[Fedora-directory-users] AD problem

Wed Nov 22 13:03:29 UTC 2006

A am fairly new to FDS, I am using fedora-ds-1.0.2-1.RHEL4 and my goal 
is to setup a syncronisation against a W2K3 based active directory 
domain controller. I've followed the Howto:SSL to setup SSL on the 
fedora server which works correctly and i've also followed the "Enabling 
SSL with Active Directory" section in Howto:WindowsSync using the TinyCA 
method.

On the AD server I've imported the CA cert and AD server cert i created 
following the instructions in the howto. I've used ldp (running on the 
AD server) to query the AD system using SSL and it works after i create 
a connection on port 636, bind and run a search.

Before complicating matters with PassSync i wanted to try remotely 
querying the server over SSL to see if that works (non-SSL queries work 
fine), so i can be sure that the standard sync agreement between FDS and 
AD will work. I've tried a number of methods, but i always get 
"ldap_bind: Can't contact LDAP server (-1)". On the system i'm making 
queries from, i've installed the my CA cert in /etc/openssl/cacerts and 
configured the following /etc/openldap/ldap.conf with:

TLS_CACERTDIR   /etc/openldap/cacerts/
TLS_REQCERT     allow

I'd be very grateful for some advice, it's driving me nutty... output of 
command below -

ldapsearch -v -b dc=tech -s sub -H ldaps://w2k3virtual01.tech -x -W -LLL 
'(objectclass=user)' -D winsync at tech -d 9
ldap_initialize( ldaps://w2k3virtual01.tech )
ldap_create
ldap_url_parse_ext(ldaps://w2k3virtual01.tech)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3virtual01.tech:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.103.20.50:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: 
/C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
Certificate Authority/emailAddress=sysadmin at quadriga.com, issuer: 
/C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
Certificate Authority/emailAddress=sysadmin at quadriga.com
TLS certificate verification: depth: 0, err: 0, subject: 
/C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=w2k3virtual01.tech, 
issuer: 
/C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
Certificate Authority/emailAddress=sysadmin at quadriga.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential.  Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free.  Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.