[Fedora-directory-users] AD sync
Rich Megginson
rmeggins at redhat.com
Wed Oct 19 13:52:22 UTC 2005
Short answer: You are using an invalid SSL certificate.
Longer Answer: SSL server certificates must be capable of key exchange.
The cert you are using may be a signing only certificate. This would
make it a perfectly good cert for client authentication. It would also
make it an acceptable certificate for DHE_ type Diffie-Hellman server
operations. It does not work for RSA SSL server operations. You need to
either 1) not use the key usage extension, or 2) specify Key Encipherment
(or Key Exchange). The problem is that the MSADCA by default issues
these types of certificates, presumably because all of the MS clients
are configured to "just work" with them.
Darjo Gregoric wrote:
>Hi,
>
>I have a problem with AD sync. I have established synchronization without
>SSL and it works fine, but when I use SSL, connection is not established and I
>receive error:
>
>Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape
>Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)
>
>AD machine name is suzy.
>
>I have exported CA and imported it on Directory server.
>
>Certutil -L -d . gives:
>
>CA certificate CTu,u,u
>suzy CT,,
>Server-Cert u,u,u
>
>Did I miss something?
>
>Is there any HOW TO for this type of configuration?
>
>Regards
>Darjo
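A check script for the two failure modes this thread discusses, added here as an example (it is not code from the thread or from Fedora Directory Server): it reports whether a PEM server certificate's Key Usage omits Key Encipherment, which an RSA SSL server needs, and whether its issuer is in the CA file the directory server trusts. It assumes openssl 1.1.1 or later on PATH; the test CA and certificate fixtures (adca, suzy, signonly, kx) are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. Exit status of check_rsa_server_cert:
#   0 = usable, 1 = Key Usage lacks Key Encipherment, 2 = issuer not in CA file.
# Assumes openssl 1.1.1+ on PATH.
check_rsa_server_cert() {
    cert="$1"; cafile="$2"
    # The Key Usage values, if the extension is present (absent = unrestricted).
    ku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//')
    case "$ku" in
        ''|*'Key Encipherment'*) ;;   # RSA key exchange allowed
        *) echo "$cert: Key Usage '$ku' lacks Key Encipherment (signing-only cert)"
           return 1 ;;
    esac
    # The chain check the LDAP client makes: is the issuer in the trusted CA file?
    if ! openssl verify -no-CApath -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "$cert: issuer not in $cafile (peer's certificate issuer is not recognized)"
        return 2
    fi
    echo "$cert: OK for RSA key exchange, issuer found in $cafile"
}

# Constructed fixtures (hypothetical test CA and leaf certs, not from the thread).
make_ca() {      # make_ca <name> <dir>: self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}
make_leaf() {    # make_leaf <cn> <keyUsage> <dir> <ca-name> <out-name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$3/$5.key" -out "$3/$5.csr" 2>/dev/null
    printf 'keyUsage=critical,%s\n' "$2" > "$3/$5.ext"
    openssl x509 -req -in "$3/$5.csr" -CA "$3/$4.pem" -CAkey "$3/$4.key" \
        -CAcreateserial -days 1 -extfile "$3/$5.ext" -out "$3/$5.pem" 2>/dev/null
}

# Demo: `sh check_cert.sh demo` builds a signing-only cert (what the MS AD CA
# issues by default, per the reply above) and a key-exchange cert, then checks both.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_ca adca "$d"
    make_leaf suzy digitalSignature "$d" adca signonly
    make_leaf suzy digitalSignature,keyEncipherment "$d" adca kx
    check_rsa_server_cert "$d/signonly.pem" "$d/adca.pem"
    check_rsa_server_cert "$d/kx.pem" "$d/adca.pem"
    rm -rf "$d"
fi
```

A certificate with no Key Usage extension at all passes the first check, since RFC 5280 treats absence as no restriction.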