[Fedora-directory-users] PassSync setup still not working

Jeff Gamsby JFGamsby at lbl.gov
Thu Jun 8 00:50:08 UTC 2006


Thanks. Yes, I understand that.

From what I understand, the FDS (client, certutil db) is trying to talk to
the AD (server, Microsoft CA) and the PassSync cert db just has the
trusted FDS server certs (for synchronization).

Do I need to import the FDS server certs into AD, or export the AD certs
into the FDS server?

Thanks again for your help.

>
> One thing to note, in case it isn't already clear :
>
> The SSL connection setup between FDS and AD is entirely
> orthogonal to the SSL connection from PassSync running on  Win2k
> and FDS.
>
>  From your e-mail it isn't clear to me that you're aware of this.
>
> e.g. the certutil command you're running on Windows will relate
> only to the certs that PassSync will use to contact FDS. That has
> nothing to do with the SSL connection from FDS to AD
> (which will use the certs configured in FDS on one end,
> and the cert configuration in AD on the Windows end --
> entirely separate from the aforementioned PassSync
> cert config).
>
>
> Jeff Gamsby wrote:
>
>> Please help me, I cannot get this to work. It's driving me crazy.
>>
>> This is what I did:
>>
>> Setup FDS over SSL using certutil.
>>
>> Windows 2000 AD server with "Enterprise Certificate Authority"
>>
>> Can search AD over SSL ( using ldp.exe, people search over ssl, and
>> openldap ldapsearch over ssl -H ldaps://)
>>
>> Installed PassSync ( used FDS host, port 636, FDS Manager account
>> cn=Manager, FDS cert db password, FDS base )
>>
>> Exported FDS certs ( per howto:ssl ) and imported them into AD (
>> certutil databases on windows side )
>>
>> Setup changelog ( default ) and single master replication
>>
>> Setup windows sync agreement ( bind as AD administrator account
>> cn=administrator,cn=users,....)
>>
>> Then I test SSL connection from FDS to AD:
>>
>> ../shared/bin/ldapsearch -X -h ad-host -p 636 -D
>> "cn=administrator,cn=users,... -w - -s base -b "" "objectclass=*"
>>
>> ldap_init( ad.server.xxx.xxx, 636 )
>> ldaptool_getcertpath -- .
>> ldaptool_getkeypath -- .
>> ldaptool_getmodpath -- (null)
>> ldaptool_getdonglefilename -- (null)
>> ldap_simple_bind: Can't contact LDAP server
>>        SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>
>> OpenLDAP ldapsearch
>> ldapsearch -x -H ldaps://ad-host  works
>>
>> On Windows Machine:
>> certutil -L -d .
>> CA certificate    CT,C,C
>> Server-Cert       Pu,Pu,Pu
>>
>> On FDS server (FC4):
>> # ../shared/bin/certutil -L -d .
>> CA certificate                                               CTu,u,u
>> Server-Cert                                                  u,u,u
>>
>> I have no idea what to try next. Please help
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>