[Fedora-directory-users] AD problem

Nicholas Byrne nicholas.byrne at quadriga.com
Wed Nov 22 18:48:38 UTC 2006


Just for the record, I still haven't got a command line query to work 
against AD over SSL/port 636; however, the good news is that I used the 
"New Windows Sync Agreement" in FDS and successfully synchronised over 
SSL and port 636 with a Windows 2003 Active Directory server.

Now for password sync!

Nick

Nicholas Byrne wrote:
> I also attempted to use the ldp utility on another PC running Windows 
> XP to query the AD server using ldaps. But no luck here either. Since 
> I can connect using the ldp util when it is running on the AD server over 
> SSL port 636, something must be stopping remote queries on that port. 
> Any ideas?
>
> Thanks
> Nick
>
> Nicholas Byrne wrote:
>> I am fairly new to FDS. I am using fedora-ds-1.0.2-1.RHEL4 and my 
>> goal is to set up a synchronisation against a W2K3 based Active 
>> Directory domain controller. I've followed the Howto:SSL to set up SSL 
>> on the Fedora server, which works correctly, and I've also followed the 
>> "Enabling SSL with Active Directory" section in Howto:WindowsSync 
>> using the TinyCA method.
>>
>> On the AD server I've imported the CA cert and AD server cert I 
>> created following the instructions in the howto. I've used ldp 
>> (running on the AD server) to query the AD system using SSL, and it 
>> works after I create a connection on port 636, bind and run a search.
>>
>> Before complicating matters with PassSync I wanted to try remotely 
>> querying the server over SSL to see if that works (non-SSL queries 
>> work fine), so I can be sure that the standard sync agreement between 
>> FDS and AD will work. I've tried a number of methods, but I always 
>> get "ldap_bind: Can't contact LDAP server (-1)". On the system I'm 
>> making queries from, I've installed my CA cert in 
>> /etc/openssl/cacerts and configured the following in 
>> /etc/openldap/ldap.conf:
>>
>> TLS_CACERTDIR   /etc/openldap/cacerts/
>> TLS_REQCERT     allow
>>
>> I'd be very grateful for some advice, it's driving me nutty... output 
>> of the command below:
>>
>> ldapsearch -v -b dc=tech -s sub -H ldaps://w2k3virtual01.tech -x -W 
>> -LLL '(objectclass=user)' -D winsync at tech -d 9
>> ldap_initialize( ldaps://w2k3virtual01.tech )
>> ldap_create
>> ldap_url_parse_ext(ldaps://w2k3virtual01.tech)
>> Enter LDAP Password:
>> ldap_bind
>> ldap_simple_bind
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP w2k3virtual01.tech:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.103.20.50:636
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 1, err: 0, subject: 
>> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
>> Certificate Authority/emailAddress=sysadmin at quadriga.com, issuer: 
>> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
>> Certificate Authority/emailAddress=sysadmin at quadriga.com
>> TLS certificate verification: depth: 0, err: 0, subject: 
>> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=w2k3virtual01.tech, 
>> issuer: 
>> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
>> Certificate Authority/emailAddress=sysadmin at quadriga.com
>> TLS trace: SSL_connect:SSLv3 read server certificate A
>> TLS trace: SSL_connect:SSLv3 read server certificate request A
>> TLS trace: SSL_connect:SSLv3 read server done A
>> TLS trace: SSL_connect:SSLv3 write client certificate A
>> TLS trace: SSL_connect:SSLv3 write client key exchange A
>> TLS trace: SSL_connect:SSLv3 write change cipher spec A
>> TLS trace: SSL_connect:SSLv3 write finished A
>> TLS trace: SSL_connect:SSLv3 flush data
>> TLS trace: SSL_connect:failed in SSLv3 read finished A
>> TLS: can't connect.
>> ldap_perror
>> ldap_bind: Can't contact LDAP server (-1)
>>
>>
>>
>>
>> This e-mail is the property of Quadriga Worldwide Ltd, intended for 
>> the addressee only and confidential.  Any dissemination, copying or 
>> distribution of this message or any attachments is strictly prohibited.
>>
>> If you have received this message in error, please notify us 
>> immediately by replying to the message and deleting it from your 
>> computer.
>>
>> Messages sent to and from Quadriga may be monitored.
>>
>> Quadriga cannot guarantee any message delivery method is secure or 
>> error-free.  Information could be intercepted, corrupted, lost, 
>> destroyed, arrive late or incomplete, or contain viruses.
>>
>> We do not accept responsibility for any errors or omissions in this 
>> message and/or attachment that arise as a result of transmission.
>>
>> You should carry out your own virus checks before opening any 
>> attachment.
>>
>> Any views or opinions presented are solely those of the author and do 
>> not necessarily represent those of Quadriga.
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>

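As an added example, not part of this thread and not Fedora DS or OpenLDAP code: a POSIX shell script that reads the TLS part of an `ldapsearch -d 9` trace like the one quoted above, reports the SSL_connect step that failed, whether the client accepted the server's certificate chain, and whether the server asked for a client certificate, and separately checks that a directory given as TLS_CACERTDIR actually holds OpenSSL hash links. The embedded trace is constructed in the same shape as the posted one; the address, host name and CA name in it are placeholders, and `HOST`/`ca.pem` in the printed hint are likewise placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify where an `ldapsearch -d 9`
# LDAPS handshake died, and check that a TLS_CACERTDIR is actually usable.
# The trace below is constructed in the shape of the one posted; the
# address, host and CA names are placeholders, not the poster's.

SAMPLE_TRACE=$(cat <<'EOF'
ldap_connect_to_host: Trying 192.0.2.10:636
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /CN=Example CA, issuer: /CN=Example CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=dc01.example.test, issuer: /CN=Example CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_bind: Can't contact LDAP server (-1)
EOF
)

# Print the SSL_connect step that failed, or nothing if no failure was logged.
tls_failed_step() {
    printf '%s\n' "$1" | sed -n 's/^TLS trace: SSL_connect:failed in //p' | head -n 1
}

# "yes" when every certificate-verification line carries err: 0 (the client
# accepted the server chain); "no" when any depth reported an error or no
# verification line was logged at all.
chain_verified() {
    printf '%s\n' "$1" | awk '
        /^TLS certificate verification:/ { n++; if ($0 !~ /err: 0,/) bad++ }
        END { print (n > 0 && bad == 0) ? "yes" : "no" }'
}

# "yes" when the server sent a CertificateRequest, i.e. it wanted a client cert.
server_requested_client_cert() {
    printf '%s\n' "$1" | grep -q 'read server certificate request' && echo yes || echo no
}

# One-word verdict derived from the failed step and the verification lines.
classify_failure() {
    step=$(tls_failed_step "$1")
    [ -n "$step" ] || { echo ok; return 0; }
    case $step in
        *"read server hello"*)
            # Nothing TLS-shaped came back: wrong port, plain LDAP, or a reset.
            echo no-tls-reply ;;
        *"read server certificate"*)
            echo server-cert-not-received ;;
        *"read finished"*)
            # The client sent its Finished; the server then aborted or went away.
            if [ "$(chain_verified "$1")" = yes ]; then
                echo server-closed-after-client-finished
            else
                echo chain-rejected-then-server-closed
            fi ;;
        *)  echo "other:$step" ;;
    esac
}

# 0 when DIR holds at least one OpenSSL hash link (HHHHHHHH.N). TLS_CACERTDIR
# only finds CAs through such links; a bare .pem copied into the directory is
# not seen until `c_rehash DIR` (or `openssl rehash DIR`) has been run on it.
cacertdir_usable() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Human-readable summary for one trace.
report() {
    verdict=$(classify_failure "$1")
    echo "verdict: $verdict"
    echo "server chain verified by client: $(chain_verified "$1")"
    echo "server asked for a client certificate: $(server_requested_client_cert "$1")"
    case $verdict in
        server-closed-after-client-finished)
            echo "CA material and TLS_REQCERT are not the cause; reproduce from the same"
            echo "client with: openssl s_client -connect HOST:636 -CAfile ca.pem -showcerts"
            echo "and read the alert the server sends after the client Finished." ;;
    esac
}

report "$SAMPLE_TRACE"
```

On a trace like the quoted one the verdict is `server-closed-after-client-finished`: both depths verified with `err: 0`, so the CA directory and `TLS_REQCERT` setting are not what broke the connection, and the interesting fact is that the server requested a client certificate and then dropped the session after the client's Finished. Note also that `TLS_REQCERT allow` tells OpenLDAP to ignore a bad server certificate and carry on, which is fine while debugging but should be `demand` once the sync agreement is in production, otherwise a spoofed directory server would be accepted silently.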