On Tuesday August 2 2005 10:32 am, David Boreham wrote: > Dimitri Yioulos wrote: > >Hello to all. > > > >I recently installed FDS on a CentOS 3 box. My network authenticates to a > >win2k3 AD box. I'd like to use the Winsync feature of FDS to keep it > >automatically updated. > > > >Firstly, FDS does work, to the extent that I populated ou=People, and can > > see and use those entries in Kmail. I've followed the Admin manual > > regarding installation and configuration of Winsync on both the FDS and > > AD boxes, but I can't get it to work. I receive an error "81- LDAP > > error: can't contact LDAP server". By now, it's entirely probable that > > I've munged up the configuration, having tried so many tweaks. > > > >I'm really not sure where to begin in terms of providing info to you so > > that you can help me out. With your kind indulgence, it might be better > > for you to ask me questions about my setup, and we can go from there (I > > realize that's a bassackwards way to ask for help, but ...). > > > >Here, at least, are some basics: I obtained server and CA certs from > >CACert.org, and plugged those into FDS. I created the user Admin on both > > the FDS and ADS boxes. I created a Replica Agreement. I ran the Winsync > > utility on the ADS box. I'm trying to use port 636. > > One tip: try to get the thing working without SSL first. > SSL is only _required_ to propagate password changes > from FDS to AD (without SSL everything else will work > but password changes themselves will fail). It will be much > (much !) easier to diagnose your configuration once you > know that everything is correct except SSL is not enabled. > You can then proceed to do battle with SSL alone. > > >I do have a couple of questions: what's the proper way to specify a > > Supplier DN, and should I use "SSL client authentication" or simple > > authentication" in the Replica Agreement? > > I think you can use either, but unless you know why you need client > auth, just use simple auth. > > The supplier DN isn't actually used in winsync, so you can give any DN > (or the DN > that you'd use for any other replication that you are doing : the > supplier DNs are > a property of the server in general, not winsync). The UI does force you > to enter > something before it will enable the replica. > > Some other ideas: enable replication logging to get more verbose messages > from the server as to what it thinks its doing in winsync. Use a sniffer > such as > ethereal or tcpdump to see if the server is connecting to AD (it sounds > like it is not at present, but that might be due to an SSL config issue). > Again, disabling SSL makes sniffing the traffic much easier. > > Thanks, David. Skipping SSL for the time being makes perfect sense. But now, I'm confused. I use synchronization, right? Now, I'm getting the following error: The comsumer initialization has unseccessfully completed. The error received by the replica is: '49 - LDAP error - invalid credentials' Wher am I going wrong? Dimitri
