Re: [Fedora-directory-devel] [Fwd: FDS over SSL with PassSync -- How I did it]

Rob Crittenden wrote:
Is this something that should be translated into a FAQ or How-to on the wiki?
Sure.
I'd be happy to write it up; I just don't have the means to test whether his method works in general.
Ok, that's fine. As long as we get the general idea down, we can always iterate on the details later.

rob

-------- Original Message --------
Subject: [Fedora-directory-users] FDS over SSL with PassSync -- How I did it
Date: Thu, 08 Jun 2006 11:33:39 -0700
From: Jeff Gamsby <JFGamsby@xxxxxxx>
Reply-To: General discussion list for the Fedora Directory server project. <fedora-directory-users@xxxxxxxxxx>
To: General discussion list for the Fedora Directory server project. <fedora-directory-users@xxxxxxxxxx>

Thanks to everyone who helped me.

Since it was a struggle for me, I thought that I would post how I did it
in case others have the same problems that I had. Maybe it will help
someone else.

My Setup:

Fedora Core 4
Fedora Directory Server 1.0.2
Windows 2000 Server

Install FDS (or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm -rf /opt/fedora-ds; rpm -i fedora-ds-1.0.2)
create certificates, etc..
I used this simple script that I wrote: (cd to /opt/fedora-ds/alias)
-----------------------------------------------------------------------
#!/bin/sh
# Create the NSS cert/key databases for the slapd-msas instance, a self-signed
# CA, a server certificate issued by that CA, and then switch FDS to SSL.
# Must run from the alias directory of the server root.
set -e

serverroot=/opt/fedora-ds
cd $serverroot/alias

echo -n "Creating password and noise file..."
# pwdfile.txt holds the NSS key database password; noise.txt seeds key generation
echo "8904859034905834-580943502385430958430958049385" > $serverroot/alias/pwdfile.txt
echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" > $serverroot/alias/noise.txt

echo -n "Creating Databases..."
$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt

echo -n "Generating encryption key..."
# -G generates a key pair in the key database
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

echo -n "Generating self-signed certificate..."
# -x: self-signed; -t "CT,,": trusted CA for SSL; -m: serial; -v 120: valid 120 months
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
    -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

echo -n "Generating server certificate.."
# the subject CN must be the hostname clients use to connect; -c names the issuing CA
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=msas.msd.lbl.gov" \
    -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

# FDS expects slapd-<instance>-key3.db and slapd-<instance>-cert8.db in alias/
mv key3.db slapd-msas-key3.db
mv cert8.db slapd-msas-cert8.db
ln -s slapd-msas-key3.db key3.db
ln -s slapd-msas-cert8.db cert8.db

echo -n "Setting permissions.."
# the databases must be readable by the user slapd runs as
chown nobody:nobody $serverroot/alias/slapd-msas*

echo -n "Exporting certificate.."
# -r writes the CA certificate in binary DER form
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der

echo "Converting certificate.."
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem

echo "Copying cacert.pem to /etc/openldap/cacerts.."
# lets the OpenLDAP client tools on this host trust the new CA
cp cacert.pem /etc/openldap/cacerts/

echo -n "Enabling SSL in FDS"
echo ""
echo -n "Please enter Manager password..(twice)"
# /tmp/ssl_enable.ldif and /tmp/addRSA.ldif are the author's LDIF files (not included in the post)
ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
---------------------------------------------------------

restart FDS

Test SSL connections and ldapsearch
netstat -an | grep 636

Install Active Directory on Windows Server

Install Certificate Services --> Enterprise root CA
reboot
Enable SSL on AD

  1. Install Certificate Services on Windows 2000 Server and an
     Enterprise Certificate Authority in the Active Directory Domain.
     Make sure you install an Enterprise Certificate Authority.
  2. Create a Security (Group) Policy to direct Domain Controllers to
     get an SSL certificate from the Certificate Authority (CA).
        1. Open the Active Directory Users and Computers Administrative
           tool.
        2. Under the domain, right-click on Domain Controllers.
        3. Select Properties.
        4. In the Group Policy tab, click to edit the Default Domain
           Controllers Policy.
        5. Go to Computer Configuration->Windows Settings->Security
           Settings->Public Key Policies.
        6. Right click Automatic Certificate Request Settings.
        7. Select New.
        8. Select Automatic Certificate Request.
        9. Run the wizard. Select the Certificate Template for a Domain
           Controller.
       10. Select your Enterprise Certificate Authority as the CA.
           Selecting a third-party CA works as well.
       11. Complete the wizard.
       12. All Domain Controllers now automatically request a
           certificate from the CA, and support LDAP using SSL on port 636.
  3. Retrieve the Certificate Authority Certificate
        1. Open a Web browser on the AD machine
        2. Go to http://localhost/certsrv/
        3. Select the task Retrieve the CA certificate or certificate
           revocation list.
        4. Click Next.
        5. The next page automatically highlights the CA certificate.
           Click Download CA certificate.
        6. A new download window opens. Save the file to the hard drive.
           Save in DER mode.

Copy file to FDS server, convert to PEM format

openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS

certutil -A -d . -P slapd-instance- -n "<AD CA nickname>" -t "CT,CT,CT" -a -i ad-cert.pem

check certs (from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> \
    -D "<sync manager user>" -w "<sync manager password>" -s <scope> \
    -b "<AD base>" "<filter>"

Install PassSync on Windows machine.
Follow directions from Howto:WindowsSync (certificate creation)
restart AD server

Enable Replication in Directory Server Console:

Go to configuration tab --> Replication --> enable changelog --> default
Expand Replication, click UserRoot
Check "Enable Replica" Single-master

Right Click UserRoot --> Create new windows sync agreement

Up log level in FDS:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif

restart FDS

right click win sync agreement --> Initiate Full Sync

check error logs (/opt/fedora/slapd-instance/logs/errors)

In order for users to be created on the Windows side, users must have
certain attributes.

e.g.
dn: uid=TBird,ou=People,dc=server,dc=com
givenName: Tweetie
ntUserCreateNewAccount: true
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
facsimileTelephoneNumber: 510-555-5555
uid: TBird
mail: tbird@xxxxxxxxxx
uidNumber: 71209
cn: Tweetie Bird
ntUserComment: Tweetie Bird User Account
telephoneNumber: 510-555-5555
loginShell: /bin/bash
ntUserDomainId: tbird
gidNumber: 5000
ntUserDeleteAccount: true
gecos: Tweetie Bird
homeDirectory: /home/tbird
sn: Bird
userPassword::

I hope that I have this right.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
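The post says users need certain attributes before Windows Sync will create them in AD, and that the error log is where failures show up. The following is an added example, not part of the original post or the FDS project: a pre-sync check that scans an LDIF export and flags entries lacking the attributes the post's example user sets for sync (objectClass ntuser, ntUserCreateNewAccount, ntUserDomainId, sn). The sample LDIF is constructed; the attribute set is taken from the post's example entry.

```shell
#!/bin/sh
# Added example (not part of the original post): before "Initiate Full Sync",
# flag LDIF entries missing the attributes the post's example user sets for
# Windows Sync. Assumes unwrapped LDIF with entries separated by blank lines.

# Print "OK <dn>" or "MISSING <dn>: <attrs>" for each entry in LDIF file $1.
check_ntuser_ldif() {
    awk '
    function report() {
        if (dn == "") return
        m = ""
        if (!nt) m = m " objectClass=ntuser"
        if (!cr) m = m " ntUserCreateNewAccount=true"
        if (!id) m = m " ntUserDomainId"
        if (!sn) m = m " sn"
        if (m == "") print "OK " dn; else print "MISSING " dn ":" m
        dn = ""; nt = cr = id = sn = 0
    }
    /^dn: /                                       { dn = substr($0, 5) }
    tolower($0) == "objectclass: ntuser"          { nt = 1 }
    tolower($0) == "ntusercreatenewaccount: true" { cr = 1 }
    tolower($0) ~ /^ntuserdomainid: /             { id = 1 }
    tolower($0) ~ /^sn: /                         { sn = 1 }
    /^$/ { report() }
    END  { report() }
    ' "$1"
}

# Constructed two-entry sample (not real data) written to file $1: the first
# entry is complete, the second lacks the ntuser class and ntUserDomainId.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: uid=tbird,ou=People,dc=example,dc=com
objectClass: inetorgperson
objectClass: ntuser
uid: tbird
sn: Bird
ntUserDomainId: tbird
ntUserCreateNewAccount: true

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetorgperson
uid: jdoe
sn: Doe
ntUserCreateNewAccount: true
EOF
}

sample=${TMPDIR:-/tmp}/passsync-check.$$.ldif
make_sample_ldif "$sample"; check_ntuser_ldif "$sample"; rm -f "$sample"
```

Run it against an export such as `ldapsearch -x -b "ou=People,dc=server,dc=com" > people.ldif` (with wrapped LDIF lines unfolded first) to see which entries the sync will skip.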
------------------------------------------------------------------------

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
