway, I already also tried
the following :
1) Import the FDS certificate using :
cd /opt/fedora-ds/alias
/opt/fedora-ds/shared/bin/pk12util -d . -P slapd-fds- -o servercert.pfx -n Server-Cert
2) Import it into AD certificate snap-in in Windows Microsoft
Management Console and reboot.
No luck with this also. I have read and re-read every single bit
of documentation I could find about the topic and I have no problem
reading more if you guys ask me to RTFM. Just point me to the "fine"
manual :-)
Regards,
--
André Luís Lopes
andrelop(a)aw2net.com.br
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------
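The following is an added example, not code from either message in this thread. It covers both the trust-flag layout shown in the reply's certutil listings and the -8179 "Peer's Certificate issuer is not recognized" error in the original post: it reads a certutil -L style listing, decides whether FDS would accept the AD peer (the CA carries C in the SSL slot, or the peer cert itself carries P), and prints the certutil commands that would fix a database where the CA was imported but never trusted. The listings, nicknames (TWCA, boccherini) and file names are constructed; the certutil -A, -M and -V invocations use real flags but are printed rather than executed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Check an NSS certificate database listing
# for the trust flags Windows Sync over SSL needs, and print the certutil
# commands that would establish them. Listings, nicknames and files are constructed.
#
# certutil -L prints one line per cert: "<nickname> <SSL>,<EMAIL>,<OBJSIGN>".
# SSL slot letters: C = trusted CA for server certs, T = trusted CA for client
# certs, P = trusted peer, u = we hold the private key, c = valid but untrusted CA.
# NSPR -8179 on the FDS side means neither the peer's issuer had C nor the peer
# cert itself had P in the slapd database.

# Constructed listing modelled on the FDS side of the reply (slapd-sibelius-).
GOOD_LISTING='TWCA CT,c,c
boccherini P,P,P
server-cert CTu,cu,cu'

# Constructed listing of a database where the CA was imported but never trusted.
BAD_LISTING='TWCA c,c,c
server-cert u,u,u'

# ssl_flags NICK LISTING: print the SSL trust column for NICK (empty if absent).
ssl_flags() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { split($2, f, ","); print f[1] }'
}

# has_flag FLAGS LETTER: succeed when FLAGS contains LETTER.
has_flag() {
  case "$1" in *"$2"*) return 0 ;; esac
  return 1
}

# peer_trusted LISTING PEER_NICK CA_NICK: succeed when a TLS handshake with the
# peer would pass issuer checks: the CA carries C, or the peer cert carries P.
peer_trusted() {
  ca_f=$(ssl_flags "$3" "$1")
  peer_f=$(ssl_flags "$2" "$1")
  has_flag "$ca_f" C || has_flag "$peer_f" P
}

# Command builders (printed, not run). DBDIR is the NSS directory, PREFIX the db
# prefix ("slapd-<instance>-" for FDS; the PassSync db in the reply has none).
ca_import_cmd() {   # ca_import_cmd DBDIR PREFIX NICK PEMFILE
  printf 'certutil -A -d %s -P "%s" -n %s -t "CT,C,C" -i %s\n' "$1" "$2" "$3" "$4"
}
peer_import_cmd() { # peer_import_cmd DBDIR PREFIX NICK PEMFILE
  printf 'certutil -A -d %s -P "%s" -n %s -t "P,P,P" -i %s\n' "$1" "$2" "$3" "$4"
}
fix_trust_cmd() {   # fix_trust_cmd DBDIR PREFIX NICK: re-mark an imported CA as trusted
  printf 'certutil -M -d %s -P "%s" -n %s -t "CT,C,C"\n' "$1" "$2" "$3"
}
verify_cmd() {      # verify_cmd DBDIR PREFIX NICK: confirm NICK validates as SSL server
  printf 'certutil -V -d %s -P "%s" -n %s -u V\n' "$1" "$2" "$3"
}

# Dry run over both constructed listings; the FDS alias path is from the thread.
for lst in "$GOOD_LISTING" "$BAD_LISTING"; do
  if peer_trusted "$lst" boccherini TWCA; then
    echo "ok: boccherini's issuer is trusted in this database"
  else
    echo "not trusted (expect -8179 on bind); commands that would fix it:"
    fix_trust_cmd /opt/fedora-ds/alias slapd-sibelius- TWCA
    peer_import_cmd /opt/fedora-ds/alias slapd-sibelius- boccherini boccherini.pem
    verify_cmd /opt/fedora-ds/alias slapd-sibelius- boccherini
  fi
done
```

The same check applies in the other direction: run it over the PassSync database listing with server-cert as the peer and the CA nickname used there, since the AD side must recognise the FDS issuer too. Remember the reply's note to restart FDS and PassSync after changing trust flags, as both cache the database at startup.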