From what I remember, you must install Certificate Services on the AD server in order to enable LDAP over SSL. It was part of the email that I sent to you yesterday. You can confirm SSL communication by querying the address book on the AD server on port 636 (http://support.microsoft.com/kb/238007/EN-US/). You can also run 'netstat -an | more' and look for 0.0.0.0:636; this means that the AD server is listening on the secure LDAP port. You then need to export the AD certificate and import it into the FDS server (below). After that, you can test communication by running an ldapsearch from the FDS server to the AD server. There is an example below, something like this:

    cd /opt/fedora-ds/alias ; ldapsearch -Z -P . -h hostname.of.ad.server -p 636 -D "cn=Administrator,cn=Users,dc=server,dc=example,dc=com" -W -s base -b "cn=Users,dc=server,dc=example,dc=com" "cn=*"

It's been a while, but I think that I have this right. Someone please correct me if I'm wrong.

Good luck

---From last post---

3. Retrieve the Certificate Authority Certificate

   1. Open a Web browser on the AD machine.
   2. Go to http://localhost/certsrv/
   3. Select the task Retrieve the CA certificate or certificate revocation list.
   4. Click Next.
   5. The next page automatically highlights the CA certificate. Click Download CA certificate.
   6. A new download window opens. Save the file to the hard drive. Save in DER mode.

Copy the file to the FDS server and convert it to PEM format:

    openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import the AD CA cert into FDS:

    certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

Check certs (from /opt/fedora-ds/alias):

    certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD:

    ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>" -w <sync manager password> -s <scope> -b "<AD base>" "<filter>"

Jeffrey Jamisola wrote:
> Hi Jeff,
>
> Thanks for the reply.
>
> Can I have the following instruction if it is available:
>
> 1. How to install Certificate Services, then Enterprise root CA
>
> 2. How to enable SSL on AD
>
> Since my AD is Windows Server 2003
>
>
> Thank you,
> Jeffrey
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
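Added example, not from the list post and not Fedora Directory Server code: a Go program that reproduces the trust decision the procedure above depends on, so you can see why the CA import and the hostname in "-h" both matter before touching a real DC. It self-issues a root CA standing in for the AD Enterprise Root CA, issues a DC certificate for the made-up name ad.example.com, serves TLS on a loopback port, and then runs the part of "ldapsearch -Z" that happens before the bind three times: with an empty cert DB (before certutil -A), with the CA loaded through the same DER-to-PEM conversion the openssl step performs, and with the CA loaded but a hostname the DC certificate does not carry. All names, serial numbers and lifetimes are constructed for the example; no LDAP PDUs are exchanged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

const adHost = "ad.example.com" // hypothetical DC name; the DC certificate carries it as a SAN
func check(err error) { if err != nil { panic(err) } }

// template builds a root CA (stand-in for the AD Enterprise Root CA) or a DC server certificate.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // the name passed to ldapsearch -h must match this
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key and signs tmpl with parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// derToPEM is the in-process equivalent of "openssl x509 -inform DER -outform PEM".
func derToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// serveTLS answers TLS handshakes on a loopback port; no LDAP PDUs are exchanged.
func serveTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// checkLDAPS does what "ldapsearch -Z -P <certdb> -h <host> -p 636" does before the bind: TLS handshake, chain validation against roots, hostname check on serverName.
func checkLDAPS(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome: handshake result before importing the AD CA, after importing it, and after importing it but querying a name the DC certificate does not carry.
type Outcome struct{ Untrusted, Trusted, WrongHost error }
func runScenario() Outcome {
	ca, caKey := issue(template(1, "Example AD Root CA", true), nil, nil)
	dc, dcKey := issue(template(2, adHost, false), ca, caKey)
	ln := serveTLS(dc, dcKey)
	defer ln.Close()
	trusted := x509.NewCertPool() // FDS cert DB after "certutil -A -t CT,CT,CT"
	if !trusted.AppendCertsFromPEM(derToPEM(ca.Raw)) {
		panic("CA PEM did not parse")
	}
	addr := ln.Addr().String()
	return Outcome{
		Untrusted: checkLDAPS(addr, adHost, x509.NewCertPool()), // before "certutil -A"
		Trusted:   checkLDAPS(addr, adHost, trusted),
		WrongHost: checkLDAPS(addr, "dc01.example.com", trusted),
	}
}

func main() {
	out := runScenario()
	fmt.Printf("before CA import: %v\nafter CA import: %v\nwrong hostname: %v\n", out.Untrusted, out.Trusted, out.WrongHost)
}
```

Run it with "go run" and compare the three lines with what ldapsearch -Z reports on the FDS box: the first failure is the "unknown authority" you get before certutil -A, the second line is the success you want, and the third is the mismatch you get when -h names the DC by an address or alias that is not in its certificate; in that case fix the -h value or reissue the DC certificate, do not loosen the trust flags.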