Hello,

First of all, I would like to tell you all that this is my very first message to this mailing list, so please be patient with me for a while and sorry for the possibly dull questions. Also, it's important to let you guys know that I already learnt a lot only by searching the list archives. Thanks :-)

I tried each and every bit I found online (be it by reading the enormous amount of documentation under http://directory.fedoraproject.org/ or by reading the mailing list archives) and couldn't get Windows Sync using SSL to work yet.

What I have now:

1) Fedora Directory Server 1.0.4 running under Red Hat Enterprise Linux 4 Advanced Server Update 5, installed from the fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm package. This host is named fds.aw2.local.

2) Windows Server 2003 Enterprise Edition running a local Active Directory set up only for testing. This host is named adserver.aw2.local.

I already installed PassSync (from http://directory.fedoraproject.org/download/PassSync-20060330.msi) on the Windows Server 2003 and already have it configured to use the following information:

    Host name   : fds.aw2.local
    Port number : 636
    User name   : uid=replication, cn=config
    Password    : 123456
    Cert Token  : 123456
    Search base : dc=aw2, dc=local

uid=replication is a user I added to FDS, under cn=config. Cert token is the correct certificate token and search base is the correct search base as well.

I can create a Windows Sync Agreement and have it doing synchronization both from AD to FDS and from FDS to AD, but only when using a non-SSL connection. But, in this case, as you all know, I don't get users' passwords synchronized.

I think I got both AD and FDS SSL setup right, as I can use "Active Directory Administration Tool (ldp.exe)" to connect to AD on port 636 (SSL) correctly and I can use an ldapsearch from the FDS machine to the FDS directory using SSL correctly as well.

The only problem I'm getting is that whenever I try to set up a Windows Sync Agreement using SSL, I get the following error message in my FDS LDAP error log (/opt/fedora-ds/slapd-fds/logs/error, in my case):

    [18/May/2007:08:52:40 -0300] NSMMReplicationPlugin - agmt="cn=sync" (adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

I have the following configured regarding certificates on the AD host ("certutil.exe -d . -L" output, running from C:\Program Files\Red Hat Directory Password Synchronization\):

    CA certificate    CT,C,C
    Server-Cert       Pu,Pu,Pu

Isn't this certificate database the one which is being used when a Windows Sync Agreement is set up?

Anyway, I have also already tried the following:

1) Import the FDS certificate using:

    cd /opt/fedora-ds/alias
    /opt/fedora-ds/shared/bin/pk12util -d . -P slapd-fds- -o servercert.pfx -n Server-Cert

2) Import it into the AD certificate snap-in in Windows Microsoft Management Console and reboot.

No luck with this either.

I have read and re-read every single bit of documentation I could find about the topic and I have no problem reading more if you guys ask me to RTFM. Just point me to the "fine" manual :-)

Regards,

--
André Luís Lopes
andrelop at aw2net.com.br