[Fedora-directory-users] Windows Sync using SSL : Peer's Certificate issuer is not recognized
André Luís Lopes
andrelop at aw2net.com.br
Mon May 28 17:14:15 UTC 2007
Hello Glenn and everyone from the list,
Glenn wrote:
> Hello Andre,
>
> It seems your certificates are not set up correctly. You should have the
> same CA certificate in the database in both FDS and AD. Also, the server
> certs in each database should be issued by the same certificate authority.
Ok, since then I did it and still I have no luck getting the
synchronization to work. I installed FDS 1.0.4 and used the setup-ssl.sh
script which was made available from
http://directory.fedoraproject.org/download/setupssl.sh .
It correctly set up SSL in FDS and I also have SSL working in AD as
I can use "ldp.exe" and establish an SSL connection to AD with no
problems at all.
After using the setupssl.sh script, I generated a server cert for AD
in /opt/fedora-ds/alias using the following command:
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server"
-s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA
certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt
-f pwdfile.txt
After doing this and adjusting the trust attributes I have the
following scenario in FDS:
[root at fds ~]# cd /opt/fedora-ds/alias/
[root at fds alias]#
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
server-cert u,u,u
CA certificate CTu,Cu,Cu
Server-Cert Pu,Pu,Pu
AD server Pu,Pu,Pu
[root at fds alias]#
Legend :
"AD server" = Active Directory certificate
"Server-Cert" = FDS server
"CA certificate" = The CA certificate
"server-cert" = The admin-server (not the slapd) certificate
It seems to be right. The certificates are all valid according to
certutil:
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n Server-Cert -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n Server-Cert -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n "AD server" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n "AD server" -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n "CA certificate" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds-
-V -n "CA certificate" -u V
certutil-bin: certificate is valid
[root at fds alias]#
Also, I imported the certificates into the AD certificate DB and
currently I have the following scenario in the AD certificate DB:
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -L
CA certificate CT,C,C
Server-Cert Pu,Pu,Pu
AD server Pu,Pu,Pu
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n Server-Cert -u C
certutil.exe: certificate is valid
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n Server-Cert -u V
certutil.exe: certificate is valid
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n "AD server" -u C
certutil.exe: certificate is valid
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n "AD server" -u V
certutil.exe: certificate is valid
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n "CA certificate" -u C
certutil.exe: certificate is valid
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe
-d . -V -n "CA certificate" -u V
certutil.exe: certificate is valid
However, I'm still seeing the same errors in
/opt/fedora-ds/slapd-<instance>/logs/errors:
[28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync"
(adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact
LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate
issuer is not recognized.)
If I create a sync agreement which doesn't use SSL, using port 389
directly, I can do synchronization in both ways (to and from AD and to
and from FDS), but I have no users' passwords synchronized and this is
crucial for me to get working.
Any ideas on what I should be looking at or on where the problem is
hiding itself?
Regards,
--
André Luís Lopes
andrelop at aw2net.com.br
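NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) means the certificate the peer actually presented during the handshake chains to an issuer that is not trusted as an SSL CA (a "C" in the first trust column) in the client's NSS database, regardless of which certs are stored there under other nicknames. The script below is an added example, not code from the post or from Fedora Directory Server: it parses the `certutil -L` trust listing quoted above (embedded as constructed sample input) to show which nicknames can vouch for an issuer and which are only accepted as exact peers, and it offers a probe that repeats the handshake against an LDAPS port with a chosen CA PEM file; the host, port and CA file path are assumptions supplied by the caller.

```python
"""Diagnose the trust-store side of NSS -8179 (peer's issuer not recognized).
Added example; not part of the original mailing-list post."""
import re
import socket
import ssl

# Constructed sample: the FDS-side `certutil -L` output quoted in the post,
# with the standard two-line header certutil prints above the entries.
FDS_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
server-cert u,u,u
CA certificate CTu,Cu,Cu
Server-Cert Pu,Pu,Pu
AD server Pu,Pu,Pu
"""

# nickname, whitespace, then three comma-separated NSS trust-flag fields
_ENTRY = re.compile(r"^(.*\S)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, email, objsign) trust strings; header lines
    carry no flag triple and are skipped."""
    trust = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            trust[m.group(1)] = tuple(m.group(2).split(","))
    return trust


def ssl_trust_roles(trust):
    """Return (ca_nicks, peer_nicks): certs that can vouch for a peer's
    issuer (C in the SSL column) vs. certs accepted only as that exact
    peer (P). A 'P' entry never makes a *different* server cert trusted."""
    cas = sorted(n for n, (s, _, _) in trust.items() if "C" in s)
    peers = sorted(n for n, (s, _, _) in trust.items() if "P" in s)
    return cas, peers


def probe_ldaps(host, port, cafile, timeout=5.0):
    """Handshake with host:port trusting only cafile (assumed PEM path).
    A chain failure here is the OpenSSL counterpart of NSS -8179 and shows
    which issuer the peer really presents (check_hostname is disabled so
    only chain trust, not the name, is being tested)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("issuer")
    except ssl.SSLCertVerificationError as e:
        return "verify-failed", e.verify_message
    except (OSError, ssl.SSLError) as e:
        return "error", str(e)
```

Run `probe_ldaps("adserver.aw2.local", 636, "/path/to/ca.pem")` (placeholder path) from the FDS host; a "verify-failed" result with an "unable to get local issuer certificate" message confirms the presented chain is not anchored by that CA.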