Hello,
Just to explain why I'm confused: I saw this line in the Red Hat procedure: "Import the CA certificate from Directory Server into Active Directory. Click *Trusted Root CA*, then *Import*, and browse for the Directory Server CA certificate."
and this one on a website: "#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n Server-Cert"
So I checked, and I don't have any "servercert.p12" in my directory server (/etc/dirsrv/slapd-389/).
I'm going to install the Password Sync on my Domain Controller, hope it works ;)
Thanks to the community.
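The export step this thread keeps circling back to, as an added example (not code from the thread, the Red Hat documentation, or the 389 DS project): the pk12util line quoted above produces a PKCS#12 bundle of Server-Cert *and its private key*, which PassSync does not need and which should not leave the DS host. What PassSync needs is the public certificate of the CA that issued Server-Cert, in PEM form, installed with certutil into PassSync's own NSS database rather than into the Windows Trusted Root store. The script assumes the NSS database directory and the Server-Cert nickname named in the thread, finds the CA entry from its trust flags instead of assuming a nickname, and checks that Server-Cert actually validates against that CA before you copy anything to the domain controller. The PassSync install path in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or the 389 DS project. Assumes the
# DS NSS database directory from the thread (/etc/dirsrv/slapd-389) and the
# server cert nickname "Server-Cert"; the CA nickname is discovered from the
# trust flags rather than assumed.

DS_DB="${DS_DB:-/etc/dirsrv/slapd-389}"
SERVER_NICK="${SERVER_NICK:-Server-Cert}"
OUT_PEM="${OUT_PEM:-./ds-ca.pem}"

# Read a `certutil -L` listing on stdin and print the nicknames whose SSL trust
# column carries "C", i.e. entries the DB trusts as a CA for server certs.
# "u,u,u" (a cert that has its own private key, like Server-Cert) is skipped.
pick_ca_nicknames() {
    awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, trust, ",")
            if (trust[1] ~ /C/) {
                nick = $0
                sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "", nick)
                print nick
            }
        }'
}

# Export the public CA certificate only, as PEM. No private key leaves the host;
# contrast with "pk12util -o servercert.p12", which bundles the cert AND its key.
export_ca_pem() {
    certutil -d "$DS_DB" -L -n "$1" -a
}

# Check that the server cert validates as an SSL server cert ("-u V") against
# the CAs held in the same DB; exit status 0 means the chain is complete.
verify_server_cert() {
    certutil -d "$DS_DB" -V -n "$SERVER_NICK" -u V >/dev/null 2>&1
}

# Constructed sample of `certutil -L` output, used when no real DB is present.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CA certificate                                CT,,
Server-Cert                                   u,u,u
Some Untrusted Entry                          ,,
'

if command -v certutil >/dev/null 2>&1 && [ -d "$DS_DB" ]; then
    ca_nick=$(certutil -d "$DS_DB" -L | pick_ca_nicknames | head -n 1)
    if [ -z "$ca_nick" ]; then
        echo "no CA-trusted entry found in $DS_DB" >&2
    else
        export_ca_pem "$ca_nick" > "$OUT_PEM"
        echo "exported '$ca_nick' to $OUT_PEM"
        if verify_server_cert; then
            echo "$SERVER_NICK validates against a CA in $DS_DB"
        else
            echo "WARNING: $SERVER_NICK does not validate; the exported CA may be the wrong one" >&2
        fi
        # On the PassSync host the PEM goes into PassSync's own NSS DB (placeholder
        # path; see the PassSync documentation), not into the Windows Trusted Root store:
        #   certutil -d "<PassSync install dir>" -A -n "$ca_nick" -t "CT,," -a -i ds-ca.pem
    fi
else
    echo "certutil or $DS_DB not available; dry run on a constructed listing:"
    printf '%s' "$SAMPLE_LISTING" | pick_ca_nicknames
fi
```

Run it on the DS host as a user that can read the NSS database. If verify_server_cert fails, the CA you are about to export is not the one that issued Server-Cert (for instance an old CA entry left in the database), and installing it on the PassSync side will not make the TLS connection validate.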
2013/3/27 alexandre axel0felix@gmail.com
Yes, you're right, I was speaking about my domain controller (it automatically has it in the Trusted Root Certification Authorities)... And I made a web enrollment request from my 389ds and installed the CA cert on my 389ds...
Thanks
On 27 March 2013 17:51, "Rich Megginson" rmeggins@redhat.com wrote:
On 03/27/2013 10:32 AM, alexandre wrote:
My CA is on my domain controller.
Then it is not going to be in the list of "Trusted Root Certification Authorities" on the 389 machine unless you install it.
On 27 March 2013 17:11, "Rich Megginson" rmeggins@redhat.com wrote:
On 03/27/2013 10:07 AM, alexandre wrote:
Ok, now I know where my confusion comes from. So just to check, in my case the CA cert that issued the 389DS server cert is automatically in my "Trusted Root Certification Authorities" because my authority is on my domain controller!?
I don't know. What is the CA?
Thanks ! Alex
2013/3/27 Rich Megginson rmeggins@redhat.com
On 03/27/2013 09:53 AM, alexandre wrote:
Yes I understand that.
To sum up, I have a server cert and a CA cert in my 389DS. I have a CA cert in my Active Directory.
So I need the server cert in my AD!?
No. AD only needs the CA cert of the CA that issued the 389DS server cert.
I don't really understand "But you must generate cert for DS on AD CA". If I made a request by web enrollment from my 389DS and installed it on my 389DS, is it fine like that?
Yes. But PassSync doesn't use the Windows/AD Trusted Cert store, so you still have to export that CA cert and install it using certutil, as described in the documentation for setting up PassSync.
Thanks a lot ! Alex
2013/3/27 Grzegorz Dwornicki gd1100@gmail.com
Yes, and that button allows you to install the server cert (again, in your case generated on the AD CA). The CA tab allows you to install the CA cert.
Greg.
On 27 Mar 2013 16:33, "alexandre" axel0felix@gmail.com wrote:
Sorry, my screen capture is not in the mail; it's point 12.2.1.
4.c. Go to the *CA Certs* tab, and click *Install* at the bottom of the window. At this link: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
Thanks
2013/3/27 alexandre axel0felix@gmail.com
> Thanks for the new link!
>
> @Rich Megginson "It's not the 389DS server certificate, but the CA certificate for the CA that issued the 389DS server certificate, that you need for PassSync"
>
> @Grzegorz Dwornicki "But you must generate cert for DS on AD CA. Then you need to import this cert with AD CA cert on DS"
>
> Sorry, I don't understand "CA certificate for the CA that issued the 389DS server certificate". Do I have to export this one below to the AD? (it's empty on this capture, but with the CA certificate on my directory server):
>
> @Grzegorz Dwornicki --> do you have a procedure to do that? I don't find it in the Red Hat documentation. (When you say AD CA, do you consider that AD CA = the Authority installed on my AD?)
>
> Many thanks for your answers, and for your patience about my translation problems.
>
> Best regards,
> Alex
>
> 2013/3/27 Grzegorz Dwornicki gd1100@gmail.com
>
>> I had misunderstood you in this case. No, you don't need to create a second CA. But you must generate a cert for DS on the AD CA. Then you need to import this cert with the AD CA cert on DS.
>>
>> Greg.
>> On 27 Mar 2013 15:41, "alexandre" axel0felix@gmail.com wrote:
>>
>>> I'm really impressed by the reactivity of this list!!!
>>>
>>> Sorry, my understanding is not perfect because I'm French. So, I don't have any CA in my DS; I have one CA (installed on my domain controller).
>>>
>>> Do I need to install a CA in my DS? (When I write CA, for me it means an Authority.)
>>>
>>> Alex
>>>
>>> 2013/3/27 Grzegorz Dwornicki gd1100@gmail.com
>>>
>>>> If you have a different CA in AD vs DS then you need to do this import.
>>>>
>>>> AD by default doesn't use LDAPS or STARTSSL, so you need to install the MS cert CA stuff.
>>>>
>>>> Greg.
>>>> On 27 Mar 2013 15:07, "alexandre" axel0felix@gmail.com wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to follow this procedure:
>>>>>
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/...
>>>>>
>>>>> Everything works fine, except I don't quite understand this line:
>>>>>
>>>>> "Import the CA certificate from Directory Server into Active Directory. Click *Trusted Root CA*, then *Import*, and browse for the Directory Server CA certificate."
>>>>>
>>>>> For me a CA certificate is a certificate from the Authority, so in my Active Directory the certificate from the authority is already known in the Trusted Root CA.
>>>>>
>>>>> So, do I need to import the 389DS server certificate into my Active Directory?
>>>>>
>>>>> And finally, there is no indication of how to do that; can someone help me get through it?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Best regards,
>>>>> Alex
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users@lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users