[Fedora-directory-users] Password Sync Error
Jeff Gamsby
jfgamsby at lbl.gov
Tue Mar 6 18:08:02 UTC 2007
Have you tried connecting on port 636 using the FQDN of the directory
server rather than the IP address?
Did you export the Windows cert and import it into the Directory Server?
This is how I did it, first on Windows 2000 server then on 2003 server.
My Setup:
Fedora Core 4
Fedora Directory Server 1.0.2
Windows 2000 Server
Install FDS ( or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm
-rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2 )
create certificates, etc..
I used this simple script that I wrote: (cd to /opt/fedora-ds/alias)
-----------------------------------------------------------------------
echo -n "Creating password and noise file..."
echo "8904859034905834-580943502385430958430958049385" >
/opt/fedora-ds/alias/pwdfile.txt echo
"8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" >
/opt/fedora-ds/alias/noise.txt
echo -n "Creating Databases..."
$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
echo -n "Generating encryption key..."
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo -n "Generating self-signed certificate..."
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x
-t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo -n "Generating server certificate.."
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s
"cn=hostname.of.fds" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d .
-z noise.txt -f pwdfile.txt
mv key3.db slapd-host-key3.db
mv cert8.db slapd-host-cert8.db
ln -s slapd-host-key3.db key3.db
ln -s slapd-host-cert8.db cert8.db
echo -n "Setting permissions.."
chown nobody.nobody /opt/fedora-ds/alias/slapd-name*
echo -n "Exporting certificate.."
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
echo "Converting certificate.."
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
echo "Copying cacert.pem to /etc/openldap/cacerts.."
cp cacert.pem /etc/openldap/cacerts/
echo -n "Enabling SSL in FDS"
echo ""
echo -n "Please enter Manager password..(twice)"
ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
---------------------------------------------------------
restart FDS
Test SSL connections and ldapsearch
netstat -an | grep 636
Install Active Directory on Windows Server
Install Certificate Services --> Enterprise root CA
reboot
Enable SSL on AD
1. Install Certificate Services on Windows 2000 Server and an
Enterprise Certificate Authority in the Active Directory Domain. Make
sure you install an Enterprise Certificate Authority.
2. Create a Security (Group) Policy to direct Domain Controllers to
get an SSL certificate from the Certificate Authority (CA).
1. Open the Active Directory Users and Computers Administrative
tool.
2. Under the domain, right-click on Domain Controllers.
3. Select Properties.
4. In the Group Policy tab, click to edit the Default Domain
Controllers Policy.
5. Go to Computer Configuration->Windows Settings->Security
Settings->Public Key Policies.
6. Right click Automatic Certificate Request Settings.
7. Select New.
8. Select Automatic Certificate Request.
9. Run the wizard. Select the Certificate Template for a Domain
Controller.
10. Select your Enterprise Certificate Authority as the CA.
Selecting a third-party CA works as well.
11. Complete the wizard.
12. All Domain Controllers now automatically request a
certificate from the CA, and support LDAP using SSL on port 636.
3. Retrieve the Certificate Authority Certificate
1. Open a Web browser on the AD machine
2. Go to http://localhost/certsrv/
3. Select the task Retrieve the CA certificate or certificate
revocation list.
4. Click Next.
5. The next page automatically highlights the CA certificate.
Click Download CA certificate.
6. A new download window opens. Save the file to the hard drive.
Save in DER mode
Copy file to FDS server, convert to PEM format
openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem
Import AD CA cert into FDS
certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem
check certs ( from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance
Check ldapsearch from FDS to AD
ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D
"<sync manager user> -w < sync manager password> -s <scope> -b "<AD
base>" "<filter>"
Install PassSync on Windows machine.
Follow directions from Howto:WindowsSync (certificate creation)
restart AD server
Enable Replication in Directory Server Console:
Go to configuration tab --> Replication --> enable changelog --> default
Expand Replication, click UserRoot
Check "Enable Replica" Single-master
Right Click UserRoot --> Create new windows sync agreement
Up log level in FDS:
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif
restart FDS
right click win sync agreement --> Initiate Full Sync
check error logs (/opt/fedora/slapd-instance/logs/errors)
In order for users to be created on the Windows side, users must have
certain attributes.
e.g.
dn: uid=TBird,ou=People, dc=server,dc=com
givenName: Tweetie
ntUserCreateNewAccount: true
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
facsimileTelephoneNumber: 510-555-5555
uid: TBird
mail: tbird server com
uidNumber: 71209
cn: Tweetie Bird
ntUserComment: Tweetie Bird User Account
telephoneNumber: 510-555-5555
loginShell: /bin/bash
ntUserDomainId: tbird
gidNumber: 5000
ntUserDeleteAccount: true
gecos: Tweetie Bird
homeDirectory: /home/tbird
sn: Bird
userPassword::
Jeffrey Jamisola wrote:
> Yes, Ive already tried to add port 389 and 636 on iptables
> and restart the iptables service, same error result.
> Then tried to disable firewall on linux server, same error:
>
> "Can not connect to ldap server in syncPasswords"
>
> Ive use a tool called LdapAdmin.exe to connect to Directory
> Server PC from Active Directory PC, using credentials below:
>
> Host: 192.36.253.152
> Port Number: 389 or 636
> User Name: Directory Manager
> Password: Directory Manager password
> Base: ou=People,dc=example,dc=com
>
> It successfully connect to the Directory Server.
> Yet during password sync, it cannot contact the directory server.
>
> Are there some other way?
>
>
>
>
>
> Jeffrey Jamisola wrote:
>
> Synchronization of users between active directory and directory server
> is already done. However, I am trying to synchronize password for
> redhat directory server & windows 2003
>
> active directory.
>
> Installed Password Sync for active directory with the following:
>
> Host Name: 192.36.253.152
> Port Number: 389
> User Name: Directory Manager
> Password:
> Cert Token:
> Search Base: ou=People,dc=example,dc=com
>
>
>
>
> Checking the password sync log file, found this error:
>
> ---------------
> 02/09/07 19:18:32 : Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> 02/09/07 19:18:32 : Can not connect to ldap server in syncPasswords
>
> Firewall?
>
> --------------
>
> does anyone know how to solve this problem?
>
> ------------------------------------------------------------------------
>
> *Create and Share your own Video Clip Playlist in minutes at Lycos MIX
> (_http://mix.lycos.com_ <http://mix.lycos.com/?if_Event=MAILmixtagline>)*
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
More information about the Fedora-directory-users
mailing list