I am fairly new to FDS. I am using fedora-ds-1.0.2-1.RHEL4 and my goal
is to set up a synchronisation against a W2K3-based Active Directory
domain controller. I've followed the Howto:SSL to set up SSL on the
Fedora server, which works correctly, and I've also followed the "Enabling
SSL with Active Directory" section in Howto:WindowsSync using the TinyCA
method.
On the AD server I've imported the CA cert and the AD server cert I created
following the instructions in the howto. I've used ldp (running on the
AD server) to query the AD system using SSL, and it works after I create
a connection on port 636, bind and run a search.
Before complicating matters with PassSync I wanted to try remotely
querying the server over SSL to see if that works (non-SSL queries work
fine), so I can be sure that the standard sync agreement between FDS and
AD will work. I've tried a number of methods, but I always get
"ldap_bind: Can't contact LDAP server (-1)". On the system I'm making
queries from, I've installed my CA cert in /etc/openssl/cacerts and
configured /etc/openldap/ldap.conf with the following:
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
I'd be very grateful for some advice; it's driving me nutty. Output of the
command is below:
ldapsearch -v -b dc=tech -s sub -H ldaps://w2k3virtual01.tech -x -W -LLL '(objectclass=user)' -D winsync@tech -d 9
ldap_initialize( ldaps://w2k3virtual01.tech )
ldap_create
ldap_url_parse_ext(ldaps://w2k3virtual01.tech)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3virtual01.tech:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.103.20.50:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin@xxxxxxxxxxxx, issuer: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin@xxxxxxxxxxxx
TLS certificate verification: depth: 0, err: 0, subject: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=w2k3virtual01.tech, issuer: /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga Certificate Authority/emailAddress=sysadmin@xxxxxxxxxxxx
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
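The post's ldap.conf relies on TLS_CACERTDIR. With the OpenSSL build of OpenLDAP, a CA in such a directory is only found if it is reachable under its subject-hash name (the `<hash>.0` links that `c_rehash` creates); a bare copy of the PEM file is ignored. The script below is an added example, not code from the original post or from the Fedora Directory Server project: it builds a throwaway CA so the check runs offline, shows the difference between a merely copied CA and a properly hashed one, and includes an `openssl s_client` probe for testing an LDAPS endpoint independently of ldapsearch. It assumes `openssl` is on PATH; the directory names, the test CA subject and the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Fedora DS.
# Checks that a TLS_CACERTDIR-style directory is usable by OpenSSL: the CA
# must be reachable via a <hash>.0 link, which is what `c_rehash` creates.
# Assumes `openssl` is on PATH; directory names and the test CA subject
# are made up for illustration.

# Create a throwaway self-signed CA in a temp directory (constructed test
# input so the check runs offline). Prints the directory path.
make_test_ca() {
    ca_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=UK/O=Example/CN=Example Test CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.pem" >/dev/null 2>&1 || return 1
    echo "$ca_dir"
}

# Subject hash that OpenSSL uses to look a CA up in a directory.
ca_hash() {
    openssl x509 -in "$1" -noout -hash
}

# Install a PEM CA into a CA directory: copy it and add the <hash>.0 link
# that by-directory lookup needs (a bare copy of the file is not enough).
install_ca() {
    target_dir=$1; pem=$2
    mkdir -p "$target_dir"
    cp "$pem" "$target_dir/"
    ln -sf "$(basename "$pem")" "$target_dir/$(ca_hash "$pem").0"
}

# Returns 0 when the CA in $2 can be found by hash in directory $1 and the
# file behind the link parses as a certificate; 1 otherwise.
cacertdir_ok() {
    check_dir=$1; pem=$2
    link="$check_dir/$(ca_hash "$pem").0"
    [ -r "$link" ] && openssl x509 -in "$link" -noout >/dev/null 2>&1
}

# Probe an LDAPS endpoint directly with s_client, independent of ldapsearch,
# and print the chain depths seen plus OpenSSL's verification result.
# Needs network access, so the offline demo below does not call it.
probe_ldaps() {
    probe_host=$1; probe_cafile=$2
    openssl s_client -connect "$probe_host:636" -CAfile "$probe_cafile" </dev/null 2>&1 \
        | grep -E 'depth=|Verify return code'
}

# Offline demonstration: a CA that is merely copied into the directory is
# not found; after install_ca it is.
demo() {
    demo_ca=$(make_test_ca) || return 1
    mkdir -p "$demo_ca/cacerts"
    cp "$demo_ca/ca.pem" "$demo_ca/cacerts/"
    if cacertdir_ok "$demo_ca/cacerts" "$demo_ca/ca.pem"; then
        echo "unexpected: unhashed CA was found"; return 1
    fi
    install_ca "$demo_ca/cacerts" "$demo_ca/ca.pem"
    cacertdir_ok "$demo_ca/cacerts" "$demo_ca/ca.pem" \
        && echo "CA directory OK: $demo_ca/cacerts"
}

demo
```

Two caveats when applying this to a setup like the one in the post. First, OpenSSL 1.0.0 changed the subject-hash algorithm, so for a 0.9.x-era client such as the RHEL4 one here the link name must be the old-style hash (`openssl x509 -noout -subject_hash_old` on newer releases; `c_rehash` on 1.x creates both). Second, with `TLS_REQCERT allow` a CA that cannot be found does not abort the handshake, and the trace above already reports `err: 0` at depths 1 and 0, so the CA directory is unlikely to be what fails there; `probe_ldaps w2k3virtual01.tech ca.pem` shows what the server's TLS layer returns for the same connection without ldapsearch in the way.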