Hello Glenn and everyone from the list,

Glenn wrote:
Hello Andre,

It seems your certificates are not set up correctly. You should have the same CA certificate in the database in both FDS and AD. Also, the server certs in each database should be issued by the same certificate authority.

Ok, since then I did it and still I have no luck getting the synchronization to work. I installed FDS 1.0.4 and used the setup-ssl.sh script which was made available from http://directory.fedoraproject.org/download/setupssl.sh .

It correctly set up SSL in FDS and I also have SSL working in AD as I can use "ldp.exe" and establish a SSL connection to AD with no problems at all.

After using the setupssl.sh script, I generated a server cert for AD in /opt/fedora-ds/alias using the following command:

[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server" -s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt -f pwdfile.txt

After doing this and adjusting the trust attributes I have the following scenario in FDS:

[EMAIL PROTECTED] ~]# cd /opt/fedora-ds/alias/
[EMAIL PROTECTED] alias]#
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
[EMAIL PROTECTED] alias]#

   Legend:

   "AD server" = Active Directory certificate
   "Server-Cert" = FDS server
   "CA certificate" = The CA certificate
   "server-cert" = The admin-server (not the slapd) certificate

It seems to be right. The certificates are all valid according to certutil:

[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u C
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u V
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u C
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u V
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u C
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u V
certutil-bin: certificate is valid
[EMAIL PROTECTED] alias]#

Also, I imported the certificates into the AD certificate DB, and currently I have the following scenario in the AD certificate DB:

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -L

CA certificate                          CT,C,C
Server-Cert                             Pu,Pu,Pu
AD server                               Pu,Pu,Pu

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u V
certutil.exe: certificate is valid

However, I'm still seeing the same errors in /opt/fedora-ds/slapd-<instance>/logs/errors:

[28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync" (adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

If I create a sync agreement which doesn't use SSL, using port 389 directly, I can do synchronization in both directions (to and from AD, and to and from FDS), but no users' passwords are synchronized, and this is crucial for me to get working.

Any ideas on what I should be looking at, or on where the problem is hiding itself?

Regards,

--
André Luís Lopes
[EMAIL PROTECTED]

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
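A small check that can be scripted for the kind of `certutil -L` listing quoted above, added here as an example; it is not code from the thread, from Fedora Directory Server or from NSS. It parses the listing, reads the three NSS trust columns (SSL, S/MIME, object signing) and reports whether the named CA carries the `C` flag needed to validate a peer's certificate chain and whether the server cert carries `u` (private key present). The sample listing is the FDS-side one from the message, with the two header lines certutil prints added as constructed input; the nicknames passed to the check are assumptions. Run against either listing in the message it reports no trust-flag problems, which is consistent with the logged error: NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized") is raised when the certificate the remote side actually sends on port 636 does not chain to a CA marked `C` in the local database, regardless of which certificates the remote database holds.

```python
"""Sanity-check NSS trust flags from `certutil -L` output for an SSL
replication agreement (added example, not code from the thread)."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: the FDS-side listing quoted in the message,
# plus the two header lines that certutil -L prints.
FDS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
"""


class Trust(NamedTuple):
    """The three NSS trust columns: SSL, S/MIME, object signing."""
    ssl: str
    smime: str
    objsign: str


# A listing row is "<nickname>  <2+ spaces>  <flags>,<flags>,<flags>".
# Nicknames may contain single spaces ("AD server"), so the separator must be
# at least two spaces. Empty flag strings (",,") mean no trust at all.
_FLAGS = r"[A-Za-z]*"
_ROW = re.compile(
    rf"^(?P<nick>\S.*?)\s{{2,}}(?P<ssl>{_FLAGS}),(?P<smime>{_FLAGS}),(?P<obj>{_FLAGS})\s*$"
)


def parse_listing(text: str) -> Dict[str, Trust]:
    """Map each certificate nickname in certutil -L output to its trust flags."""
    certs: Dict[str, Trust] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # header lines, blank lines and shell prompts do not match
            certs[m.group("nick")] = Trust(m.group("ssl"), m.group("smime"), m.group("obj"))
    return certs


def trusted_ssl_cas(certs: Dict[str, Trust]) -> List[str]:
    """Nicknames NSS will accept as the issuer of a peer's SSL certificate."""
    return sorted(nick for nick, t in certs.items() if "C" in t.ssl)


def check_ssl_trust(certs: Dict[str, Trust], ca_nick: str, server_nick: str) -> List[str]:
    """Problems that would break an SSL connection whose peer cert was issued by
    `ca_nick` and whose own cert is `server_nick`; empty list means flags are fine."""
    problems: List[str] = []
    ca = certs.get(ca_nick)
    if ca is None:
        problems.append(f"{ca_nick!r}: not present in this database")
    elif "C" not in ca.ssl:
        problems.append(
            f"{ca_nick!r}: SSL trust is {ca.ssl!r}; needs 'C' or peers it issued "
            "fail with 'issuer is not recognized'"
        )
    srv = certs.get(server_nick)
    if srv is None:
        problems.append(f"{server_nick!r}: not present in this database")
    elif "u" not in srv.ssl:
        problems.append(f"{server_nick!r}: SSL trust is {srv.ssl!r}; no 'u', so no usable private key")
    return problems


if __name__ == "__main__":
    certs = parse_listing(FDS_LISTING)
    for nick, t in certs.items():
        print(f"{nick:20} SSL={t.ssl or '-':5} S/MIME={t.smime or '-':5} OBJ={t.objsign or '-'}")
    print("trusted SSL CAs:", trusted_ssl_cas(certs))
    print("problems:", check_ssl_trust(certs, "CA certificate", "Server-Cert") or "none")
```

The `certutil -V -u C` and `-u V` runs in the message validate the local copy of a certificate as an SSL client or SSL server respectively; like this script, they only look at the local database and cannot tell which certificate the other end presents during the handshake.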
