Jeff Gamsby
2006-Jun-07 22:31 UTC
[Fedora-directory-users] PassSync setup still not working
Please help me, I cannot get this to work. It's driving me crazy.
This is what I did:
Setup FDS over SSL using certutil.
Windows 2000 AD server with "Enterprise Certificate Authority"
Can search AD over SSL ( using ldp.exe, people search over ssl, and
openldap ldapsearch over ssl -H ldaps://)
Installed PassSync ( used FDS host, port 636, FDS Manager account
cn=Manager, FDS cert db password, FDS base )
Exported FDS certs ( per howto:ssl ) and imported them into AD (
certutil databases on windows side )
Setup changelog ( default ) and single master replication
Setup windows sync agreement ( bind as AD administrator account
cn=administrator,cn=users,....)
Then I test SSL connection from FDS to AD:
../shared/bin/ldapsearch -X -h ad-host -p 636 -D "cn=administrator,cn=users,..." -w - -s base -b "" "objectclass=*"
ldap_init( ad.server.xxx.xxx, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)
OpenLDAP ldapsearch
ldapsearch -x -H ldaps://ad-host works
On Windows Machine:
certutil -L -d .
CA certificate CT,C,C
Server-Cert Pu,Pu,Pu
On FDS server (FC4):
# ../shared/bin/certutil -L -d .
CA certificate CTu,u,u
Server-Cert u,u,u
I have no idea what to try next. Please help
David Boreham
2006-Jun-07 22:41 UTC
Re: [Fedora-directory-users] PassSync setup still not working
One thing to note, in case it isn't already clear: the SSL connection setup between FDS and AD is entirely orthogonal to the SSL connection from PassSync running on Win2k and FDS. From your e-mail it isn't clear to me that you're aware of this.

E.g. the certutil command you're running on Windows will relate only to the certs that PassSync will use to contact FDS. That has nothing to do with the SSL connection from FDS to AD (which will use the certs configured in FDS on one end, and the cert configuration in AD on the Windows end -- entirely separate from the aforementioned PassSync cert config).
Jeff Gamsby
2006-Jun-08 00:50 UTC
Re: [Fedora-directory-users] PassSync setup still not working
Thanks. Yes, I understand that.

From what I understand, the FDS (client, certutil db) is trying to talk to the AD (server, Microsoft CA) and the PassSync cert db just has the trusted FDS server certs (for synchronization).

Do I need to import the FDS server certs into AD, or export the AD certs into the FDS server?

Thanks again for your help.
David Boreham
2006-Jun-08 01:32 UTC
Re: [Fedora-directory-users] PassSync setup still not working
Jeff Gamsby wrote:
> Thanks. Yes, I understand that.
>
> From what I understand, the FDS (client, certutil db) is trying to talk to the AD (server, Microsoft CA) and the PassSync cert db just has the trusted FDS server certs (for synchronization).
>
> Do I need to import the FDS server certs into AD, or export the AD certs into the FDS server?

The FDS cert database needs to contain an exported copy of the CA cert used to sign the AD's server cert.
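An added example, not from the thread, illustrating David's answer: it parses certutil -L output (the listings Jeff posted, embedded here as constructed sample input) to show which entries NSS trusts as SSL CAs, and wraps the import step that puts the AD issuing CA into the FDS cert DB. The nickname "AD CA", the path /path/to/fds/alias and the file ad-ca.cer are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): parse `certutil -L` output from an NSS
# cert DB, list the CAs trusted to issue SSL server certs, and show the import
# step for the AD issuing CA. Nicknames and file names are placeholders.

# Read `certutil -L -d <db>` output on stdin and print the nickname of every
# entry whose SSL trust column contains "C" (trusted CA for SSL). NSS prints
# the trust triple (SSL,S/MIME,JAR/XPI) as the last field of each cert line;
# nicknames containing runs of spaces are re-joined with single spaces.
ssl_trusted_cas() {
    awk '
        NF >= 2 && $NF ~ /^[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*$/ {
            split($NF, t, ",")
            if (index(t[1], "C") > 0) {
                nick = $1
                for (i = 2; i < NF; i++) nick = nick " " $i
                print nick
            }
        }'
}

# Succeed (exit 0) only if nickname $1 appears as an SSL-trusted CA on stdin.
has_ssl_ca() {
    ssl_trusted_cas | grep -Fxq -- "$1"
}

# Import the AD issuing CA's certificate into the FDS NSS DB ($1) under
# nickname $2 from file $3 (DER; add -a for a base64/PEM export) with SSL CA
# trust, then ask NSS to validate it for the SSL CA usage (-u L).
import_ad_ca() {
    certutil -A -d "$1" -n "$2" -t "C,," -i "$3" &&
    certutil -V -d "$1" -n "$2" -u L
}

# Constructed sample: the FDS-side listing posted in the thread.
FDS_LISTING='Certificate Nickname                        Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

CA certificate                                     CTu,u,u
Server-Cert                                        u,u,u'

# "CA certificate" is trusted as an SSL CA, but the "u" flag shows it is the
# DB's own CA (private key present), not the CA that signed the AD server
# cert, so the FDS-to-AD bind still fails with SSL error -8179.
if printf '%s\n' "$FDS_LISTING" | has_ssl_ca "AD CA"; then
    echo "AD CA already trusted for SSL"
else
    echo "AD CA not in DB; run: import_ad_ca /path/to/fds/alias 'AD CA' ad-ca.cer"
fi
```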