[389-users] win sync error

Rich Megginson rmeggins at redhat.com
Tue Jun 21 18:51:06 UTC 2011


On 06/21/2011 11:52 AM, solarflow99 wrote:
> On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 06/21/2011 11:23 AM, solarflow99 wrote:
>>>     I'm using self signed certs, did I miss something?
>>
>>         Probably.  There are many steps involved in getting winsync
>>         to use TLS/SSL to talk to AD, and getting AD PassSync to use
>>         TLS/SSL to talk to DS.  Which
>>
>>
>>     From the Docs listed online:
>>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>
>     The 8.2 docs are better
>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
>
>>     and I went over everything else I could possibly find too.  It
>>     seems in the case of self signed certificates,
>     Are you talking about self signed certs for 389 or for AD?
>
>
> I guess that would be both.  This is all internal so no servers need 
> real third party signed certificates, just trying to get it to work.
Ok, I'm confused.  The RHDS 8.2 Admin Guide talks about setting up AD 
for TLS/SSL by installing the MS CA in Enterprise Root CA mode, creating 
a cert request, and using MS CA to issue the AD server cert.  It doesn't 
say anything about creating self signed certs for AD.
>
>
>>     the Windows CA has to be exported as a .cer file, and imported in
>>     389 with:  certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
>     Yes, that is correct.  So what's the problem?
>
>
> It wasn't mentioned anywhere, so once I guessed what had to be done, 
> now I'm getting a different error:
>
>
> # /usr/lib64/mozldap/ldapsearch -v -Z -P 
> /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D 
> "cn=administrator" -w mypassword -b 
> "cn=users,dc=389testdomain,dc=local" "objectclass=*"
> ldapsearch: started Tue Jun 21 08:41:15 2011
>
> ldap_init( 10.10.10.210, 636 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, 
> comment: AcceptSecurityContext error, data 52e, v1db1
-D "cn=administrator"
You have to use the full DN - something like -D 
"cn=administrator,cn=users,dc=389testdomain,dc=local"
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
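The bind failure above is AD's standard "AcceptSecurityContext error, data NNN" diagnostic, where the data sub-code says why the simple bind was refused. The following is an added example, not code from the thread or from 389/RHDS: it parses that diagnostic, maps the sub-code (52e and its siblings) to its meaning, and, for the 52e case, checks whether the bind DN handed to ldapsearch is actually a full DN under the domain suffix, which is the mistake in the thread. The helper names, the base DN and the sample error string (copied from the ldapsearch output above) are this example's own assumptions.

```python
"""Decode Active Directory simple-bind failures and sanity-check the bind DN.

Added example, not part of the 389-users thread or of 389/RHDS itself.
The SAMPLE_ERROR string is constructed from the ldapsearch output in the
thread; BASE_DN and all function names are this example's own.
"""
import re

# "data" sub-codes AD attaches to LDAP result 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials: bad password, or the bind name is not a DN/UPN AD can resolve",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic: "<hresult>: LdapErr: DSID-<id>, comment: <text>, data <code>, v<ver>"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_diagnostic(message):
    """Return the fields of an AD 'LdapErr' diagnostic, or None if none is present."""
    m = _DIAG_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_DATA_CODES.get(fields["data"], "unrecognised sub-code")
    return fields


def _split_rdns(dn):
    # Split on commas not preceded by a backslash (RFC 4514 escaping); normalise case/spacing.
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def is_full_dn_under(bind_dn, base_dn):
    """True if bind_dn has at least one RDN in front of base_dn's RDNs (i.e. is a full DN)."""
    rdns = _split_rdns(bind_dn)
    base = _split_rdns(base_dn)
    if len(rdns) <= len(base):
        return False
    return rdns[-len(base):] == base


def diagnose_bind_failure(message, bind_dn, base_dn):
    """Combine the decoded sub-code with a shape check on the bind DN used."""
    info = parse_ad_diagnostic(message)
    if info is None:
        return "no AD diagnostic found in message"
    hint = f"data {info['data']}: {info['meaning']}"
    if info["data"] == "52e" and not is_full_dn_under(bind_dn, base_dn):
        hint += (f"; bind DN '{bind_dn}' is not a full DN under {base_dn} "
                 "(expected something like cn=administrator,cn=users," + base_dn + ")")
    return hint


# Constructed from the error shown in the thread (assumption: same AD deployment).
SAMPLE_ERROR = ("ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, "
                "comment: AcceptSecurityContext error, data 52e, v1db1")
BASE_DN = "dc=389testdomain,dc=local"  # assumed domain naming context

if __name__ == "__main__":
    print(diagnose_bind_failure(SAMPLE_ERROR, "cn=administrator", BASE_DN))
    print(diagnose_bind_failure(SAMPLE_ERROR, "cn=administrator,cn=users," + BASE_DN, BASE_DN))
```

Run it and the first line reports the 52e sub-code plus the "not a full DN" hint for the bare `cn=administrator`; the second, with the full DN, reports only the sub-code. The sub-code table is worth keeping around when debugging winsync binds, since 52e (wrong password or unresolvable bind name), 532 (password expired) and 775 (account locked out) all surface as the same LDAP "Invalid credentials" result.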
