[Fedora-directory-users] Windows Sync using SSL : Peer's Certificate issuer is not recognized

André Luís Lopes andrelop at aw2net.com.br
Mon May 28 17:14:15 UTC 2007


Hello Glenn and everyone from the list,

Glenn wrote:
> Hello Andre,
> 
> It seems your certificates are not set up correctly.  You should have the 
> same CA certificate in the database in both FDS and AD.  Also, the server 
> certs in each database should be issued by the same certificate authority.

    Ok, since then I did it and still I have no luck getting the 
synchronization to work. I installed FDS 1.0.4 and used the setup-ssl.sh 
script which was made available from 
http://directory.fedoraproject.org/download/setupssl.sh.

    It correctly set up SSL in FDS and I also have SSL working in AD, as 
I can use "ldp.exe" and establish an SSL connection to AD with no 
problems at all.

    After using the setupssl.sh script, I generated a server cert for AD 
in /opt/fedora-ds/alias using the following command:

[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server" 
-s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA 
certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt 
-f pwdfile.txt

    After doing this and adjusting the trust attributes, I have the 
following scenario in FDS:

[root at fds ~]# cd /opt/fedora-ds/alias/
[root at fds alias]#
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
[root at fds alias]#

    Legend:

    "AD server" = Active Directory certificate
    "Server-Cert" = FDS server
    "CA certificate" = The CA certificate
    "server-cert" = The admin-server (not the slapd) certificate

    It seems to be right. The certificates are all valid according to 
certutil:

[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n Server-Cert -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n Server-Cert -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "AD server" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "AD server" -u V
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "CA certificate" -u C
certutil-bin: certificate is valid
[root at fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- 
-V -n "CA certificate" -u V
certutil-bin: certificate is valid
[root at fds alias]#

    Also, I imported the certificates into the AD certificate DB and 
currently I have the following scenario in the AD certificate DB:

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -L

CA certificate                          CT,C,C
Server-Cert                             Pu,Pu,Pu
AD server                               Pu,Pu,Pu

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n Server-Cert -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n Server-Cert -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "AD server" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "AD server" -u V
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "CA certificate" -u C
certutil.exe: certificate is valid

C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe 
-d . -V -n "CA certificate" -u V
certutil.exe: certificate is valid

    However, I'm still seeing the same errors in 
/opt/fedora-ds/slapd-<instance>/logs/errors:

[28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync" 
(adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact 
LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate 
issuer is not recognized.)

    If I create a sync agreement which doesn't use SSL, using port 389 
directly, I can do synchronization both ways (to and from AD and to 
and from FDS), but users' passwords are not synchronized, and getting 
this working is crucial for me.

    Any ideas on what I should be looking at, or on where the problem is 
hiding itself?

Regards,

-- 
André Luís Lopes
andrelop at aw2net.com.br
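Editor's added example (not from the thread or the FDS project): the `certutil -L` trust columns above decide whether NSS will accept the certificate the AD listener presents on port 636. NSS accepts a peer certificate only if that exact certificate carries `P` in the SSL column, or if its issuer carries `C` there; otherwise it reports the -8179 "issuer is not recognized" error from the post. The script parses a listing constructed to match the FDS database shown above and models that decision, so the check to run is: compare the issuer of the certificate AD actually serves (assumed here to come from the Windows machine certificate store, not from the PassSync NSS database) against the `C`-trusted entries in the FDS database.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: mirrors the `certutil -L` listing from the post.
SAMPLE_LISTING = """\
server-cert                                                  u,u,u
CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  Pu,Pu,Pu
AD server                                                    Pu,Pu,Pu
"""

# Trust columns are SSL, e-mail, object signing; each may be empty (e.g. "CT,,").
_LINE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (ssl, email, objsign) trust strings from certutil -L output."""
    db: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if m:
            ssl, email, objsign = m.group("flags").split(",")
            db[m.group("nick")] = (ssl, email, objsign)
    return db


def ssl_server_cas(db: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Entries NSS accepts as issuer of a peer's SSL server cert ('C' in SSL column)."""
    return [n for n, (ssl, _, _) in db.items() if "C" in ssl]


def trusted_peers(db: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Entries trusted as-is for SSL ('P'); their issuer is never consulted."""
    return [n for n, (ssl, _, _) in db.items() if "P" in ssl]


def would_recognize(db: Dict[str, Tuple[str, str, str]],
                    presented: Optional[str], issuer: Optional[str]) -> Tuple[bool, str]:
    """Model NSS's verdict on the cert a peer presents.

    presented: DB nickname if the exact presented cert is in the DB, else None.
    issuer:    DB nickname of the presented cert's issuer if it is in the DB, else None.
    """
    if presented in trusted_peers(db):
        return True, f"'{presented}' is a trusted peer (P flag)"
    if issuer in ssl_server_cas(db):
        return True, f"issuer '{issuer}' is a trusted SSL CA (C flag)"
    # Neither path applies: this is the post's NSPR -8179 case.
    return False, "issuer not trusted as SSL CA: Peer's Certificate issuer is not recognized (-8179)"
```

Run against the sample, the model shows that either the exact "AD server" cert or anything issued by "CA certificate" would be accepted, so a -8179 from the sync agreement means the listener on 636 is presenting a certificate whose issuer is absent from (or not `C`-trusted in) the FDS database.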
