Unable to SSL with Windows Sync Agreement

[math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))]

Hi Sebastian,

 

Thanks for your suggestion.

 

I'm assuming that when the CA is trusted for Server and Client
certificates (CT) the server certificates signed by that CA are
automatically trusted peer as well.

I have made the trust changes to the certificates and imported the third
windows certificate as well, my (clean installed) windows Server has
three certificates, the last one added is the domain certificate. the CA
and Server certificates should be sufficient according to the manual.


Red Hat Directory Server (gemeente.grep)

# certutil -L -d .

Certificate Nickname       Trust Attributes

                           SSL,S/MIME,JAR/XPI

 

gemeente_ds_ca_cert        CTu,u,u

gemeente_ds_server_cert    u,u,u

parijs_ca_cert             CT,,

parijs_domain_cert         P,P,P

parijs_server_cert         P,P,P

 

 

Windows Active Directory (parijs.gem) unchanged
C:\Program Files\Red Hat Directory Password Synchronization>certutil -L
-d .
rhds_ds_ca_cert               CT,C,C
rhds_ds_server_cert           Pu,Pu,Pu

 

In the mean while, I've run some extra test to check the connectivity
between the Red Hat and Windows Server, but all of the following test
outputs the expected result of the query

These search queries are executed from the Red Hat Directory Server.

 

#/usr/lib64/mozldap/dapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h
adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem"
-w <pwd> -s base -b "dc=parijs,dc=gem" "objectclass=top"

#/usr/lib64/mozldap/ldapsearch -x -ZZ -b 'dc=gemeente,dc=grep' -D
"cn=Directory Manager" -w <pwd> '(objectclass=*)'

# /usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b
'dc=parijs,dc=gem' -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w
<pwd> '(objectclass=*)'

 

 

But there are still no outgoing tcp/ip packages from the Red Hat
Directory Server when the  new Windows Sync  Agreement is configured and
the message is shown that the Red Hat server is unable to contact Active
Directory server.

 

Problem summary:

I can't get an SSL connection  with the a new  Windows Sync Agreement,
from the Red Hat DS to the Windows AD server.

Ldapsearch queries over SSL seems to work fine,  But strangely enough
there is not network traffic at all when the SSL  connection is checked!

(when clicking on next and the message "unable to contact Active
Directory server, continue" appears). See emails below for more
information.

 

 

Does anyone has a suggestion how to trouble shoot this problem?

 

 

Mathijs de Groot

 

 

From: Sebastian Tabarce [mailto:blue_moon_ro at yahoo.com] 
Sent: donderdag 7 augustus 2008 20:23
To: Groot, Mathijs de (IDT Competence Java)
Subject: RE: Unable to SSL with Windows Sync
Agreement

 

Hi Mathijs,

>From what you showed us, it seems that while RHDS is a trusted peer of
Active Directory, Active Directory is not a trusted peer of RHDS. This
might be a reason for RHDS to not even try to establish a sync with AD.
Other then this, I have no other ideas for now. I'm not an experimented
RHDS admin, but maybe others will be of more help.

Good luck,
Sebastian

--- On Thu, 8/7/08, Groot, Mathijs de (IDT Competence Java)
<math.de.groot at logica.com> wrote:

From: Groot, Mathijs de (IDT Competence Java) <math.de.groot at logica.com>
Subject: RE: Unable to SSL with Windows Sync
Agreement
To: blue_moon_ro at yahoo.com, "General discussion list for the Fedora
Directory server project." <fedora-directory-users at redhat.com>
Date: Thursday, August 7, 2008, 5:19 PM

Hi Sebastian,

 

Thanks for your reply.

 

We've created the CA and Server certificates on Red Hat Directory Server

(like described in:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_
certutil.html
<http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using
_certutil.html>  )   

And created a server certificate on the Windows Server
(http://support.microsoft.com/kb/931351
<http://support.microsoft.com/kb/931351> )

 

The CA and Server certificates are exchanged between the both Servers
and are trusted, like the certutil output shows:

 

On the Red Hat Directory (rhds.grep):

# certutil -L -d .

                               Certificate Nickname

                               Trust Attributes

                               SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                CTu,u,u

parijs_server_cert             ,,

rhds_server_cert               u,u,u

parijs_ca_cert                 CT,,

 

on the Windows Active Directory (parijs.gem):

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L
-d .

rhds_ds_ca_cert                                        CT,C,C

rhds_ds_server_cert                                    Pu,Pu,Pu

 

And the ldapsearch in the command line from the Red Hat server over SSL
works with the use of the certificate database, the following command
returns entries of Windows Active Directory:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h
adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem"
-w - -s base -b "dc=parijs,dc=gem" "objectclass=top"

 

Note that I'm using a Red Hat Enterprise 64 bits version and a Windows
2003 32bits.

 

Do you've got any suggestions why there are no outgoing tcp/ip packages
from the Red hat Directory Server when the  new Windows Sync  Agreement
is configured and the message is shown that the Red Hat server is unable
to contact Active Directory server?

 

Mathijs

 

 

From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
Sebastian Tabarce
Sent: donderdag 7 augustus 2008 15:03
To: General discussion list for the Fedora Directory server project.
Subject: Re: Unable to SSL with Windows Sync
Agreement

 

Mathisj,

If I'm not mistaking, in order for the two servers to be able to talk
with each other, they need to have certificates signed by Certificate
Authorities recognized by the two servers (meaning, the certificates of
these root CAs must be installed on the two servers). Even more
straightforward is to generate certificate requests for both servers and
get them signed by the same root CA.


--- On Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java)
<math.de.groot at logica.com> wrote:

From: Groot, Mathijs de (IDT Competence Java) <math.de.groot at logica.com>
Subject: Unable to SSL with Windows Sync
Agreement
To: fedora-directory-users at redhat.com
Date: Thursday, July 31, 2008, 12:18 PM

Hello everyone,

 

I can use some help with setting up the Windows Sync.

 

Ill give some context first, im trying to sync user, groups and
passwords from a Windows 2003 server with Active Directory with a Red
Hat enterprise 5, Red Hat Directory Server 8.0.

It is a test environment with where I can access and configure the
servers easily.

 

But ive got some problems setting a new Windows Sync Agreement.

 

It comes down to the following:

I can't get an SSL connection  with the a new  Windows Sync Agreement,
from the Red Hat DS to the Windows AD server.

 

In the Windows Sync Server info screen I get the following message when
clicking on next:  

"unable to contact Active Directory server, continue"

(Windows Sync Server info screen located In the Directory Server Console
->  Configuration tab ->  Replication -> userRoot -> highlight the
database -> Object -> New Windows Sync Agreement -> The second screen
reads Windows Sync Server Info)

 

But when I uncheck the checkbox "Using encrypted SSL connection" the
connection works and the Windows AD server is reached.

So this concludes (and ive tested) that the Windows Server and domain is
reachable and the Bind DN is valid, and entered values are correct.

 

The SSL connection seems to be setup correctly, the checks (ldapsearch
query) described by the fedora manual outputs the correct result.
Following:

"

http://directory.fedoraproject.org/wiki/Howto:WindowsSync 

Testing your Configuration

Test to make sure you can talk SSL from Fedora Directory to AD

This is how you test to verify that the Windows side SSL is enabled
properly:

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D
"<sync manager user>" -w < sync manager password> -s <scope> -b "<AD
base>" "<filter>"

"

My ldapsearch query:

/usr/lib64/mozldap/dapsearch -Z -P /etc/dirsrv/slapd-<instance>/cert8.db
-h compute.domain.com -p 636 -D
"CN=Administrator,CN=Users,DC=domain,DC=com"  -w <pwd> -s base -b
"dc=domain,dc=com" "objectclass=top"

 

But strangely enough there is not network traffic at all when the SSL
connection is checked!

(when clicking on next and the message "unable to contact Active
Directory server, continue" appears)

 

Ive done the following actions to make to monitor it:

 

First I've disabled SELinux, in case that blocks something (just for
testing).

 

watch the tcp ip traffic with:

tcpdump -nn -p port not ssh and ip host <Red Hat IP number>

Here I can see that, when I don't use the SSL connection, there is
traffic towards my Widows AD, but when ive check the SSL option, there
is no traffic at all, nothing.

 

As well when I look at the iptables:

added an extra line: iptables -I OUTPUT  1 -d <Windows AD IP number> -j
ACCEPT 

watch -d iptables -L -nv

 

I see the same result, traffic when I don't use the SSL option and no
traffic at all when the SSL option is checked.

 

How can I get the message "unable to contact Active Directory server,
continue" when there is no outgoing request from my Red Hat server.

 

Ive made certificates at both sides (Windows and Red Hat) and exported
and imported these certificated to the other server.

 

Please advice on following steps I can take, what the problem can be and
how it is possible that there is no traffic at all.

 

Thanks in advanced.

 

Matt

 

 

Mathijs A. de Groot
Consultant - Software Engineer
_________________________________________ 

Logica - Releasing your potential 

George Hintzenweg 89
3068 AX Rotterdam
Postbus 8566
3009 AN Rotterdam
Nederland
T:  +31 (0) 10 253 7000
D:   +31(0) 70 37 56627
E: math.de.groot at logica.com <mailto:math.de.groot at logica.com> 
www.logica.com <http://www.logica.com/> 

Logica Nederland B.V.
Registered office in Amstelveen, The Netherlands
Registration Number Chamber of Commerce: 33136004

 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you. 

--

    

Fedora-directory-users mailing list

    

Fedora-directory-users at redhat.com

    

https://www.redhat.com/mailman/listinfo/fedora-directory-users

 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you. 

 



This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20080808/30c21659/attachment.html