Re: Windows Active Directory sync Help!

[Rich Megginson <rmeggins@xxxxxxxxxx>]

kiran madala wrote:
> Also the console give me thsi error when Icick on manage certificates on the DS server and never opens up. It works fine on AS server
>   
Looks like a bug.  Are you using the IcedTea java on Fedora 8?
> Exception during event dispatch:
> java.lang.NullPointerException
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>    at java.awt.Component.processEvent(libgcj.so.7rh)
>    at java.awt.Container.processEvent(libgcj.so.7rh)
>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/"; java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/"; java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
>
>
>
> ----------------------------------------
>   
> > From: kirankmadala@xxxxxxxxxxx
> > To: fedora-directory-users@xxxxxxxxxx
> > Subject: RE:  Windows Active Directory sync Help!
> > Date: Wed, 9 Jan 2008 17:03:18 -0400
> >
> >
> > I keep getting these errors when trying to initiate sync 
> >
> > [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
> > [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
> >
> > The LDAP search is not installed on my machine so i could not do a search
> > ----------------------------------------
> >     
> > > Date: Wed, 9 Jan 2008 11:43:49 -0700
> > > From: rmeggins@xxxxxxxxxx
> > > To: fedora-directory-users@xxxxxxxxxx
> > > Subject: Re:  Windows Active Directory sync Help!
> > >
> > > kiran madala wrote:
> > >       
> > > > Sorry here is the error log for DS server
> > > >
> > > > [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
> > > >
> > > > It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine. 
> > > >   
> > > >         
> > > Did you configure the agreement to use SSL?  Error 91 means some sort of 
> > > connection problem, or invalid argument to the LDAP API e.g. you are 
> > > attempting to use LDAP on the secure port instead of LDAPS.
> > >
> > > You can verify that TLS/SSL is working by using ldapsearch from the 
> > > command line.  On the directory server machine:
> > > /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P 
> > > /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
> > >
> > > Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
> > >       
> > > > ----------------------------------------
> > > >   
> > > >         
> > > > > Date: Wed, 9 Jan 2008 11:09:54 -0700
> > > > > From: rmeggins@xxxxxxxxxx
> > > > > To: fedora-directory-users@xxxxxxxxxx
> > > > > Subject: Re:  Windows Active Directory sync Help!
> > > > >
> > > > > kiran madala wrote:
> > > > >     
> > > > >           
> > > > > > I am using  Fedora 1.1 on Fedora 6 x86 machine.  When i fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?".  Also in the domain controller host field can I specify the IP address of the machine?. 
> > > > > >
> > > > > > The error log for DS server is below. The IP is the windows xp machine on whcih I am  runnign the remote DS console.
> > > > > >
> > > > > > [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
> > > > > > <snip<
> > > > > >   
> > > > > >       
> > > > > >             
> > > > > Actually, this is the error log for the admin server.  The error log for 
> > > > > the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance 
> > > > > is your instance name.
> > > > >
> > > > > The console might be failing to connect to AD because the console has a 
> > > > > separate key/cert db under ~/.fedora-idm-console (in 1.1).  You may need 
> > > > > to add the CA cert in this directory too:
> > > > >
> > > > > certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
> > > > >
> > > > >     
> > > > >           
> > > > > > ----------------------------------------
> > > > > >   
> > > > > >       
> > > > > >             
> > > > > > > Date: Wed, 9 Jan 2008 10:52:05 -0700
> > > > > > > From: rmeggins@xxxxxxxxxx
> > > > > > > To: fedora-directory-users@xxxxxxxxxx
> > > > > > > Subject: Re:  Windows Active Directory sync Help!
> > > > > > >
> > > > > > > kiran madala wrote:
> > > > > > >     
> > > > > > >         
> > > > > > >               
> > > > > > > > As far I understand by reading docs again that the user specified in the Syn agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges.  But I have other issues now.
> > > > > > > >
> > > > > > > > The DS server is unable to connect to my AD.
> > > > > > > >       
> > > > > > > >           
> > > > > > > >                 
> > > > > > > What error messages are you getting?  Check the error log.
> > > > > > >
> > > > > > > You can also try using ldapsearch.  Are you using Fedora DS 1.1 or 
> > > > > > > 1.0.4?  What OS?
> > > > > > >     
> > > > > > >         
> > > > > > >               
> > > > > > > > I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
> > > > > > > >   
> > > > > > > >       
> > > > > > > >           
> > > > > > > >                 
> > > > > > > You don't need to use cert based client auth.  You can use regular 
> > > > > > > username/password auth over TLS/SSL.
> > > > > > >     
> > > > > > >         
> > > > > > >               
> > > > > > > > My currents certificates are as follows.
> > > > > > > >
> > > > > > > > DS has its own server certificate
> > > > > > > > AD has its own server  certificate
> > > > > > > > ALL 3 servers AS,DS and AD have the same CA root certificate
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ----------------------------------------
> > > > > > > >   
> > > > > > > >       
> > > > > > > >           
> > > > > > > >                 
> > > > > > > > > From: kirankmadala@xxxxxxxxxxx
> > > > > > > > > To: fedora-directory-users@xxxxxxxxxx
> > > > > > > > > Date: Wed, 9 Jan 2008 10:35:00 -0400
> > > > > > > > > Subject:  Windows Active Directory sync Help!
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
> > > > > > > > >
> > > > > > > > > I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
> > > > > > > > >
> > > > > > > > > In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
> > > > > > > > >
> > > > > > > > > When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups aswell.
> > > > > > > > >
> > > > > > > > > Thanks in advance
> > > > > > > > > _________________________________________________________________
> > > > > > > > > Exercise your brain! Try Flexicon!
> > > > > > > > > http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig
> > > > > > > > >     
> > > > > > > > >         
> > > > > > > > >             
> > > > > > > > >                   
> > > > > > > > _________________________________________________________________
> > > > > > > > Use fowl language with Chicktionary. Click here to start playing!
> > > > > > > > http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig
> > > > > > > >
> > > > > > > > --
> > > > > > > > Fedora-directory-users mailing list
> > > > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > > >   
> > > > > > > >       
> > > > > > > >           
> > > > > > > >                 
> > > > > > _________________________________________________________________
> > > > > > Read what Santa`s been up to! For all the latest, visit asksantaclaus.spaces.live.com!
> > > > > > http://asksantaclaus.spaces.live.com/
> > > > > >
> > > > > > --
> > > > > > Fedora-directory-users mailing list
> > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > >   
> > > > > >       
> > > > > >             
> > > > _________________________________________________________________
> > > > Introducing the City @ Live! Take a tour!
> > > > http://getyourliveid.ca/?icid=LIVEIDENCA006
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >   
> > > >         
> > _________________________________________________________________
> > Express yourself instantly with MSN Messenger! Download today it's FREE!
> > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >     
>
> _________________________________________________________________
> Exercise your brain! Try Flexicon!
> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

<<attachment: smime.p7s>>

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users