[Fedora-directory-devel] [Fwd: FDS over SSL with PassSync -- How I did it]

Richard Megginson rmeggins at redhat.com
Mon Jun 19 20:54:53 UTC 2006


Rob Crittenden wrote:
> Is this something that should be translated into a FAQ or How-to on 
> the wiki?
Sure.
> I'd be happy to write it up; I just don't have the means to test 
> whether his method works in general.
Ok, that's fine.  As long as we get the general idea down, we can always 
iterate on the details later.
>
> rob
>
> -------- Original Message --------
> Subject: [Fedora-directory-users] FDS over SSL with PassSync -- How I 
> did it
> Date: Thu, 08 Jun 2006 11:33:39 -0700
> From: Jeff Gamsby <JFGamsby at lbl.gov>
> Reply-To: General discussion list for the Fedora Directory server 
> project. <fedora-directory-users at redhat.com>
> To: General discussion list for the Fedora Directory server project. 
> <fedora-directory-users at redhat.com>
>
> Thanks to everyone who helped me.
>
> Since it was a struggle for me, I thought that I would post how I did it
> in case others have the same problems that I had. Maybe it will help
> someone else.
>
> My Setup:
>
> Fedora Core 4
> Fedora Directory Server 1.0.2
> Windows 2000 Server
>
> Install FDS ( or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm
> -rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2 )
> create certificates, etc..
> I used this simple script that I wrote: (cd to /opt/fedora-ds/alias)
> -----------------------------------------------------------------------
>
> serverroot=/opt/fedora-ds   # the certutil calls below rely on this variable
>
> echo -n "Creating password and noise file..."
>
> echo "8904859034905834-580943502385430958430958049385" >
> /opt/fedora-ds/alias/pwdfile.txt
>
> echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" >
> /opt/fedora-ds/alias/noise.txt
>
> echo -n "Creating Databases..."
>
> $serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
>
> echo -n "Generating encryption key..."
>
> $serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
>
> echo -n "Generating self-signed certificate..."
>
> $serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x
> -t "CT,," -m 1000 -v 120  -d . -z noise.txt -f pwdfile.txt
>
> echo -n "Generating server certificate.."
>
> $serverroot/shared/bin/certutil -S -n "Server-Cert" -s
> "cn=msas.msd.lbl.gov" -c "CA certificate" -t "u,u,u" -m 1001 -v 120  -d
> . -z noise.txt -f pwdfile.txt
>
> mv key3.db slapd-msas-key3.db
>
> mv cert8.db slapd-msas-cert8.db
>
> ln -s slapd-msas-key3.db key3.db
>
> ln -s slapd-msas-cert8.db cert8.db
>
> echo -n "Setting permissions.."
>
> chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
>
> echo -n "Exporting certificate.."
>
> $serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > 
> cacert.der
>
> echo "Converting certificate.."
>
> openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
>
> echo "Copying cacert.pem to /etc/openldap/cacerts.."
>
> cp cacert.pem /etc/openldap/cacerts/
>
> echo -n "Enabling SSL in FDS"
>
> echo ""
>
> echo -n "Please enter Manager password..(twice)"
>
> ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
>
> ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
>
> ---------------------------------------------------------
>
> restart FDS
>
> Test SSL connections and ldapsearch
> netstat -an | grep 636
>
> Install Active Directory on Windows Server
>
> Install Certificate Services --> Enterprise root CA
> reboot
> Enable SSL on AD
>
>   1. Install Certificate Services on Windows 2000 Server and an
>      Enterprise Certificate Authority in the Active Directory Domain.
>      Make sure you install an Enterprise Certificate Authority.
>   2. Create a Security (Group) Policy to direct Domain Controllers to
>      get an SSL certificate from the Certificate Authority (CA).
>         1. Open the Active Directory Users and Computers Administrative
>            tool.
>         2. Under the domain, right-click on Domain Controllers.
>         3. Select Properties.
>         4. In the Group Policy tab, click to edit the Default Domain
>            Controllers Policy.
>         5. Go to Computer Configuration->Windows Settings->Security
>            Settings->Public Key Policies.
>         6. Right click Automatic Certificate Request Settings.
>         7. Select New.
>         8. Select Automatic Certificate Request.
>         9. Run the wizard. Select the Certificate Template for a Domain
>            Controller.
>        10. Select your Enterprise Certificate Authority as the CA.
>            Selecting a third-party CA works as well.
>        11. Complete the wizard.
>        12. All Domain Controllers now automatically request a
>            certificate from the CA, and support LDAP using SSL on port 
> 636.
>   3. Retrieve the Certificate Authority Certificate
>         1. Open a Web browser on the AD machine
>         2. Go to http://localhost/certsrv/
>         3. Select the task Retrieve the CA certificate or certificate
>            revocation list.
>         4. Click Next.
>         5. The next page automatically highlights the CA certificate.
>            Click Download CA certificate.
>         6. A new download window opens. Save the file to the hard drive.
>      Save in DER mode
>
> Copy file to FDS server, convert to PEM format
>
> openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem
>
> Import AD CA cert into FDS
>
> certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem
>
> check certs ( from /opt/fedora-ds/alias)
> certutil -L -d . -P slapd-instance-
>
> Check ldapsearch from FDS to AD
>
> ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port>
> -D "<sync manager user>" -w "<sync manager password>" -s <scope>
> -b "<AD base>" "<filter>"
>
> Install PassSync on Windows machine.
> Follow directions from Howto:WindowsSync (certificate creation)
> restart AD server
>
> Enable Replication in Directory Server Console:
>
> Go to configuration tab --> Replication --> enable changelog --> default
> Expand Replication, click UserRoot
> Check "Enable Replica" Single-master
>
> Right Click UserRoot --> Create new windows sync agreement
>
> Up log level in FDS:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif
>
> restart FDS
>
> right click win sync agreement --> Initiate Full Sync
>
> check error logs (/opt/fedora/slapd-instance/logs/errors)
>
> In order for users to be created on the Windows side, users must have
> certain attributes.
>
> e.g.
> dn: uid=TBird,ou=People, dc=server,dc=com
> givenName: Tweetie
> ntUserCreateNewAccount: true
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> objectClass: posixAccount
> facsimileTelephoneNumber: 510-555-5555
> uid: TBird
> mail: tbird at server.com
> uidNumber: 71209
> cn: Tweetie Bird
> ntUserComment: Tweetie Bird User Account
> telephoneNumber: 510-555-5555
> loginShell: /bin/bash
> ntUserDomainId: tbird
> gidNumber: 5000
> ntUserDeleteAccount: true
> gecos: Tweetie Bird
> homeDirectory: /home/tbird
> sn: Bird
> userPassword::
>
> I hope that I have this right.
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>   
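The quoted script writes the NSS key database password and the certutil noise to fixed, world-readable files, and feeds ldapmodify two LDIF files (/tmp/ssl_enable.ldif and /tmp/addRSA.ldif) whose contents the post does not show. As an added example that is not part of the original message, the sh functions below generate those inputs with random content and owner-only permissions and write the two LDIF files; the LDIF attribute names are the standard FDS SSL configuration and are an assumption, and Server-Cert is the certificate nickname the quoted script creates.

```shell
# Added example, not the original poster's script: builds the inputs the
# quoted certutil/ldapmodify steps consume (random 0600 password/noise files,
# the two LDIF files). LDIF attributes are standard FDS SSL config, assumed.

make_secret_file() {
    # $1 = path. 48 random bytes, base64-encoded, written under umask 077 so
    # the key database password is never left in a world-readable file.
    ( umask 077 && head -c 48 /dev/urandom | base64 | tr -d '\n' > "$1" )
}

is_private() {
    # Succeeds only if no group/other permission bits are set on $1.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

write_ssl_ldifs() {
    # $1 = output directory. nsSSL3 is the protocol switch of FDS 1.0.x;
    # current 389-DS releases use nsTLS1 instead and should keep SSLv3 off.
    cat > "$1/ssl_enable.ldif" <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-secureport
nsslapd-secureport: 636
EOF
    cat > "$1/addRSA.ldif" <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

setup_ssl_inputs() {
    # $1 = alias directory, $2 = LDIF directory; fails if pwdfile.txt is not private.
    make_secret_file "$1/pwdfile.txt" && make_secret_file "$1/noise.txt" &&
    is_private "$1/pwdfile.txt" && write_ssl_ldifs "$2"
}
```

Run `setup_ssl_inputs /opt/fedora-ds/alias /tmp` before the certutil steps; the same ldapmodify commands from the quoted script then apply the two files.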