Windows Sync using SSL : Peer's Certificate issuer is not recognized



Hello Glenn and everyone from the list,

Glenn wrote:
> Hello Andre,
> It seems your certificates are not set up correctly.  You should have the 
> same CA certificate in the database in both FDS and AD.  Also, the server 
> certs in each database should be issued by the same certificate authority.

    Ok, since then I did it and still I have no luck getting the 
synchronization to work. I installed FDS 1.0.4 and used the 
script which was made available from .

    It correctly set up SSL in FDS and I also have SSL working in AD as 
I can use "ldp.exe" and establish a SSL connection to AD with no 
problems at all.

    After using the script, I generated a server cert for AD 
in /opt/fedora-ds/alias using the following command :

[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server" 
-s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA 
certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt 
-f pwdfile.txt

    After doing this and adjusting the trust attributes I have the 
following scenario in FDS :

[root at fds ~]# cd /opt/fedora-ds/alias/
[root at fds alias]#
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
[root at fds alias]#

    Legend :

    "AD server" = Active Directory certificate
    "Server-Cert" = FDS server
    "CA certificate" = The CA certificate
    "server-cert" = The admin-server (not the slapd) certificate

    It seems to be right. The certificates are all valid according to 
certutil :

[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n Server-Cert -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n Server-Cert -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "AD server" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "AD server" -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "CA certificate" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "CA certificate" -u V
certutil-bin: certificate is valid
[root at fds alias]#

    Also, I imported the certificates into the AD certificate DB and 
currently I have the following scenario in AD certificate DB :

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -L

CA certificate				CT,C,C
Server-Cert                             Pu,Pu,Pu
AD server                               Pu,Pu,Pu

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n Server-Cert -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n Server-Cert -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "AD server" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "AD server" -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "CA certificate" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "CA certificate" -u V
certutil.exe: certificate is valid

    However, I'm still seeing the same errors on 
/opt/fedora-ds/slapd-<instance>/logs/errors :

[28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync" 
(adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact 
LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate 
issuer is not recognized.)

    If I create a sync agreement which doesn't use SSL, using port 389 
directly, I can do synchronization in both ways (to and from AD and to 
and from FDS), but I have no users' passwords synchronized and this is 
crucial for me to get working.

    Any ideas on what I should be looking at or on where the problem is 
hiding itself?


André Luís Lopes
andrelop at
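An added example, not part of the original message and not code from the FDS/NSS tooling it describes. NSPR error -8179 in the log above is SEC_ERROR_UNKNOWN_ISSUER: the certificate the peer actually presents during the TLS handshake does not chain to any CA marked trusted in the client's certificate database. Note that `certutil -V` validates certificates already stored in the local database; it says nothing about which certificate AD sends on port 636. The script below reproduces both situations offline with openssl instead of certutil: a server certificate issued by the trusted CA verifies, and one issued by a different CA fails with OpenSSL's equivalent of "issuer is not recognized". The CA names (fds-ca, ad-ca) and the second host name are constructed; adserver.aw2.local comes from the post; openssl 1.1.1 or newer is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces offline, with openssl
# instead of NSS certutil, the condition behind NSPR error -8179
# ("Peer's Certificate issuer is not recognized"): the certificate the peer
# presents does not chain to any CA in the local trust store.
# Assumes openssl (1.1.1 or newer) on PATH. CA names and the second host
# name are constructed; adserver.aw2.local is the host named in the post.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 (key + cert) in $WORK.
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
        -extfile "$WORK/ca-ext.cnf" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a server certificate for host $2, signed by CA $1.
issue_server_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" \
        > "$WORK/$2-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$2-ext.cnf" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Exit status 0 if certificate $2 chains to CA $1 (the situation a correctly
# populated NSS database with the "C" trust flag on the CA produces),
# non-zero otherwise.
chains_to() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Print the issuer DN of certificate $1 in RFC 2253 form, e.g. "CN=fds-ca".
issuer_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer=[ ]*//'
}

# Print the subject DN of certificate $1 in RFC 2253 form.
subject_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=[ ]*//'
}

# Report whether host $2's certificate is accepted when only CA $1 is trusted,
# showing OpenSSL's own diagnostic in the failing case.
report() {
    if chains_to "$1" "$2"; then
        echo "$2 (issuer $(issuer_of "$2")) chains to $1: OK"
    else
        echo "$2 (issuer $(issuer_of "$2")) does NOT chain to $1 (the -8179 situation):"
        openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1 | sed 's/^/    /'
    fi
}

# Demonstration: the FDS side trusts only fds-ca. A server certificate issued
# by fds-ca is accepted; one issued by a CA never imported (ad-ca) is not.
make_ca fds-ca
make_ca ad-ca
issue_server_cert fds-ca adserver.aw2.local   # signed by the CA FDS trusts
issue_server_cert ad-ca other.aw2.local       # signed by a CA FDS never imported
report fds-ca adserver.aw2.local
report fds-ca other.aw2.local
```

The second `report` line is the case worth comparing against a live port 636: whichever CA signed the certificate AD really presents must be the one imported with the `C` trust flag on the FDS side, regardless of which certificates validate locally.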
