<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.emailstyle171
{mso-style-name:emailstyle171;}
span.htmlpreformattedchar0
{mso-style-name:htmlpreformattedchar;}
span.emailstyle21
{mso-style-name:emailstyle21;}
span.emailstyle1711
{mso-style-name:emailstyle1711;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.htmlpreformattedchar1
{mso-style-name:htmlpreformattedchar1;
font-family:Consolas;}
span.emailstyle211
{mso-style-name:emailstyle211;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Sebastian,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks for your suggestion.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m assuming that when the CA is trusted for Server and Client
certificates (CT), the server certificates signed by that CA are automatically
trusted peers as well.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have made the trust changes to the certificates and imported the
third Windows certificate as well; my (clean-installed) Windows Server has
three certificates, the last one added being the domain certificate. The CA and
Server certificates should be sufficient according to the manual.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
Red Hat Directory Server (gemeente.grep)<o:p></o:p></span></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>#
certutil -L -d .<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>Certificate
Nickname Trust Attributes<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>
SSL,S/MIME,JAR/XPI<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>gemeente_ds_ca_cert
CTu,u,u<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span lang=NL style='font-size:10.0pt;font-family:"Courier New"'>gemeente_ds_server_cert
u,u,u<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>parijs_ca_cert
CT,,<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>parijs_domain_cert
P,P,P<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Courier New"'>parijs_server_cert
P,P,P<o:p></o:p></span></i></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Windows Active Directory (parijs.gem) unchanged<br>
</span><i><span style='font-size:10.0pt;font-family:"Courier New"'>C:\Program
Files\Red Hat Directory Password Synchronization>certutil -L -d .</span></i><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>
</span><i><span style='font-size:10.0pt;font-family:"Courier New"'>rhds_ds_ca_cert CT,C,C</span></i><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>
</span><i><span style='font-size:10.0pt;font-family:"Courier New"'>rhds_ds_server_cert Pu,Pu,Pu</span></i><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In the meantime, I’ve run some extra tests to check the connectivity
between the Red Hat and Windows Server, but all of the following tests output
the expected result of the query.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>These search queries are executed from the Red Hat Directory
Server.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>#/usr/lib64/mozldap/ldapsearch
-Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D
"CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> -s
base -b "dc=parijs,dc=gem" "objectclass=top"<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>#/usr/lib64/mozldap/ldapsearch
-x -ZZ -b 'dc=gemeente,dc=grep' -D "cn=Directory Manager" -w <pwd>
'(objectclass=*)'<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>#
/usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b 'dc=parijs,dc=gem'
-D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> '(objectclass=*)'<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But there are still no outgoing TCP/IP packets from the Red Hat
Directory Server when the new Windows Sync Agreement is configured,
and the message is shown that the Red Hat server is unable to contact the Active
Directory server.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Problem summary:<o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I can’t get an SSL connection with a new
Windows Sync Agreement, from the Red Hat DS to the Windows AD server.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>ldapsearch queries over SSL seem to work fine, but
strangely enough there is no network traffic at all when the SSL
connection is checked!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>(when clicking on next and the message "unable to contact
Active Directory server, continue" appears). See emails below for more
information.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Does anyone have a suggestion on how to troubleshoot this problem?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Mathijs de Groot<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
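<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Added example (not part of this thread and not Red Hat Directory Server tooling): a small Python script that parses the trust-attribute column of <i>certutil -L</i> output, decodes each NSS flag letter (C, T, P, u and so on) per usage column, and summarises what the SSL column lets the local NSS database do: which certificates can act as trust anchors for a remote server certificate, which leaf certificates are trusted explicitly as peers, and which carry a private key. The flag meanings are the documented NSS certutil trust flags; the embedded sample listing is the Red Hat side listing quoted above, and the function names are this example's own.<o:p></o:p></span></p>
<pre>
```python
"""Decode the trust-attribute column of `certutil -L` output (NSS cert8.db).

Added example, not code from the mailing-list thread. The flag meanings are
the documented NSS/certutil trust flags; the sample listing is the Red Hat
side listing posted in the thread above.
"""

# NSS trust-flag letters. Each certificate carries one flag string per
# usage column, in the order SSL, S/MIME, JAR/XPI (object signing).
FLAG_MEANINGS = {
    "p": "valid peer",
    "P": "trusted peer (leaf certificate trusted explicitly)",
    "c": "valid CA",
    "C": "trusted CA for issuing server certificates",
    "T": "trusted CA for issuing client certificates",
    "u": "private key present (usable as this host's own certificate)",
    "w": "warn when used",
}
COLUMNS = ("SSL", "S/MIME", "JAR/XPI")

# Constructed from the listing in the mail above (Red Hat Directory Server side).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                                          CTu,u,u
gemeente_ds_server_cert                                      u,u,u
parijs_ca_cert                                               CT,,
parijs_domain_cert                                           P,P,P
parijs_server_cert                                           P,P,P
"""


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} trust strings from certutil -L text.

    The header, the blank separator and any line whose last token is not a
    three-field trust string made of known flag letters are skipped, so the
    function copes with nicknames that contain spaces.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) in (0, 1):
            continue
        nickname, trust = " ".join(parts[:-1]), parts[-1]
        fields = trust.split(",")
        if len(fields) != 3:
            continue
        if any(ch not in FLAG_MEANINGS for field in fields for ch in field):
            continue
        entries[nickname] = tuple(fields)
    return entries


def describe(flags):
    """Spell out one trust field such as 'CTu' or '' for a reader."""
    if not flags:
        return "no explicit trust (valid only if it chains to a trusted CA)"
    return "; ".join(FLAG_MEANINGS[ch] for ch in flags)


def ssl_summary(entries):
    """Group nicknames by what their SSL column allows an LDAPS client to do.

    'server_ca_anchors' can vouch for a remote server certificate ('C'),
    'trusted_peers' are leaf certificates accepted as-is ('P'),
    'own_certs' have a private key the local server can present ('u'),
    'untrusted' carry no SSL flag at all and rely entirely on chaining.
    """
    ssl = {nick: fields[0] for nick, fields in entries.items()}
    return {
        "server_ca_anchors": sorted(n for n, f in ssl.items() if "C" in f),
        "trusted_peers": sorted(n for n, f in ssl.items() if "P" in f),
        "own_certs": sorted(n for n, f in ssl.items() if "u" in f),
        "untrusted": sorted(n for n, f in ssl.items() if not f),
    }


if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_LISTING)
    for nick, fields in certs.items():
        print(nick)
        for column, flags in zip(COLUMNS, fields):
            print("    %-8s %-4s %s" % (column, flags or "-", describe(flags)))
    for group, names in ssl_summary(certs).items():
        print("%s: %s" % (group, ", ".join(names) or "(none)"))
```
</pre>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Run against the saved output of <i>certutil -L -d .</i> on each side, the script makes the asymmetry between two databases easy to read off: an entry in the "untrusted" group (an SSL field of ",,") is accepted only if the database also holds a CA for it with C in the SSL column.<o:p></o:p></span></p>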
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Sebastian Tabarce
[mailto:blue_moon_ro@yahoo.com] <br>
<b>Sent:</b> Thursday 7 August 2008 20:23<br>
<b>To:</b> Groot, Mathijs de (IDT Competence Java)<br>
<b>Subject:</b> RE: [Fedora-directory-users] Unable to SSL with Windows Sync
Agreement<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td valign=top style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal>Hi Mathijs,<br>
<br>
From what you showed us, it seems that while RHDS is a trusted peer of Active
Directory, Active Directory is not a trusted peer of RHDS. This might be a
reason for RHDS to not even try to establish a sync with AD. Other than this,
I have no other ideas for now. I'm not an experienced RHDS admin, but maybe
others will be of more help.<br>
<br>
Good luck,<br>
Sebastian<br>
<br>
--- On <b>Thu, 8/7/08, Groot, Mathijs de (IDT Competence Java) <i><math.de.groot@logica.com></i></b>
wrote:<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>From: Groot, Mathijs de (IDT
Competence Java) <math.de.groot@logica.com><br>
Subject: RE: [Fedora-directory-users] Unable to SSL with Windows Sync
Agreement<br>
To: blue_moon_ro@yahoo.com, "General discussion list for the Fedora
Directory server project." <fedora-directory-users@redhat.com><br>
Date: Thursday, August 7, 2008, 5:19 PM<o:p></o:p></p>
<div id=yiv1657460339>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi
Sebastian,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks
for your reply.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We’ve
created the CA and Server certificates on Red Hat Directory Server</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(as
described in: <a
href="http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html"
target="_blank"><span style='color:windowtext'>http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html</span></a>)</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And
created a server certificate on the Windows Server (<a
href="http://support.microsoft.com/kb/931351" target="_blank"><span
style='color:windowtext'>http://support.microsoft.com/kb/931351</span></a>)</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The
CA and Server certificates are exchanged between both servers and are
trusted, as the certutil output shows:</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On
the Red Hat Directory (rhds.grep):</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Courier New"'># certutil -L -d .</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>
Certificate Nickname</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>
Trust Attributes</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>
</span></i><i><span lang=NL style='font-size:10.0pt;font-family:"Courier New"'>SSL,S/MIME,JAR/XPI</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
lang=NL style='font-size:10.0pt;font-family:"Courier New"'>rhds_ds_ca_cert
CTu,u,u</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
lang=NL style='font-size:10.0pt;font-family:"Courier New"'>parijs_server_cert
,,</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
lang=NL style='font-size:10.0pt;font-family:"Courier New"'>rhds_server_cert
u,u,u</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
lang=NL style='font-size:10.0pt;font-family:"Courier New"'>parijs_ca_cert
CT,,</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
lang=NL style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>on
the Windows Active Directory (parijs.gem):</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>C:\Program Files\Red Hat
Directory Password Synchronization>certutil -L -d .</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>rhds_ds_ca_cert
CT,C,C</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>rhds_ds_server_cert
Pu,Pu,Pu</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And
ldapsearch on the command line from the Red Hat server over SSL works
using the certificate database; the following command returns
entries from Windows Active Directory:</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span
style='font-size:10.0pt;font-family:"Courier New"'>/usr/lib64/mozldap/ldapsearch
-Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D
"CN=Administrator,CN=Users,DC=parijs,DC=gem" -w - -s base -b
"dc=parijs,dc=gem" "objectclass=top"</span></i><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Note
that I’m using a 64-bit Red Hat Enterprise version and a 32-bit Windows
2003.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Have
you got any suggestions as to why there are no outgoing TCP/IP packets
from the Red Hat Directory Server when the new Windows Sync
Agreement is configured and the message is shown that the Red Hat server is
unable to contact the Active Directory server?</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Mathijs</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] <b>On Behalf Of </b>Sebastian
Tabarce<br>
<b>Sent:</b> Thursday 7 August 2008 15:03<br>
<b>To:</b> General discussion list for the Fedora Directory server project.<br>
<b>Subject:</b> Re: [Fedora-directory-users] Unable to SSL with Windows Sync
Agreement</span><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td valign=top style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Mathijs,<br>
<br>
If I'm not mistaken, in order for the two servers to be able to talk with
each other, they need to have certificates signed by Certificate
Authorities recognized by the two servers (meaning, the certificates of
these root CAs must be installed on the two servers). Even more
straightforward is to generate certificate requests for both servers and
get them signed by the same root CA.<br>
<br>
<br>
--- On <b>Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java) <i><math.de.groot@logica.com></i></b>
wrote:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>From:
Groot, Mathijs de (IDT Competence Java) <math.de.groot@logica.com><br>
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement<br>
To: fedora-directory-users@redhat.com<br>
Date: Thursday, July 31, 2008, 12:18 PM<o:p></o:p></p>
<div id=yiv365534948>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Hello everyone,<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I can use some help with setting up the Windows Sync.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I'll give some context first: I'm trying to sync users, groups and
passwords from a Windows 2003 server with Active Directory to a Red Hat
Enterprise 5, Red Hat Directory Server 8.0.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>It is a test environment where I can access and configure the
servers easily.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>But I've got some problems setting up a new Windows Sync Agreement.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>It comes down to the following:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I can’t get an SSL connection with a new
Windows Sync Agreement, from the Red Hat DS to the Windows AD server.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>In the Windows Sync Server info screen I get the following message
when clicking on next: <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>"unable to contact Active Directory server, continue"<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>(Windows Sync Server info screen located In the Directory Server
Console -> Configuration tab -> Replication ->
userRoot -> highlight the database -> Object -> New Windows Sync
Agreement -> The second screen reads Windows Sync Server Info)<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>But when I uncheck the checkbox “Using encrypted SSL
connection” the connection works and the Windows AD server is
reached.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>So this shows (and I've tested) that the Windows Server and domain
are reachable, the Bind DN is valid, and the entered values are correct.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>The SSL connection seems to be set up correctly; the check
(ldapsearch query) described by the Fedora manual outputs the correct
result, as follows:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>“<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Testing your Configuration<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Test to make sure you can talk SSL from Fedora Directory to AD<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>This is how you test to verify that the Windows side SSL is enabled
properly:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p
<AD SSL port> -D "<sync manager user>” -w < sync
manager password> -s <scope> -b "<AD base>"
"<filter>"<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>“<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>My ldapsearch query:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>/usr/lib64/mozldap/ldapsearch -Z -P
/etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D
"CN=Administrator,CN=Users,DC=domain,DC=com" -w <pwd>
-s base -b "dc=domain,dc=com" "objectclass=top"<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>But strangely enough there is no network traffic at all when the
SSL connection is checked!<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>(when clicking on next and the message "unable to contact Active
Directory server, continue" appears)<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I've taken the following actions to monitor it:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>First I’ve disabled SELinux, in case that blocks something
(just for testing).<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Watch the TCP/IP traffic with:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>tcpdump -nn -p port not ssh and ip host <Red Hat IP number><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Here I can see that, when I don’t use the SSL connection, there
is traffic towards my Windows AD, but when I've checked the SSL option, there
is no traffic at all, nothing.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>As well when I look at the iptables:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>added an extra line: iptables -I OUTPUT 1 -d <Windows AD IP
number> -j ACCEPT <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>watch -d iptables -L -nv<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I see the same result, traffic when I don’t use the SSL option
and no traffic at all when the SSL option is checked.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>How can I get the message "unable to contact Active Directory
server, continue" when there is no outgoing request from my Red Hat
server?<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>I've made certificates on both sides (Windows and Red Hat) and
exported and imported these certificates to the other server.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Please advise on the following steps I can take, what the problem can be
and how it is possible that there is no traffic at all.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Thanks in advance.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'>Matt<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mathijs
A. de Groot</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>
Consultant - Software Engineer<br>
_________________________________________ </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Logica</span></b><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><b><span
style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#7D7D7D'>-
Releasing your potential</span></b><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><span style='font-size:8.0pt;font-family:"Arial","sans-serif"'>George
Hintzenweg 89<br>
3068 AX Rotterdam<br>
Postbus 8566<br>
3009 AN Rotterdam<br>
Nederland<br>
T: +31 (0) 10 253 7000<br>
D: +31(0) 70 37 56627<br>
E: </span><a href="mailto:math.de.groot@logica.com" target="_blank"><span
style='font-size:8.0pt;font-family:"Arial","sans-serif"'>math.de.groot@logica.com</span></a><span
style='font-size:8.0pt;font-family:"Arial","sans-serif"'><br>
</span><a href="http://www.logica.com/" target="_blank"><span
style='font-size:8.0pt;font-family:"Arial","sans-serif"'>www.logica.com</span></a><span
style='font-size:8.0pt;font-family:"Arial","sans-serif"'><br>
<br>
</span><span style='color:black'>Logica Nederland B.V.</span><span
style='font-size:8.0pt;color:navy'><br>
</span><span style='font-size:8.0pt;color:black'>Registered office in
Amstelveen, The Netherlands<br>
Registration Number Chamber of Commerce: 33136004</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'> <o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><br clear=all>
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you. <o:p></o:p></p>
</div>
<pre>--<br>
<br>
Fedora-directory-users mailing list<br>
<br>
Fedora-directory-users@redhat.com<br>
<br>
https://www.redhat.com/mailman/listinfo/fedora-directory-users<o:p></o:p></pre></td>
</tr>
</table>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p>
</div>
</div>
</td>
</tr>
</table>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
</div>
</body>
</html>