[Fedora-directory-users] Windows Sync using SSL : Peer's Certificate issuer is not recognized

André Luís Lopes andrelop at aw2net.com.br
Fri May 18 12:43:39 UTC 2007


Hello,

    First of all, I would like to tell you all that this is my very 
first message to this mailing list so please be patient with me for a 
while and sorry for the possibly dull questions.

    Also, it's important to let you guys know that I already learnt a 
lot only by searching the list archives. Thanks :-) I tried each and 
every bit I found online (be it by reading the enormous amount of 
documentation under http://directory.fedoraproject.org/ or by reading 
the mailing list archives) and couldn't get Windows Sync using SSL to 
work yet.

    What I have now :

1) Fedora Directory Server 1.0.4 running under a Red Hat Enterprise 
Linux 4 Advanced Server Update 5, installed from the 
fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm package. This host is named 
fds.aw2.local.

2) Windows Server 2003 Enterprise Edition running a local Active 
Directory set up only for testing. This host is named adserver.aw2.local.

    I already installed PassSync (from 
http://directory.fedoraproject.org/download/PassSync-20060330.msi) in 
the Windows Server 2003 and already have it configured to use the 
following information :

Host name : fds.aw2.local
Port number : 636
User name : uid=replication, cn=config
Password : 123456
Cert Token : 123456
Search base : dc=aw2, dc=local

    uid=replication is a user I added to FDS, under cn=config. Cert 
token is the correct certificate token and search base is the correct 
search base as well.

    I can create a Windows Sync Agreement and have it doing 
synchronization both from AD to FDS and from FDS to AD, but only when 
using a non-SSL connection. But, in this case, as you all know, I don't 
get users' passwords synchronized.

    I think I got both AD and FDS SSL setup right as I can use "Active 
Directory Administration Tool (ldp.exe)" to connect to AD on port 636 
(SSL) correctly and I can use an ldapsearch from the FDS machine to the 
FDS directory using SSL correctly as well.

    The only problem I'm getting is whenever I try to set up a Windows 
Sync Agreement using SSL I get the following error message on my FDS 
LDAP error log (/opt/fedora-ds/slapd-fds/logs/error, in my case) :

[18/May/2007:08:52:40 -0300] NSMMReplicationPlugin - agmt="cn=sync" 
(adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact 
LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate 
issuer is not recognized.)

    I have the following configured regarding certificates in the AD 
host ("certutil.exe -d . -L" output running from C:\Program Files\Red 
Hat Directory Password Synchronization\) :

CA certificate		CT,C,C
Server-Cert		Pu,Pu,Pu

    Isn't this certificate database the one which is being used when a 
Windows Sync Agreement is set up ? Anyway, I already also tried the 
following :

1) Import the FDS certificate using :

cd /opt/fedora-ds/alias
/opt/fedora-ds/shared/bin/pk12util -d . -P slapd-fds- -o servercert.pfx 
-n Server-Cert

2) Import it into the certificate snap-in in the Windows Microsoft 
Management Console and reboot.

    No luck with this either. I have read and re-read every single bit of 
documentation I could find about the topic and I have no problem reading 
more if you guys ask me to RTFM. Just point me to the "fine" manual :-)

Regards,

-- 
André Luís Lopes
andrelop at aw2net.com.br
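An added example, not part of the original post: NSPR/NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) is raised by the connecting side, so the logged failure means the certificate database that slapd-fds itself reads (/opt/fedora-ds/alias with prefix slapd-fds-, the same database used with pk12util above) does not trust the issuer of adserver's certificate; the PassSync database on the Windows host is not involved in that check. The script below lists that database and, if no CA trusted for SSL server auth is present, shows how the AD CA certificate would be imported. The certutil path and the PEM file name are assumptions.

```shell
# Added example (not from the original post). NSS_DIR and NSS_PREFIX are
# taken from the post; CERTUTIL and AD_CA_PEM are assumptions.
NSS_DIR=/opt/fedora-ds/alias
NSS_PREFIX=slapd-fds-
CERTUTIL=/opt/fedora-ds/shared/bin/certutil   # assumed: same bin dir as pk12util
AD_CA_PEM=/root/adserver-ca.pem               # assumed: AD's issuing CA, exported as Base64 (PEM)

# has_trusted_ca: read a "certutil -L" listing on stdin and succeed (exit 0)
# only if some entry carries the "C" flag in the SSL trust column, i.e. a CA
# trusted to issue server certificates. Nicknames may contain spaces, so the
# trust flags are taken from the last whitespace-separated field; header
# lines are skipped because they do not look like a flags triple.
has_trusted_ca() {
    awk '
        { flags = $NF }
        flags ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            split(flags, col, ",")
            if (col[1] ~ /C/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# fds_trusts_ad_issuer: list the slapd-fds instance database (the one the
# replication plugin uses for outbound SSL) and report whether it already
# holds a CA trusted for SSL server authentication.
fds_trusts_ad_issuer() {
    "$CERTUTIL" -d "$NSS_DIR" -P "$NSS_PREFIX" -L | has_trusted_ca
}

# trust_ad_ca: import the AD CA certificate into the same database with
# "CT" trust in the SSL column, so a peer certificate issued by it no longer
# fails with -8179. Run on fds.aw2.local and restart slapd-fds afterwards.
trust_ad_ca() {
    "$CERTUTIL" -d "$NSS_DIR" -P "$NSS_PREFIX" -A \
        -n "AD CA" -t "CT,," -i "$AD_CA_PEM"
}
```

The listing check is the same one worth running on the Windows side against the PassSync database, where the post already shows a "CA certificate CT,C,C" entry.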