RE: Unable to SSL with Windows Sync Agreement

"Groot, Mathijs de (IDT Competence Java)" <math.de.groot@xxxxxxxxxx> · Fri, 8 Aug 2008 11:29:06 +0200

Hi Sebastian,

Thanks for your suggestion.

I’m assuming that when the CA is trusted for Server and Client
certificates (CT) the server certificates signed by that CA are automatically
trusted peer as well.

I have made the trust changes to the certificates and imported the
third windows certificate as well, my (clean installed) windows Server has
three certificates, the last one added is the domain certificate. the CA and
Server certificates should be sufficient according to the manual.

Red Hat Directory Server (gemeente.grep)

#
certutil -L -d .

Certificate
Nickname       Trust Attributes

      SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert       
CTu,u,u

gemeente_ds_server_cert   
u,u,u

parijs_ca_cert            
CT,,

parijs_domain_cert        
P,P,P

parijs_server_cert        
P,P,P

Windows Active Directory (parijs.gem) unchanged

C:\Program
Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert               CT,C,C

rhds_ds_server_cert           Pu,Pu,Pu

In the mean while, I’ve run some extra test to check the connectivity
between the Red Hat and Windows Server, but all of the following test outputs
the expected result of the query

These search queries are executed from the Red Hat Directory
Server.

#/usr/lib64/mozldap/dapsearch
-Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D
"CN=Administrator,CN=Users,DC=parijs,DC=gem"  -w <pwd> -s
base -b "dc=parijs,dc=gem" "objectclass=top"

#/usr/lib64/mozldap/ldapsearch
-x -ZZ -b 'dc=gemeente,dc=grep' -D "cn=Directory Manager" –w <pwd>
'(objectclass=*)'

#
/usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b 'dc=parijs,dc=gem'
-D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> '(objectclass=*)'

But there are still no outgoing tcp/ip packages from the Red Hat
Directory Server when the  new Windows Sync  Agreement is configured
and the message is shown that the Red Hat server is unable to contact Active
Directory server.

Problem summary:

I can’t get an SSL connection  with the a new 
Windows Sync Agreement, from the Red Hat DS to the Windows AD server.

Ldapsearch queries over SSL seems to work fine,  But
strangely enough there is not network traffic at all when the SSL 
connection is checked!

(when clicking on next and the message "unable to contact
Active Directory server, continue" appears). See emails below for more
information.

Does anyone has a suggestion how to trouble shoot this problem?

Mathijs de Groot

From: Sebastian Tabarce
[mailto:blue_moon_ro@xxxxxxxxx] 

Sent: donderdag 7 augustus 2008 20:23

To: Groot, Mathijs de (IDT Competence Java)

Subject: RE:  Unable to SSL with Windows Sync
Agreement

  Hi Mathijs,

  From what you showed us, it seems that while RHDS is a trusted peer of Active
  Directory, Active Directory is not a trusted peer of RHDS. This might be a
  reason for RHDS to not even try to establish a sync with AD. Other then this,
  I have no other ideas for now. I'm not an experimented RHDS admin, but maybe
  others will be of more help.

  Good luck,

  Sebastian

  --- On Thu, 8/7/08, Groot, Mathijs de (IDT Competence Java) <math.de.groot@xxxxxxxxxx>
  wrote:
  From: Groot, Mathijs de (IDT
  Competence Java) <math.de.groot@xxxxxxxxxx>

  Subject: RE:  Unable to SSL with Windows Sync
  Agreement

  To: blue_moon_ro@xxxxxxxxx, "General discussion list for the Fedora
  Directory server project." <fedora-directory-users@xxxxxxxxxx>

  Date: Thursday, August 7, 2008, 5:19 PM

  Hi
  Sebastian,

  Thanks
  for your reply.

  We’ve
  created the CA and Server certificates on Red Hat Directory Server
  (like
  described in: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html
  )   
  And
  created a server certificate on the Windows Server (http://support.microsoft.com/kb/931351)

  The
  CA and Server certificates are exchanged between the both Servers and are
  trusted, like the certutil output shows:

  On
  the Red Hat Directory (rhds.grep):
  # certutil -L -d .

  Certificate Nickname

  Trust Attributes

  SSL,S/MIME,JAR/XPI
  rhds_ds_ca_cert         
        CTu,u,u
  parijs_server_cert            
  ,,
  rhds_server_cert        
        u,u,u
  parijs_ca_cert                
  CT,,

  on
  the Windows Active Directory (parijs.gem):
  C:\Program Files\Red Hat
  Directory Password Synchronization>certutil -L -d .
  rhds_ds_ca_cert                                       
  CT,C,C
  rhds_ds_server_cert                        
             Pu,Pu,Pu

  And
  the ldapsearch in the command line from the Red Hat server over SSL works
  with the use of the certificate database, the following command returns
  entries of Windows Active Directory:
  /usr/lib64/mozldap/ldapsearch
  -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D
  "CN=Administrator,CN=Users,DC=parijs,DC=gem"  -w - -s base -b
  "dc=parijs,dc=gem" "objectclass=top"

  Note
  that I’m using a Red Hat Enterprise 64 bits version and a Windows 2003
  32bits.

  Do
  you’ve got any suggestions why there are no outgoing tcp/ip packages
  from the Red hat Directory Server when the  new Windows Sync 
  Agreement is configured and the message is shown that the Red Hat server is
  unable to contact Active Directory server?

  Mathijs

  From:
  fedora-directory-users-bounces@xxxxxxxxxx
  [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Sebastian
  Tabarce

  Sent: donderdag 7 augustus 2008 15:03

  To: General discussion list for the Fedora Directory server project.

  Subject: Re:  Unable to SSL with Windows Sync
  Agreement

    Mathisj,

    If I'm not mistaking, in order for the two servers to be able to talk with
    each other, they need to have certificates signed by Certificate
    Authorities recognized by the two servers (meaning, the certificates of
    these root CAs must be installed on the two servers). Even more
    straightforward is to generate certificate requests for both servers and
    get them signed by the same root CA.

    --- On Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java) <math.de.groot@xxxxxxxxxx>
    wrote:
    From:
    Groot, Mathijs de (IDT Competence Java) <math.de.groot@xxxxxxxxxx>

    Subject:  Unable to SSL with Windows Sync Agreement

    To: fedora-directory-users@xxxxxxxxxx

    Date: Thursday, July 31, 2008, 12:18 PM

    Hello everyone,

    I can use some help with setting up the Windows Sync.

    Ill give some context first, im trying to sync user, groups and
    passwords from a Windows 2003 server with Active Directory with a Red Hat
    enterprise 5, Red Hat Directory Server 8.0.
    It is a test environment with where I can access and configure the
    servers easily.

    But ive got some problems setting a new Windows Sync Agreement.

    It comes down to the following:
    I can’t get an SSL connection  with the a new 
    Windows Sync Agreement, from the Red Hat DS to the Windows AD server.

    In the Windows Sync Server info screen I get the following message
    when clicking on next:  
    "unable to contact Active Directory server, continue"
    (Windows Sync Server info screen located In the Directory Server
    Console ->  Configuration tab ->  Replication ->
    userRoot -> highlight the database -> Object -> New Windows Sync
    Agreement -> The second screen reads Windows Sync Server Info)

    But when I uncheck the checkbox “Using encrypted SSL
    connection” the connection works and the Windows AD server is
    reached.
    So this concludes (and ive tested) that the Windows Server and domain
    is reachable and the Bind DN is valid, and entered values are correct.

    The SSL connection seems to be setup correctly, the checks
    (ldapsearch query) described by the fedora manual outputs the correct
    result. Following:
    “
    http://directory.fedoraproject.org/wiki/Howto:WindowsSync

    Testing your Configuration
    Test to make sure you can talk SSL from Fedora Directory to AD
    This is how you test to verify that the Windows side SSL is enabled
    properly:
    ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p
    <AD SSL port> -D "<sync manager user>” -w < sync
    manager password> -s <scope> -b "<AD base>"
    "<filter>"
    “
    My ldapsearch query:
    /usr/lib64/mozldap/dapsearch -Z -P
    /etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D
    "CN=Administrator,CN=Users,DC=domain,DC=com"  -w <pwd>
    -s base -b "dc=domain,dc=com" "objectclass=top"

    But strangely enough there is not network traffic at all when the
    SSL  connection is checked!
    (when clicking on next and the message "unable to contact Active
    Directory server, continue" appears)

    Ive done the following actions to make to monitor it:

    First I’ve disabled SELinux, in case that blocks something
    (just for testing).

    watch the tcp ip traffic with:
    tcpdump -nn -p port not ssh and ip host <Red Hat IP number>
    Here I can see that, when I don’t use the SSL connection, there
    is traffic towards my Widows AD, but when ive check the SSL option, there
    is no traffic at all, nothing.

    As well when I look at the iptables:
    added an extra line: iptables -I OUTPUT  1 -d <Windows AD IP
    number> -j ACCEPT 
    watch -d iptables -L –nv

    I see the same result, traffic when I don’t use the SSL option
    and no traffic at all when the SSL option is checked.

    How can I get the message "unable to contact Active Directory
    server, continue" when there is no outgoing request from my Red Hat
    server.

    Ive made certificates at both sides (Windows and Red Hat) and
    exported and imported these certificated to the other server.

    Please advice on following steps I can take, what the problem can be
    and how it is possible that there is no traffic at all.

    Thanks in advanced.

    Matt

    Mathijs
    A. de Groot

    Consultant - Software Engineer

    _________________________________________ 
    Logica -
    Releasing your potential 
    George
    Hintzenweg 89

    3068 AX Rotterdam

    Postbus 8566

    3009 AN Rotterdam

    Nederland

    T:  +31 (0) 10 253 7000

    D:   +31(0) 70 37 56627

    E: math.de.groot@xxxxxxxxxx

    www.logica.com

    Logica Nederland B.V.

    Registered office in
    Amstelveen, The Netherlands

    Registration Number Chamber of Commerce: 33136004

    This e-mail and any attachment is for authorised use by the intended
    recipient(s) only. It may contain proprietary material, confidential
    information and/or be subject to legal privilege. It should not be copied,
    disclosed to, retained or used by, any other party. If you are not an
    intended recipient then please promptly delete this e-mail and any
    attachment and all copies and inform the sender. Thank you. 

    --

Fedora-directory-users mailing list

Fedora-directory-users@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/fedora-directory-users

  This e-mail and any attachment is for authorised use by the intended
  recipient(s) only. It may contain proprietary material, confidential
  information and/or be subject to legal privilege. It should not be copied,
  disclosed to, retained or used by, any other party. If you are not an
  intended recipient then please promptly delete this e-mail and any attachment
  and all copies and inform the sender. Thank you. 

 This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users