[Freeipa-users] Sync IPA and AD while using external CA
Rob Crittenden
rcritten at redhat.com
Fri Oct 30 13:47:39 UTC 2015
Please keep responses on the list
mitra dehghan wrote:
> Thank you for your response.
> - First of all, in section 15.5.1 of the Red Hat Enterprise Linux 6 Identity
> Management guide it says to copy both AD and IPA certificates into
> /etc/openldap/certs and I did the same. Of course it worked when I was
> using internal CAs.
Ok, it doesn't hurt anything, but for the purposes of ipa-replica-manage
it is a no-op.
> - I pass the AD certificate to the ipa-replica-manage command via the --cacert switch.
Yes, but which cert did you provide, the root CA contoso.com or the
subordinate CA local.dc?
> - After all, I would be glad if you could give me more info about the NSS
> database. Is that a kind of substitute for /etc/openldap/certs? Would you
> please give me more details about the configuration needed for that?
The crypto library that 389-ds uses is NSS. This uses a database to
store certificates and keys rather than discrete files. The certutil
tool is used to manage this file (there is a brief man page).
ipa-replica-manage will add the AD cert to 389-ds for you, but you can
add certs manually and I think it might help in this case:
# certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "contoso.com CA" -t CT,, -a -i /path/to/contoso.pem
# certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "local.dc CA" -t CT,, -a -i /path/to/localdc.pem
The -n option specifies a "nickname" to use for the certificate. You can
use pretty much anything you want but being descriptive helps.
rob
>
>
>
> On Wed, Oct 28, 2015 at 5:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> mitra dehghan wrote:
> > hello,
> > I want to implement an IPA server and sync it with my 2012 MS AD. While
> > things go well using an internal CA in each server, I came across a kind
> > of problem when I want to integrate the solution with my PKI which is already
> > serving the AD server.
> > I can install IPA with the --external-ca switch, but when it comes to the sync
> > agreement it says "TLS error -8179:Peer's Certificate issuer is not
> > recognized."
> >
> > The architecture is:
> > - There is a root CA named contoso.com
> > - There is a subordinate CA named local.dc
> > - The certificates of AD and IPA server are both issued by local.dc
> > - IPA's certificate is issued based on the CSR file generated by
> > ipa-server-install
> > - I have copied both certificates into the /etc/openldap/certs directory and
> > the rest was the same as what I did in the internal CA scenario.
> >
> > While the FreeIPA docs say both servers must have internal CAs, I need
> > to integrate the solution with the available PKI.
> > I would be glad to hear suggestions on whether this scenario is applicable and what
> > is wrong there.
> > thank you
>
> 389-ds doesn't use /etc/openldap/certs.
>
> What cert are you passing in when creating the winsync agreement using
> ipa-replica-manage?
>
> You may need/want to add these certs to the IPA 389-ds NSS database
> prior to setting up the agreement.
>
> rob
>
>
>
>
> --
> m-dehghan
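The manual import Rob describes, carried through for the whole chain as an added example (this is not code from the thread): it imports both the root and the subordinate CA with the CT,, trust flags and then reads the trust flags back from certutil -L, so a missing or mis-trusted CA shows up before ipa-replica-manage is run. The function names and nicknames are mine; the database directory is assumed to be the 389-ds instance directory, e.g. /etc/dirsrv/slapd-YOUR-REALM, and certutil from nss-tools is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Imports a root CA and the
# subordinate CA that issued the AD server certificate into a 389-ds NSS
# database and verifies that both carry the "CT,," trust flags.
# Assumes: certutil (nss-tools) is installed; DBDIR is the instance
# directory, e.g. /etc/dirsrv/slapd-YOUR-REALM (hypothetical path).
set -eu

# add_ca DBDIR NICKNAME PEMFILE
# Imports one PEM-encoded CA certificate as a trusted SSL CA ("CT,,").
add_ca() {
    certutil -A -d "$1" -n "$2" -t "CT,," -a -i "$3"
}

# ca_trust DBDIR NICKNAME
# Prints the trust flags certutil lists for NICKNAME; empty if it is absent.
ca_trust() {
    certutil -L -d "$1" | awk -v n="$2" '$0 ~ "^" n " " { print $NF }'
}

# import_chain DBDIR ROOT_PEM SUB_PEM
# Both CAs are needed: the AD certificate is issued by the subordinate,
# and the subordinate itself chains to the root. After importing, each
# nickname is checked so a silent import failure does not go unnoticed.
import_chain() {
    add_ca "$1" "contoso.com CA" "$2"
    add_ca "$1" "local.dc CA" "$3"
    for n in "contoso.com CA" "local.dc CA"; do
        case "$(ca_trust "$1" "$n")" in
            "CT,,") echo "ok: $n is trusted as an SSL CA" ;;
            *) echo "missing or untrusted: $n" >&2; return 1 ;;
        esac
    done
}

# Usage: ./import_chain.sh DBDIR root.pem sub.pem
if [ $# -eq 3 ]; then
    import_chain "$1" "$2" "$3"
fi
```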