Re: [389-users] win sync error

On 06/21/2011 11:52 AM, solarflow99 wrote:
On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 06/21/2011 11:23 AM, solarflow99 wrote:
I'm using self signed certs, did I miss something?
Probably.  There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS.  Which

From the Docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

The 8.2 docs are better
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync

and I went over everything else I could possibly find too.  It seems in the case of self signed certificates,
Are you talking about self signed certs for 389 or for AD? 

I guess that would be both.  This is all internal so no servers need real third party signed certificates, just trying to get it to work.
Ok, I'm confused.  The RHDS 8.2 Admin Guide talks about setting up AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode, creating a cert request, and using MS CA to issue the AD server cert.  It doesn't say anything about creating self signed certs for AD.
the Windows CA certificate has to be exported as a .cer file and imported into 389 with:  certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
Yes, that is correct.  So what's the problem?

It wasn't mentioned anywhere, so once I guessed what had to be done, now I'm getting a different error:

# /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword -b "cn=users,dc=389testdomain,dc=local" "objectclass=*"
ldapsearch: started Tue Jun 21 08:41:15 2011

ldap_init( 10.10.10.210, 636 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
-D "cn=administrator"
You have to use the full DN - something like -D "cn=administrator,cn=users,dc=389testdomain,dc=local"


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
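The two things this thread turns on are worth automating: the "data 52e" sub-code that AD tacks onto the AcceptSecurityContext diagnostic tells you the bind itself was rejected for bad credentials (not a TLS or trust problem), and a bare RDN such as "cn=administrator" is never going to satisfy an AD simple bind. The script below is an added example written for this archive page; it is not code from the thread, from 389 DS or from the Red Hat docs. It parses the diagnostic line, maps the sub-code against the well-known table of AD logon failure codes (the table is from that documented list, not from the thread; 52e is the only one the thread shows), and runs a simple full-DN sanity check on the -D value before you waste time on certificates. The DN check is a heuristic I made up for this example, not an RFC 4514 parser. The sample transcript is the one posted above, embedded as constructed input.

```python
import re

# Sub-codes Active Directory appends as "data NNN" to the AcceptSecurityContext
# diagnostic when a simple bind fails with LDAP result 49 (invalidCredentials).
# Taken from the well-known Windows logon failure code list, not from the thread.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN/name is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic: "<hresult>: LdapErr: DSID-<id>, comment: <text>, data <code>, v<ver>"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(line):
    """Extract the fields of an AD bind diagnostic; None if the line is not one."""
    m = _DIAG_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


def looks_like_full_dn(bind_dn):
    """Heuristic (an assumption for this example, not a real DN parser):
    every RDN is attr=value, there is more than one RDN, and at least one
    component is dc=, i.e. the DN reaches the domain naming context."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", bind_dn)]
    if any("=" not in r for r in rdns):
        return False
    attrs = [r.split("=", 1)[0].strip().lower() for r in rdns]
    return len(rdns) > 1 and "dc" in attrs


def triage(output, bind_dn):
    """Return findings for an ldapsearch transcript plus the -D value that was used."""
    findings = []
    if not looks_like_full_dn(bind_dn):
        findings.append(
            f"bind DN {bind_dn!r} is not a full DN; AD simple bind needs e.g. "
            "cn=administrator,cn=users,dc=example,dc=local"
        )
    for line in output.splitlines():
        info = parse_ad_bind_error(line)
        if info is not None:
            findings.append(f"AD data {info['data']}: {info['meaning']}")
    return findings


# The failing transcript from the thread, embedded here as sample input.
SAMPLE_OUTPUT = """\
ldap_init( 10.10.10.210, 636 )
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT, "cn=administrator"):
        print(finding)
```

Two practical notes. First, the sub-code is the fastest way to separate bind problems from transport problems: if you get as far as "data 52e" the TLS handshake and CA trust already succeeded, so there is nothing left to fix in cert8.db for that error. Second, passing the bind password with -w on the command line, as in the transcript, leaves it in the process list and shell history; mozldap ldapsearch can read it from a file with -j (OpenLDAP's ldapsearch uses -y for the same thing).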
