Re: Password Sync Error

From what I remember, you must install Certificate Services on the AD server in order to enable LDAP over SSL. It was part of the email that I sent to you yesterday. You can confirm SSL communication by querying the address book on the AD server on port 636 (http://support.microsoft.com/kb/238007/EN-US/). You can also run 'netstat -an | more' and look for 0.0.0.0:636; this means that the AD server is listening on the secure LDAP port. You then need to export the AD certificate and import it into the FDS server (below). After that, you can test communication by running an ldapsearch from the FDS server to the AD server. There is an example below, something like this:

cd /opt/fedora-ds/alias ; ldapsearch -Z -P . -h hostname.of.ad.server -p 636 -D "cn=Administrator,cn=Users,dc=server,dc=example,dc=com" -W -s base -b "cn=Users,dc=server,dc=example,dc=com" "cn=*"

It's been a while, but I think that I have this right. Someone please correct me if I'm wrong.

Good luck

---From last post---
3. Retrieve the Certificate Authority Certificate
      1. Open a Web browser on the AD machine
      2. Go to http://localhost/certsrv/
      3. Select the task Retrieve the CA certificate or certificate
         revocation list.
      4. Click Next.
      5. The next page automatically highlights the CA certificate.
         Click Download CA certificate.
      6. A new download window opens. Save the file to the hard drive.
   Save in DER mode

Copy file to FDS server, convert to PEM format

openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS

certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

Check certs (from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>" -w <sync manager password> -s <scope> -b "<AD base>" "<filter>"

Jeffrey Jamisola wrote:
Hi Jeff,

Thanks for the reply.

Can I have the following instructions if they are available:

1. How to install Certificate Services, then Enterprise root CA

2. How to enable SSL on AD

Since my AD is Windows Server 2003


Thank you,
Jeffrey

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
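An added check, not code from this thread or from Fedora DS: it does the same trust test the ldapsearch -Z -P step performs, using only Python's standard library, so you can tell a certificate/hostname failure (the TLS handshake raises) apart from a credentials failure (resultCode 49). The AD host name, the ad-cert.pem path from the openssl step, and the sync manager DN/password are assumed placeholders.

```python
import socket
import ssl

def ber(tag, payload):
    # TLV with definite length (short form below 128 bytes, long form above)
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def bind_request(msg_id, dn, password):
    # LDAPMessage { messageID, BindRequest (APPLICATION 0) { version 3,
    # name, authentication simple [0] } }, i.e. what ldapsearch -D/-w sends
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode())
             + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def tlv(buf, pos):
    # header of the element at pos -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, pos, pos + ln

def result_code(msg):
    # resultCode of a BindResponse (0x61) or SearchResultDone (0x65);
    # 0 = success, 49 = invalidCredentials; other operations carry none
    _, p, _ = tlv(msg, 0)          # outer SEQUENCE
    _, _, e = tlv(msg, p)          # messageID
    op, p, _ = tlv(msg, e)         # protocolOp
    if op not in (0x61, 0x65):
        return None
    _, s, e = tlv(msg, p)          # resultCode ENUMERATED
    return int.from_bytes(msg[s:e], "big")

def ldaps_bind_check(host, ca_pem, bind_dn, password, port=636):
    # The handshake fails unless the AD certificate chains to ca_pem (the
    # PEM produced by the openssl step) and its name matches host; then one
    # simple bind as the sync manager.  All arguments are placeholders.
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            # a BindResponse is a few dozen bytes; one recv suffices here
            return result_code(tls.recv(4096))
```

Call it as ldaps_bind_check("hostname.of.ad.server", "ad-cert.pem", "cn=Administrator,cn=Users,dc=server,dc=example,dc=com", password) and expect 0; an ssl.SSLError before any result means the CA import or the host name in -h is the problem, not the account.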

