Thanks. Yes, I understand that. From what I understand, the FDS (client, certutil db) is trying to talk to the AD (server, Microsoft CA) and the PassSync cert db just has the trusted FDS server certs (for synchronization). Do I need to import the FDS server certs into AD, or export the AD certs into the FDS server?

Thanks again for your help.

> One thing to note, in case it isn't already clear:
>
> The SSL connection setup between FDS and AD is entirely
> orthogonal to the SSL connection from PassSync running on Win2k
> and FDS.
>
> From your e-mail it isn't clear to me that you're aware of this.
>
> e.g. the certutil command you're running on Windows will relate
> only to the certs that PassSync will use to contact FDS. That has
> nothing to do with the SSL connection from FDS to AD
> (which will use the certs configured in FDS on one end,
> and the cert configuration in AD on the Windows end --
> entirely separate from the aforementioned PassSync
> cert config).
>
> Jeff Gamsby wrote:
>
>> Please help me, I cannot get this to work. It's driving me crazy.
>>
>> This is what I did:
>>
>> Setup FDS over SSL using certutil.
>>
>> Windows 2000 AD server with "Enterprise Certificate Authority"
>>
>> Can search AD over SSL (using ldp.exe, people search over ssl, and
>> openldap ldapsearch over ssl -H ldaps://)
>>
>> Installed PassSync (used FDS host, port 636, FDS Manager account
>> cn=Manager, FDS cert db password, FDS base)
>>
>> Exported FDS certs (per howto:ssl) and imported them into AD
>> (certutil databases on windows side)
>>
>> Setup changelog (default) and single master replication
>>
>> Setup windows sync agreement (bind as AD administrator account
>> cn=administrator,cn=users,....)
>>
>> Then I test SSL connection from FDS to AD:
>>
>> ../shared/bin/ldapsearch -X -h ad-host -p 636 -D
>> "cn=administrator,cn=users,... -w - -s base -b "" "objectclass=*"
>>
>> ldap_init( ad.server.xxx.xxx, 636 )
>> ldaptool_getcertpath -- .
>> ldaptool_getkeypath -- .
>> ldaptool_getmodpath -- (null)
>> ldaptool_getdonglefilename -- (null)
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>
>> OpenLDAP ldapsearch
>> ldapsearch -x -H ldaps://ad-host works
>>
>> On Windows Machine:
>> certutil -L -d .
>> CA certificate CT,C,C
>> Server-Cert Pu,Pu,Pu
>>
>> On FDS server (FC4):
>> # ../shared/bin/certutil -L -d .
>> CA certificate CTu,u,u
>> Server-Cert u,u,u
>>
>> I have no idea what to try next. Please help
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
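As an added diagnostic, not part of the thread or of Fedora Directory Server itself: a small parser for `certutil -L` trust-flag listings that separates "CAs this db trusts for other parties' SSL certs" (C or T in the SSL column, no private key) from the db's own certs (u = private key present). The two listings are reconstructions of the ones quoted above; the nickname of an imported AD CA is an assumption.

```python
import re

# Constructed reproduction of the `certutil -L -d .` listing quoted from the FDS (FC4) side.
FDS_LISTING = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CTu,u,u
Server-Cert                                 u,u,u
"""

# Constructed reproduction of the PassSync cert db listing quoted from the Windows side.
PASSSYNC_LISTING = """\
CA certificate                              CT,C,C
Server-Cert                                 Pu,Pu,Pu
"""

# Hypothetical listing after importing the AD CA cert into the FDS db with
# `certutil -A -n "AD CA" -t "CT,," -d . -i <ad-ca.cer>` (nickname assumed).
FDS_LISTING_WITH_AD_CA = FDS_LISTING + "AD CA                                       CT,,\n"

# nickname, two or more spaces, then three comma-separated flag groups (letters only).
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)}; header lines are skipped."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def peer_issuers_trusted(listing):
    """Nicknames trusted to issue *peer* SSL server certs.

    NSS trust flags: 'C' = trusted CA for SSL server certs, 'T' = trusted CA for client
    certs, 'u' = this db holds the private key (the local server's own cert or own CA).
    Heuristic: a CA carrying 'u' is local, not an imported peer CA.
    """
    return sorted(nick for nick, (ssl, _, _) in parse_certutil_listing(listing).items()
                  if ("C" in ssl or "T" in ssl) and "u" not in ssl)


def explain(listing):
    """One-line verdict on whether a peer cert from another CA can validate against this db."""
    trusted = peer_issuers_trusted(listing)
    if not trusted:
        return ("no imported CA is trusted for SSL peers; a peer cert from another CA "
                "fails with SSL error -8179 (Peer's Certificate issuer is not recognized)")
    return "peer SSL certs issued by %s will validate" % ", ".join(trusted)
```

Run against the FDS listing it reports that the only CA present is the db's own (CTu), which is consistent with the -8179 seen when FDS contacts AD; the PassSync listing, by contrast, already trusts the imported FDS CA.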