Re: Windows Sync using SSL : Peer's Certificate issuer is not recognized

Hello Glenn and everyone from the list,

Glenn wrote:
> Hello Andre,
>
> It seems your certificates are not set up correctly. You should have the same CA certificate in the database in both FDS and AD. Also, the server certs in each database should be issued by the same certificate authority.

OK, since then I did it and still I have no luck getting the synchronization to work. I installed FDS 1.0.4 and used the setupssl.sh script which was made available from http://directory.fedoraproject.org/download/setupssl.sh .

It correctly set up SSL in FDS and I also have SSL working in AD as I can use "ldp.exe" and establish a SSL connection to AD with no problems at all.

After using the setupssl.sh script, I generated a server cert for AD in /opt/fedora-ds/alias using the following command:

[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server" -s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt -f pwdfile.txt

After doing this and adjusting the trust attributes I have the following scenario in FDS:

[root@fds ~]# cd /opt/fedora-ds/alias/
[root@fds alias]#
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
[root@fds alias]#

   Legend:

   "AD server" = Active Directory certificate
   "Server-Cert" = FDS server
   "CA certificate" = The CA certificate
   "server-cert" = The admin-server (not the slapd) certificate

It seems to be right. The certificates are all valid according to certutil:

[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u C
certutil-bin: certificate is valid
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u V
certutil-bin: certificate is valid
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u C
certutil-bin: certificate is valid
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u V
certutil-bin: certificate is valid
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u C
certutil-bin: certificate is valid
[root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u V
certutil-bin: certificate is valid
[root@fds alias]#

Also, I imported the certificates into the AD certificate DB and currently I have the following scenario in the AD certificate DB:

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -L

CA certificate                          CT,C,C
Server-Cert                             Pu,Pu,Pu
AD server                               Pu,Pu,Pu

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u V
certutil.exe: certificate is valid

However, I'm still seeing the same errors in /opt/fedora-ds/slapd-<instance>/logs/errors:

[28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync" (adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

If I create a sync agreement which doesn't use SSL, using port 389 directly, I can do synchronization both ways (to and from AD and to and from FDS), but no users' passwords are synchronized, and this is crucial for me to get working.

Any ideas on what I should be looking at or on where the problem is hiding itself?

Regards,

--
André Luís Lopes
andrelop@xxxxxxxxxxxxx

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
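A quick consistency check over the two `certutil -L` listings in the post above, added here as an example and not part of the thread or of the Fedora DS tooling. It decodes the NSS trust flags each side needs (the CA must carry `C` in the SSL slot on the side that verifies the peer) and flags the one thing the listings do show: a `u` flag, meaning a private key, on the entry for the *remote* side's certificate, which only matters if that same key pair was also installed where the peer actually serves LDAPS. Assumptions: the nicknames are the ones from the post, and the AD-side Password Sync DB is treated purely as a client of FDS.

```python
import re

# Constructed sample input: the two `certutil -L` listings as pasted in the post
# (the FDS alias DB on the Linux side, the Password Sync NSS DB on the AD side).
FDS_LISTING = """\
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
"""
ADSYNC_LISTING = """\
CA certificate\t\t\t\tCT,C,C
Server-Cert                             Pu,Pu,Pu
AD server                               Pu,Pu,Pu
"""

# nickname (may contain spaces), whitespace, then the three comma-separated trust slots
TRUST_LINE = re.compile(r"^(\S.*?)\s+([CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)\s*$")

def parse_listing(text):
    """Map nickname -> SSL-slot trust flags (the first slot is the one LDAPS uses)."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2).split(",")[0]
    return certs

def lint_side(db, ca, own_cert, peer_cert):
    """Findings for one NSS DB that must verify peer_cert (and present own_cert, if any)."""
    findings = []
    if ca not in db:
        findings.append(f"CA {ca!r} is not in this DB")
    elif "C" not in db[ca]:
        findings.append(f"CA {ca!r} lacks the 'C' (trusted to issue SSL server certs) flag: {db[ca]!r}")
    if own_cert is not None and "u" not in db.get(own_cert, ""):
        findings.append(f"{own_cert!r} has no private key here ('u' missing), so this side cannot present it")
    if "u" in db.get(peer_cert, ""):
        findings.append(f"{peer_cert!r} has a private key ('u') in this DB: the key was generated or imported "
                        "here, so the peer only presents this cert if the same key pair was installed there")
    return findings

def lint_winsync(fds_text, adsync_text, ca="CA certificate", fds_cert="Server-Cert", ad_cert="AD server"):
    """Check both directions of the sync agreement; AD-side DB is assumed to be a client of FDS only."""
    return {
        "fds": lint_side(parse_listing(fds_text), ca, fds_cert, ad_cert),
        "adsync": lint_side(parse_listing(adsync_text), ca, None, fds_cert),
    }

if __name__ == "__main__":
    for side, findings in lint_winsync(FDS_LISTING, ADSYNC_LISTING).items():
        print(f"{side}: " + ("; ".join(findings) or "trust flags look consistent"))
```

When the flags come out clean, as they do for these listings, the next thing to compare is the certificate AD really presents on port 636 (for example with `openssl s_client -connect adserver:636 -showcerts`) against the "AD server" entry, since NSS error -8179 means that presented certificate chains to no CA in the FDS DB.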
