RE: Unable to SSL with Windows Sync Agreement

"Groot, Mathijs de (IDT Competence Java)" <math.de.groot@xxxxxxxxxx> · Thu, 7 Aug 2008 16:19:48 +0200

Hi Sebastian,

Thanks for your reply.

We’ve created the CA and Server certificates on Red Hat
Directory Server

(like described in: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html
)   

And created a server certificate on the Windows Server (http://support.microsoft.com/kb/931351)

The CA and Server certificates are exchanged between the both
Servers and are trusted, like the certutil output shows:

On the Red Hat Directory (rhds.grep):

#
certutil -L -d .

Certificate Nickname

Trust Attributes

SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert         
      CTu,u,u

parijs_server_cert            
,,

rhds_server_cert        
      u,u,u

parijs_ca_cert                
CT,,

on the Windows Active Directory (parijs.gem):

C:\Program
Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                                       
CT,C,C

rhds_ds_server_cert                        
           Pu,Pu,Pu

And the ldapsearch in the command line from the Red Hat server over
SSL works with the use of the certificate database, the following command returns
entries of Windows Active Directory:

/usr/lib64/mozldap/ldapsearch
-Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D
"CN=Administrator,CN=Users,DC=parijs,DC=gem"  -w - -s base -b
"dc=parijs,dc=gem" "objectclass=top"

Note that I’m using a Red Hat Enterprise 64 bits version
and a Windows 2003 32bits.

Do you’ve got any suggestions why there are no outgoing
tcp/ip packages from the Red hat Directory Server when the  new Windows Sync 
Agreement is configured and the message is shown that the Red Hat server is unable
to contact Active Directory server?

Mathijs.

From:
fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Sebastian
Tabarce

Sent: donderdag 7 augustus 2008 15:03

To: General discussion list for the Fedora Directory server project.

Subject: Re:  Unable to SSL with Windows Sync
Agreement

  Mathisj,

  If I'm not mistaking, in order for the two servers to be able to talk with
  each other, they need to have certificates signed by Certificate Authorities
  recognized by the two servers (meaning, the certificates of these root CAs
  must be installed on the two servers). Even more straightforward is to
  generate certificate requests for both servers and get them signed by the
  same root CA.

  --- On Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java) <math.de.groot@xxxxxxxxxx>
  wrote:
  From: Groot, Mathijs de (IDT
  Competence Java) <math.de.groot@xxxxxxxxxx>

  Subject:  Unable to SSL with Windows Sync Agreement

  To: fedora-directory-users@xxxxxxxxxx

  Date: Thursday, July 31, 2008, 12:18 PM

  Hello
  everyone,

  I
  can use some help with setting up the Windows Sync.

  Ill
  give some context first, im trying to sync user, groups and passwords from a
  Windows 2003 server with Active Directory with a Red Hat enterprise 5, Red
  Hat Directory Server 8.0.
  It
  is a test environment with where I can access and configure the servers
  easily.

  But
  ive got some problems setting a new Windows Sync Agreement.

  It
  comes down to the following:
  I
  can’t get an SSL connection  with the a new  Windows Sync
  Agreement, from the Red Hat DS to the Windows AD server.

  In
  the Windows Sync Server info screen I get the following message when clicking
  on next:  
  "unable
  to contact Active Directory server, continue"
  (Windows
  Sync Server info screen located In the Directory Server Console -> 
  Configuration tab ->  Replication -> userRoot -> highlight the
  database -> Object -> New Windows Sync Agreement -> The second
  screen reads Windows Sync Server Info)

  But
  when I uncheck the checkbox “Using encrypted SSL connection” the
  connection works and the Windows AD server is reached.
  So
  this concludes (and ive tested) that the Windows Server and domain is
  reachable and the Bind DN is valid, and entered values are correct.

  The
  SSL connection seems to be setup correctly, the checks (ldapsearch query)
  described by the fedora manual outputs the correct result. Following:
  “
  http://directory.fedoraproject.org/wiki/Howto:WindowsSync

  Testing
  your Configuration
  Test
  to make sure you can talk SSL from Fedora Directory to AD
  This
  is how you test to verify that the Windows side SSL is enabled properly:
  ldapsearch
  -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port>
  -D "<sync manager user>” -w < sync manager password>
  -s <scope> -b "<AD base>" "<filter>"
  “
  My
  ldapsearch query:
  /usr/lib64/mozldap/dapsearch
  -Z -P /etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p
  636 -D "CN=Administrator,CN=Users,DC=domain,DC=com"  -w
  <pwd> -s base -b "dc=domain,dc=com"
  "objectclass=top"

  But
  strangely enough there is not network traffic at all when the SSL 
  connection is checked!
  (when
  clicking on next and the message "unable to contact Active Directory
  server, continue" appears)

  Ive
  done the following actions to make to monitor it:

  First
  I’ve disabled SELinux, in case that blocks something (just for
  testing).

  watch
  the tcp ip traffic with:
  tcpdump
  -nn -p port not ssh and ip host <Red Hat IP number>
  Here
  I can see that, when I don’t use the SSL connection, there is traffic
  towards my Widows AD, but when ive check the SSL option, there is no traffic
  at all, nothing.

  As
  well when I look at the iptables:
  added
  an extra line: iptables -I OUTPUT  1 -d <Windows AD IP number> -j
  ACCEPT 
  watch
  -d iptables -L –nv

  I
  see the same result, traffic when I don’t use the SSL option and no
  traffic at all when the SSL option is checked.

  How
  can I get the message "unable to contact Active Directory server,
  continue" when there is no outgoing request from my Red Hat server.

  Ive
  made certificates at both sides (Windows and Red Hat) and exported and
  imported these certificated to the other server.

  Please
  advice on following steps I can take, what the problem can be and how it is
  possible that there is no traffic at all.

  Thanks
  in advanced.

  Matt

  Mathijs A. de Groot

  Consultant - Software Engineer

  _________________________________________ 
  Logica -
  Releasing your potential 
  George Hintzenweg 89

  3068 AX Rotterdam

  Postbus 8566

  3009 AN Rotterdam

  Nederland

  T:  +31 (0) 10 253 7000

  D:   +31(0) 70 37 56627

  E: math.de.groot@xxxxxxxxxx

  www.logica.com

  Logica Nederland B.V.

  Registered office in
  Amstelveen, The Netherlands

  Registration Number Chamber of Commerce: 33136004

  This e-mail and any attachment is for authorised use by the intended
  recipient(s) only. It may contain proprietary material, confidential
  information and/or be subject to legal privilege. It should not be copied,
  disclosed to, retained or used by, any other party. If you are not an
  intended recipient then please promptly delete this e-mail and any attachment
  and all copies and inform the sender. Thank you. 

  --

Fedora-directory-users mailing list

Fedora-directory-users@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/fedora-directory-users

 This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users