[Fedora-directory-users] Password Sync Error

Jeff Gamsby jfgamsby at lbl.gov
Wed Mar 7 17:53:40 UTC 2007


From what I remember, you must install Certificate Services on the AD 
server in order to enable LDAP over SSL. It was part of the email that I 
sent to you yesterday. You can confirm SSL communication by querying the 
address book on the AD server on port 636 
(http://support.microsoft.com/kb/238007/EN-US/). You can also run 
'netstat -an | more' and look for 0.0.0.0:636, which means that the AD 
server is listening on the secure LDAP port. You then need to export the 
AD certificate and import it into the FDS server (below). After that, 
you can test communication by running an ldapsearch from the FDS server 
to the AD server. There is an example below, something like this:

cd /opt/fedora-ds/alias ; ldapsearch -Z -P . -h hostname.of.ad.server -p 636 \
  -D "cn=Administrator,cn=Users,dc=server,dc=example,dc=com" -W -s base \
  -b "cn=Users,dc=server,dc=example,dc=com" "cn=*"

It's been a while, but I think that I have this right. Someone please 
correct me if I'm wrong.

Good luck

---From last post---
3. Retrieve the Certificate Authority Certificate
       1. Open a Web browser on the AD machine
       2. Go to http://localhost/certsrv/
       3. Select the task "Retrieve the CA certificate or certificate
          revocation list".
       4. Click Next.
       5. The next page automatically highlights the CA certificate.
          Click "Download CA certificate".
       6. A new download window opens. Save the file to the hard drive,
          in DER mode.

Copy file to FDS server, convert to PEM format

openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS

certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

Check certs (from /opt/fedora-ds/alias; the -P prefix must match the
slapd-instance-cert8.db file name, including the trailing hyphen)

certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> \
  -D "<sync manager user>" -w <sync manager password> -s <scope> \
  -b "<AD base>" "<filter>"



Jeffrey Jamisola wrote:
> Hi Jeff,
>
> Thanks for the reply.
>
> Can I have the following instructions if they are available:
>
> 1. How to install Certificate Services, then Enterprise root CA
>
> 2. How to enable SSL on AD
>
> Since my AD is Windows Server 2003
>
>
> Thank you,
> Jeffrey
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-- 
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
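The checks in the post above (is AD listening on 636, does its certificate chain to the exported AD CA, does the FDS-side ldapsearch use the right arguments) can be scripted. This is an added example, not code from the thread or from Fedora DS; the host names, DNs and paths in it are placeholders.

```python
"""Check the AD -> FDS LDAPS trust path before enabling Password Sync.

Added example (not from the mailing list post). All host names, DNs and
cert-db paths are placeholders; substitute your own.
"""
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636  # the port the post says AD listens on once SSL is enabled


def der_to_pem(der_bytes: bytes) -> str:
    """Same conversion as 'openssl x509 -inform DER -outform PEM'."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def pem_to_der(pem_text: str) -> bytes:
    """Inverse of der_to_pem, handy for checking a downloaded CA file."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def ldaps_handshake(host: str, port: int = LDAPS_PORT,
                    ca_pem: Optional[str] = None, timeout: float = 5.0) -> dict:
    """TLS-connect to AD's LDAPS port and validate the server certificate.

    With ca_pem set to the exported AD CA (the file later imported into
    FDS with certutil), the chain must lead to that CA and the host name
    must match; a failure here means the sync channel is not trustworthy.
    Returns a dict instead of raising so it fits into a checklist script.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "error": None, "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert["subject"]),
                        "issuer": dict(rdn[0] for rdn in cert["issuer"])}
    except ssl.SSLError as exc:  # listener exists but chain/hostname failed
        return {"ok": False, "error": f"TLS validation failed: {exc}"}
    except OSError as exc:  # refused, unreachable or timed out
        return {"ok": False, "error": f"no LDAPS listener: {exc}"}


def ldapsearch_cmd(certdb: str, host: str, bind_dn: str, base_dn: str,
                   port: int = LDAPS_PORT, ldap_filter: str = "cn=*") -> list:
    """The FDS-side test search from the post, as an argv list (no shell
    quoting of the DNs needed). Run it with subprocess.run(cmd, cwd=alias)."""
    return ["ldapsearch", "-Z", "-P", certdb, "-h", host, "-p", str(port),
            "-D", bind_dn, "-W", "-s", "base", "-b", base_dn, ldap_filter]
```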



