<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 12 (filtered medium)"> <style>  </style>  </head> <body lang=EN-US link=blue vlink=purple> <div class=Section1> Hello everyone,<o:p></o:p> <o:p> </o:p> I can use some help with setting up the Windows Sync.<o:p></o:p> <o:p> </o:p> Ill give some context first, im trying to sync user, groups and passwords from a Windows 2003 server with Active Directory with a Red Hat enterprise 5, Red Hat Directory Server 8.0.<o:p></o:p> It is a test environment with where I can access and configure the servers easily.<o:p></o:p> <o:p> </o:p> But ive got some problems setting a new Windows Sync Agreement.<o:p></o:p> <o:p> </o:p> It comes down to the following:<o:p></o:p> I can’t get an SSL connection with the a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server.<o:p></o:p> <o:p> </o:p> In the Windows Sync Server info screen I get the following message when clicking on next: <o:p></o:p> "unable to contact Active Directory server, continue"<o:p></o:p> (Windows Sync Server info screen located In the Directory Server Console -> Configuration tab -> Replication -> userRoot -> highlight the database -> Object -> New Windows Sync Agreement -> The second screen reads Windows Sync Server Info)<o:p></o:p> <o:p> </o:p> But when I uncheck the checkbox “Using encrypted SSL connection” the connection works and the Windows AD server is reached.<o:p></o:p> So this concludes (and ive tested) that the Windows Server and domain is reachable and the Bind DN is valid, and entered values are correct.<o:p></o:p> <o:p></o:p> The SSL connection seems to be setup correctly, the checks (ldapsearch query) described by the fedora manual outputs the correct result. Following:<o:p></o:p> “<o:p></o:p> <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a> <o:p></o:p> Testing your Configuration<o:p></o:p> Test to make sure you can talk SSL from Fedora Directory to AD<o:p></o:p> This is how you test to verify that the Windows side SSL is enabled properly:<o:p></o:p> ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>” -w < sync manager password> -s <scope> -b "<AD base>" "<filter>"<o:p></o:p> “<o:p></o:p> My ldapsearch query:<o:p></o:p> /usr/lib64/mozldap/dapsearch -Z -P /etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D "CN=Administrator,CN=Users,DC=domain,DC=com" -w <pwd> -s base -b "dc=domain,dc=com" "objectclass=top"<o:p></o:p> <o:p> </o:p> But strangely enough there is not network traffic at all when the SSL connection is checked!<o:p></o:p> (when clicking on next and the message "unable to contact Active Directory server, continue" appears)<o:p></o:p> <o:p> </o:p> Ive done the following actions to make to monitor it:<o:p></o:p> <o:p> </o:p> First I’ve disabled SELinux, in case that blocks something (just for testing).<o:p></o:p> <o:p> </o:p> watch the tcp ip traffic with:<o:p></o:p> tcpdump -nn -p port not ssh and ip host <Red Hat IP number><o:p></o:p> Here I can see that, when I don’t use the SSL connection, there is traffic towards my Widows AD, but when ive check the SSL option, there is no traffic at all, nothing.<o:p></o:p> <o:p> </o:p> As well when I look at the iptables:<o:p></o:p> added an extra line: iptables -I OUTPUT 1 -d <Windows AD IP number> -j ACCEPT <o:p></o:p> watch -d iptables -L –nv<o:p></o:p> <o:p> </o:p> I see the same result, traffic when I don’t use the SSL option and no traffic at all when the SSL option is checked.<o:p></o:p> <o:p> </o:p> How can I get the message "unable to contact Active Directory server, continue" when there is no outgoing request from my Red Hat server.<o:p></o:p> <o:p> </o:p> Ive made certificates at both sides (Windows and Red Hat) and exported and imported these certificated to the other server.<o:p></o:p> <o:p> </o:p> Please advice on following steps I can take, what the problem can be and how it is possible that there is no traffic at all.<o:p></o:p> <o:p> </o:p> Thanks in advanced.<o:p></o:p> <o:p> </o:p> Matt<o:p></o:p> <o:p> </o:p> <o:p> </o:p> Mathijs A. de Groot Consultant - Software Engineer _________________________________________ <o:p></o:p> Logica - Releasing your potential <o:p></o:p> George Hintzenweg 89 3068 AX Rotterdam Postbus 8566 3009 AN Rotterdam Nederland T: +31 (0) 10 253 7000 D: +31(0) 70 37 56627 E: <a href="mailto:math.de.groot@logica.com">math.de.groot@logica.com</a> <a href="http://www.logica.com/">www.logica.com</a> Logica Nederland B.V. Registered office in Amstelveen, The Netherlands Registration Number Chamber of Commerce: 33136004<o:p></o:p> <o:p> </o:p> </div> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. </body> </html>