André Luís Lopes
2007-May-18 12:43 UTC
[Fedora-directory-users] Windows Sync using SSL : Peer''s Certificate issuer is not recognized
Hello,

First of all, I would like to tell you all that this is my very first message to this mailing list, so please be patient with me for a while and sorry for the possibly dull questions.

Also, it's important to let you guys know that I already learnt a lot only by searching the list archives. Thanks :-) I tried each and every bit I found online (be it by reading the enormous amount of documentation under http://directory.fedoraproject.org/ or by reading the mailing list archives) and couldn't get Windows Sync using SSL to work yet.

What I have now:

1) Fedora Directory Server 1.0.4 running under Red Hat Enterprise Linux 4 Advanced Server Update 5, installed from the fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm package. This host is named fds.aw2.local.

2) Windows Server 2003 Enterprise Edition running a local Active Directory set up only for testing. This host is named adserver.aw2.local.

I already installed PassSync (from http://directory.fedoraproject.org/download/PassSync-20060330.msi) on the Windows Server 2003 and already have it configured to use the following information:

    Host name   : fds.aw2.local
    Port number : 636
    User name   : uid=replication, cn=config
    Password    : 123456
    Cert Token  : 123456
    Search base : dc=aw2, dc=local

uid=replication is a user I added to FDS, under cn=config. Cert token is the correct certificate token and search base is the correct search base as well.

I can create a Windows Sync Agreement and have it doing synchronization both from AD to FDS and from FDS to AD, but only when using a non-SSL connection. But, in this case, as you all know, I don't get users' passwords synchronized.

I think I got both AD and FDS SSL setup right, as I can use "Active Directory Administration Tool (ldp.exe)" to connect to AD on port 636 (SSL) correctly and I can use an ldapsearch from the FDS machine to the FDS directory using SSL correctly as well.
The only problem I'm getting is that whenever I try to set up a Windows Sync Agreement using SSL I get the following error message in my FDS LDAP error log (/opt/fedora-ds/slapd-fds/logs/error, in my case):

    [18/May/2007:08:52:40 -0300] NSMMReplicationPlugin - agmt="cn=sync" (adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

I have the following configured regarding certificates on the AD host ("certutil.exe -d . -L" output, run from C:\Program Files\Red Hat Directory Password Synchronization\):

    CA certificate   CT,C,C
    Server-Cert      Pu,Pu,Pu

Isn't this certificate database the one which is being used when a Windows Sync Agreement is set up? Anyway, I also already tried the following:

1) Import the FDS certificate using:

    cd /opt/fedora-ds/alias
    /opt/fedora-ds/shared/bin/pk12util -d . -P slapd-fds- -o servercert.pfx -n Server-Cert

2) Import it into the AD certificate snap-in in the Windows Microsoft Management Console and reboot.

No luck with this either. I have read and re-read every single bit of documentation I could find about the topic and I have no problem reading more if you guys ask me to RTFM. Just point me to the "fine" manual :-)

Regards,

--
André Luís Lopes
andrelop@aw2net.com.br
Glenn
2007-May-18 15:53 UTC
Re: [Fedora-directory-users] Windows Sync using SSL : Peer''s Certificate issuer is not recognized
Hello Andre,

It seems your certificates are not set up correctly. You should have the same CA certificate in the database in both FDS and AD. Also, the server certs in each database should be issued by the same certificate authority.

It is convenient to use the Certificate Authority included with recent Microsoft Windows servers to create a CA certificate to import into both databases. You can then create server certificates using the MSCA and import them into their respective databases. You may also need to import the server certificate from FDS into the database on AD and vice versa.

Once this is done, you should review and possibly modify the trust attributes on all the certs. As you can see from my examples, I used a scatter-gun approach. You will need to use certutil for all import and modify operations on the certificate databases. "certutil -H" gives a nice reference.

Examples (sibelius = FDS, boccherini = AD, TWCA = CA):

    [root@sibelius alias]# ./certutil -L -d . -P slapd-sibelius-
    TWCA             CT,c,c
    boccherini       P,P,P
    server-cert      CTu,cu,cu

    C:\Program Files\RHD Password Sync>certutil -L -d .
    TWCA             CT,C,C
    server-cert      Pu,Pu,Pu
    boccherini       P,P,P

Remember to restart FDS and PassSync after making changes.

Also, note that although it is rumored that the FDS bind user for replication can be created by the administrator, no one has explained in detail how to make it work. You might use cn=Directory Manager for your bind user who will bind to the FDS for replication, at least while testing.

The "fine" manual is here: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html

Hope this helps.

-G.
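Glenn's advice boils down to reading the trust columns of both NSS databases the same way. The checker below is an added example, not code from the thread or from the Fedora Directory Server project: it parses "certutil -L" listings (the sample listings are constructed to mirror the ones posted here) and reports when no CA carries C or T in the SSL column on both sides, which is the condition behind "Peer's Certificate issuer is not recognized". Matching the CA by nickname is an assumption that stands in for "same CA certificate"; "certutil -V" against each database is the authoritative check.

```python
"""Sanity-check NSS trust flags from `certutil -L` output on both ends of a
Windows Sync over SSL setup (FDS side and PassSync/AD side).
Each trust column is SSL,email,object-signing.  'C' = trusted CA for server
certs, 'T' = trusted CA for client certs, 'P' = trusted peer certificate,
'u' = the database holds the private key."""
import re

# Constructed listings shaped like the `certutil -L -d .` output in this thread.
FDS_LISTING = """\
server-cert                              u,u,u
CA certificate                           CTu,Cu,Cu
Server-Cert                              Pu,Pu,Pu
AD server                                Pu,Pu,Pu
"""
AD_LISTING = """\
CA certificate                           CT,C,C
Server-Cert                              Pu,Pu,Pu
"""
# Constructed failure case: the CA is trusted only as a peer, never as an issuer.
AD_LISTING_PEER_ONLY = """\
CA certificate                           P,P,P
Server-Cert                              Pu,Pu,Pu
"""

_ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

def parse_listing(text):
    """Map nickname -> (ssl_flags, email_flags, objsign_flags); nicknames may contain spaces."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs

def ssl_trusted_cas(certs):
    """Nicknames that may vouch for an SSL peer's certificate: C or T in the SSL column."""
    return {nick for nick, (ssl, _, _) in certs.items() if "C" in ssl or "T" in ssl}

def check_sync_trust(fds_text, ad_text):
    """Return findings; an empty list means each database has an SSL-trusted CA
    and the two databases share at least one such CA nickname (assumed to be the same cert)."""
    fds, ad = parse_listing(fds_text), parse_listing(ad_text)
    findings = []
    for side, certs in (("FDS", fds), ("AD", ad)):
        if not ssl_trusted_cas(certs):
            findings.append(f"{side}: no CA with C/T SSL trust; 'P' trusts one peer cert, not an issuer")
    if not ssl_trusted_cas(fds) & ssl_trusted_cas(ad):
        findings.append("no CA nickname is SSL-trusted in both databases")
    return findings
```

A clean result only says the listed flags are consistent; as the rest of the thread shows, the certificate the peer actually presents must still chain to that CA, which is what "certutil -V" verifies.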
André Luís Lopes
2007-May-28 17:14 UTC
Re: [Fedora-directory-users] Windows Sync using SSL : Peer''s Certificate issuer is not recognized
Hello Glenn and everyone from the list,

Glenn wrote:
> Hello Andre,
>
> It seems your certificates are not set up correctly. You should have the
> same CA certificate in the database in both FDS and AD. Also, the server
> certs in each database should be issued by the same certificate authority.

Ok, since then I did it and still I have no luck getting the synchronization to work.

I installed FDS 1.0.4 and used the setupssl.sh script which was made available from http://directory.fedoraproject.org/download/setupssl.sh . It correctly set up SSL in FDS and I also have SSL working in AD, as I can use "ldp.exe" and establish an SSL connection to AD with no problems at all.

After using the setupssl.sh script, I generated a server cert for AD in /opt/fedora-ds/alias using the following command:

    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -S -n "AD server" -s "cn=adserver.aw2.local,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1003 -v 120 -d . -P slapd-fds- -z noise.txt -f pwdfile.txt

After doing this and adjusting the trust attributes I have the following scenario in FDS:

    [root@fds ~]# cd /opt/fedora-ds/alias/
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -L
    server-cert        u,u,u
    CA certificate     CTu,Cu,Cu
    Server-Cert        Pu,Pu,Pu
    AD server          Pu,Pu,Pu
    [root@fds alias]#

Legend:

    "AD server"      = Active Directory certificate
    "Server-Cert"    = FDS server
    "CA certificate" = The CA certificate
    "server-cert"    = The admin-server (not the slapd) certificate

It seems to be right. The certificates are all valid according to certutil:

    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u C
    certutil-bin: certificate is valid
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n Server-Cert -u V
    certutil-bin: certificate is valid
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u C
    certutil-bin: certificate is valid
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "AD server" -u V
    certutil-bin: certificate is valid
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u C
    certutil-bin: certificate is valid
    [root@fds alias]# /opt/fedora-ds/shared/bin/certutil -d . -P slapd-fds- -V -n "CA certificate" -u V
    certutil-bin: certificate is valid
    [root@fds alias]#

Also, I imported the certificates into the AD certificate DB and currently I have the following scenario in the AD certificate DB:

    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -L
    CA certificate     CT,C,C
    Server-Cert        Pu,Pu,Pu
    AD server          Pu,Pu,Pu

    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u C
    certutil.exe: certificate is valid
    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n Server-Cert -u V
    certutil.exe: certificate is valid
    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u C
    certutil.exe: certificate is valid
    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "AD server" -u V
    certutil.exe: certificate is valid
    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u C
    certutil.exe: certificate is valid
    C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -V -n "CA certificate" -u V
    certutil.exe: certificate is valid

However, I'm still seeing the same errors in /opt/fedora-ds/slapd-<instance>/logs/errors:

    [28/May/2007:13:13:29 -0300] NSMMReplicationPlugin - agmt="cn=winsync" (adserver:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.)

If I create a sync agreement which doesn't use SSL, using port 389 directly, I can do synchronization both ways (to and from AD and to and from FDS), but I have no users' passwords synchronized, and this is crucial for me to get working.

Any ideas on what I should be looking at, or on where the problem is hiding itself?

Regards,

--
André Luís Lopes
andrelop@aw2net.com.br