kiran madala
2008-Jan-09 14:35 UTC
[Fedora-directory-users] Windows Active Directory sync Help!
Hello,

I am trying to sync the DS with AD. Since I am new to AD and DS I have a few questions.

I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?

In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain Admin of the AD?

When trying to synchronize with AD, should the bind DN user (in the screenshot) be in both AD and DS?

I have attached the screenshot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make so that it synchronizes groups as well?

Thanks in advance
kiran madala
2008-Jan-09 17:43 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
As far as I understand from reading the docs again, the user specified in the sync agreement and the bind DN should be the same and must exist on Active Directory with Domain Admin privileges. But I have other issues now.

The DS server is unable to connect to my AD. I enabled SSL by copying the same root certificate into AD and also generating a server certificate, and opened up ports in the firewall. Am I missing something like allowing client authentication on the AD machine?

My current certificates are as follows:

DS has its own server certificate
AD has its own server certificate
All 3 servers (AS, DS and AD) have the same CA root certificate
Rich Megginson
2008-Jan-09 17:52 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> As far I understand by reading docs again that the user specified in the Syn agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>
> The DS server is unable to connect to my AD.
What error messages are you getting? Check the error log.

You can also try using ldapsearch. Are you using Fedora DS 1.1 or 1.0.4? What OS?
> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>
You don't need to use cert based client auth. You can use regular username/password auth over TLS/SSL.
> My currents certificates are as follows.
>
> DS has its own server certificate
> AD has its own server certificate
> ALL 3 servers AS,DS and AD have the same CA root certificate
kiran madala
2008-Jan-09 18:03 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
I am using Fedora 1.1 on a Fedora 6 x86 machine. When I fill in the entries and click Next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field can I specify the IP address of the machine?

The error log for the DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.

[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Jan 09 09:15:28 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:29 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:43 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:44 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
Rich Megginson
2008-Jan-09 18:09 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> I am using Fedora 1.1 on Fedora 6 x86 machine. When i fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?.
>
> The error log for DS server is below. The IP is the windows xp machine on whcih I am runnign the remote DS console.
>
> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
> <snip>
>
Actually, this is the error log for the admin server. The error log for the directory server is in /var/log/dirsrv/slapd-INSTANCE where INSTANCE is your instance name.

The console might be failing to connect to AD because the console has a separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need to add the CA cert in this directory too:

certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
Rich Megginson
2008-Jan-09 18:12 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> Hello,
>
> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>
> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>
No. TLS/SSL is only required for password sync.
> In the replica settings the supplier DN user need to be on both AD and DS
No, only on AD
> with should be a Domain admin of the AD?
>
Domain admin is the easiest way to go - harder but safer would be to create a special user that has read/write access to the subtree only.
> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>
> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups aswell.
>
You should definitely not use o=NetscapeRoot. When you ran setup, it should have created a suffix for use with users and groups e.g. dc=netscaper,dc=com
> Thanks in advance
kiran madala
2008-Jan-09 18:36 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
Sorry, here is the error log for the DS server:

[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)

It cannot connect to AD. I imported the CA certificate into the installation folder of the console on the Windows XP machine.
Rich Megginson
2008-Jan-09 18:43 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> Sorry here is the error log for DS server
>
> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>
> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>
Did you configure the agreement to use SSL? Error 91 means some sort of connection problem, or invalid argument to the LDAP API e.g. you are attempting to use LDAP on the secure port instead of LDAPS.

You can verify that TLS/SSL is working by using ldapsearch from the command line. On the directory server machine:

/usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"

Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
kiran madala
2008-Jan-09 21:03 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
I keep getting these errors when trying to initiate sync:

[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

ldapsearch is not installed on my machine, so I could not do a search.
kiran madala
2008-Jan-09 21:23 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
Also the console gives me this error when I click on manage certificates on the DS server and it never opens up. It works fine on the AS server.

Exception during event dispatch:
java.lang.NullPointerException
   at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
   at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
   at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
   at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
   at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
   at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
   at java.awt.Component.processMouseEvent(libgcj.so.7rh)
   at java.awt.Component.processEvent(libgcj.so.7rh)
   at java.awt.Container.processEvent(libgcj.so.7rh)
   at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Component.dispatchEvent(libgcj.so.7rh)
   at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
   at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
   at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Component.dispatchEvent(libgcj.so.7rh)
   at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
   at java.awt.EventDispatchThread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
   at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
   at java.lang.Thread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
   at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
   at java.lang.Thread.run(libgcj.so.7rh)

> From: kirankmadala@hotmail.com
> To: fedora-directory-users@redhat.com
> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
> Date: Wed, 9 Jan 2008 17:03:18 -0400
>
> I keep getting these errors when trying to initiate sync
>
> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>
> The LDAP search is not installed on my machine so I could not do a search
>
>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>> From: rmeggins@redhat.com
>> To: fedora-directory-users@redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>> Sorry here is the error log for DS server
>>>
>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>
>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>
>> Did you configure the agreement to use SSL? Error 91 means some sort of
>> connection problem, or invalid argument to the LDAP API e.g. you are
>> attempting to use LDAP on the secure port instead of LDAPS.
>>
>> You can verify that TLS/SSL is working by using ldapsearch from the
>> command line. On the directory server machine:
>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>
>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
kiran madala
2008-Jan-09 22:52 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
I have a few more questions.

There are 2 different ways to create and import certificates: the one described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and the one described in the Fedora documentation using certutil. Which one should I be using?

The cacert.asc should be in the configuration folders of both DS and AS server? I don't have it in either of them now because I installed the CA from the console.

The purpose of doing this is to get the groups and users information from Active Directory and store it in our own database through Fedora DS. Is this possible, by editing a script or any other way?

Thank you.
Rich Megginson
2008-Jan-10 01:25 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> I keep getting these errors when trying to initiate sync
>
> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>
You have configured it to use SSL Client Auth. You should disable this and just use TLS/SSL with simple username/password bind.

> The LDAP search is not installed on my machine so I could not do a search
>
yum install mozldap-tools
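Log triage for the two error patterns in this thread, as an added example (not code from Fedora Directory Server or from anyone on the list). It parses the errors-log lines quoted above, pulls out the LDAP and NSPR codes, and maps each line to the fix Rich gave: a client-auth bind failure means the agreement should use a simple bind over TLS/SSL, and LDAP error 91 means checking the LDAPS/CA-trust setup with ldapsearch -Z. The sample lines are constructed from the log output quoted in the thread; the admin-server line is included to show it is not a directory server error.

```python
"""Triage replication-agreement errors from a Fedora DS / 389 DS errors log.

Added example for this thread, not code from Fedora Directory Server or from
anyone on the list. It parses the two errors-log line formats quoted in the
thread (the "SSL alert" line and the NSMMReplicationPlugin agreement line),
extracts the LDAP and NSPR error codes, and maps each line to the fix that was
discussed. SAMPLE_LOG is constructed from the lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# [ts] NSMMReplicationPlugin - agmt="cn=NAME" (host:port): message
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+agmt="(?P<agmt>[^"]+)"'
    r'\s+\((?P<host>[^:()]+):(?P<port>\d+)\):\s+(?P<msg>.*)$'
)
# [ts] - SSL alert: function(args) rc (message)
SSL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+-\s+SSL alert:\s+(?P<func>\w+)\((?P<args>[^)]*)\)'
    r'\s+(?P<rc>-?\d+)\s+\((?P<msg>.*)\)$'
)
LDAP_ERR_RE = re.compile(r'LDAP (?:sdk )?error (-?\d+)')
NSPR_ERR_RE = re.compile(r'Netscape Portable Runtime error (-?\d+)')

LDAP_CONNECT_ERROR = 91  # LDAP SDK: can't contact the LDAP server


@dataclass
class Finding:
    timestamp: str
    agreement: Optional[str]
    host: Optional[str]
    port: Optional[int]
    ldap_error: Optional[int]
    nspr_error: Optional[int]
    category: str
    action: str


def _code(pattern: "re.Pattern[str]", text: str) -> Optional[int]:
    m = pattern.search(text)
    return int(m.group(1)) if m else None


def classify(msg: str, func: Optional[str], ldap_error: Optional[int]) -> Tuple[str, str]:
    """Map a parsed line to a category and the corrective action from the thread."""
    if func == "ldapssl_enable_clientauth" or "SSL client authentication failed" in msg:
        return ("ssl-client-auth",
                "The agreement binds with SSL client authentication (a certificate) and "
                "the server's key/cert could not be used for it. Windows Sync does not "
                "need cert-based client auth: set the agreement to a simple bind "
                "(DN + password) over TLS/SSL.")
    if ldap_error == LDAP_CONNECT_ERROR:
        return ("connect",
                "LDAP error 91: no connection to the AD host, or plain LDAP was tried on "
                "the LDAPS port. Confirm the agreement uses SSL for port 636, that the "
                "AD CA cert is trusted in the DS cert db, and test TLS from the DS host "
                "with ldapsearch -Z.")
    return ("other", "Not one of the failure patterns from the thread; read the message.")


def parse_line(line: str) -> Optional[Finding]:
    """Parse one errors-log line; lines in other formats (for example the
    admin server's Apache-style log) return None."""
    m = AGMT_RE.match(line)
    if m:
        msg = m.group("msg")
        ldap_error = _code(LDAP_ERR_RE, msg)
        category, action = classify(msg, None, ldap_error)
        return Finding(m.group("ts"), m.group("agmt"), m.group("host"),
                       int(m.group("port")), ldap_error, _code(NSPR_ERR_RE, msg),
                       category, action)
    m = SSL_RE.match(line)
    if m:
        msg = m.group("msg")
        category, action = classify(msg, m.group("func"), None)
        return Finding(m.group("ts"), None, None, None, None,
                       _code(NSPR_ERR_RE, msg), category, action)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return a Finding for every agreement/SSL line in the log text."""
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


# Constructed sample: the lines quoted in the thread, plus the admin-server
# line that was posted by mistake (it is not a directory server error).
SAMPLE_LOG = """\
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = f"{f.agreement} -> {f.host}:{f.port}" if f.agreement else "(SSL layer)"
        print(f"{f.timestamp} {where} [{f.category}] ldap={f.ldap_error} nspr={f.nspr_error}")
        print("   " + f.action)
```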
Rich Megginson
2008-Jan-10 01:31 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:> I have few more questions > > There are 2 different ways to create and import certificates described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and described in fedora documentation using certutil which one should i be using. >Use the console if you can, otherwise use the command line tools. The console really assumes you are in an enterprise environment which has a real CA, which you can actually submit cert requests to and receive certs from.> The cacert.asc should be in the configuration folders of both DS and AS server? I don''t have it in neither of them now because I installed the CA from the console. >You can export the CA cert from the cert db using the console I think, and definitely using the command line. http://directory.fedoraproject.org/wiki/Howto:SSL#Export_the_CA_cert> The pupose of doing this is to get the groups and users information from Active Directory and store in our own database through Fedora DS. Is This possible? by editing script or anyways? >You do not have to use TLS/SSL with windows sync - only if you will be using the password sync component.> Thank you. > > > ---------------------------------------- > >> From: kirankmadala@hotmail.com >> To: fedora-directory-users@redhat.com >> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help! >> Date: Wed, 9 Jan 2008 17:23:14 -0400 >> >> >> Also the console give me thsi error when Icick on manage certificates on the DS server and never opens up. 
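For the CA-cert step Rich points at above (export the CA from the instance's cert db, then get it into the console's own db), here is a small script added as an example; it is not code from the thread or from the Fedora DS project. The instance name slapd-example, the export path /tmp/cacert.asc and the AD hostname argument are assumptions, while the nickname "CA certificate", the trust flags "CT,,", the ~/.fedora-idm-console path and port 636 come from the thread; the trust-flag check parses `certutil -L` output so it can be exercised on a captured listing.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora DS project): export the CA
# cert the Directory Server instance already trusts, import it into the
# console's separate NSS database and verify it carries the trust flags a TLS
# client needs before blaming the sync agreement for connection failures.
set -e

INSTANCE_DB="${INSTANCE_DB:-/etc/dirsrv/slapd-example}"   # assumed instance name
CONSOLE_DB="${CONSOLE_DB:-$HOME/.fedora-idm-console}"      # console cert/key db (1.1)
CA_NICK="${CA_NICK:-CA certificate}"                        # nickname used in the thread
CA_FILE="${CA_FILE:-/tmp/cacert.asc}"                       # assumed export path

# Export the CA cert from the instance's cert db in PEM ("ASCII") form.
export_ca_cert() {
    certutil -L -d "$INSTANCE_DB" -n "$CA_NICK" -a > "$CA_FILE"
}

# Count PEM certificate blocks in a file; exactly one is expected for the CA.
# 0 means the export produced nothing, more than 1 means a chain was exported.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Import the CA into the console db with the trust flags from the thread:
# C = trusted to issue server (SSL) certs, T = trusted to issue client certs.
import_ca_cert() {
    certutil -A -d "$CONSOLE_DB" -n "$CA_NICK" -t "CT,," -a -i "$CA_FILE"
}

# Read "certutil -L -d <db>" output on stdin and succeed only if the given
# nickname is listed with the C flag in the first (SSL) trust column.
# certutil prints lines such as:   CA certificate     CT,,
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flags field
            if (name == nick) {
                split(flags, col, ",")
                if (index(col[1], "C") > 0) { found = 1 }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# The connectivity check from the thread: an LDAPS base search against AD,
# validating the server cert with the instance's cert db. The sync agreement
# in the thread used port 636; -Z tells the mozldap ldapsearch to use SSL.
verify_ldaps() {
    /usr/lib/mozldap/ldapsearch -h "$1" -p 636 -Z -P "$INSTANCE_DB" \
        -s base -b "" "objectclass=*"
}

main() {
    export_ca_cert
    [ "$(pem_cert_count "$CA_FILE")" = 1 ] ||
        { echo "expected exactly one certificate in $CA_FILE" >&2; exit 1; }
    import_ca_cert
    certutil -L -d "$CONSOLE_DB" | ca_trusted_for_ssl "$CA_NICK" ||
        { echo "$CA_NICK is not trusted for SSL in $CONSOLE_DB" >&2; exit 1; }
    echo "CA imported into $CONSOLE_DB with SSL trust"
    if [ $# -ge 1 ]; then verify_ldaps "$1"; fi
}

# Runs only when asked for, e.g.: RUN_MAIN=1 sh ca_to_console.sh ad.example.com
if [ "${RUN_MAIN:-0}" = 1 ]; then main "$@"; fi
```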
Rich Megginson
2008-Jan-10 01:33 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> Also the console gives me this error when I click on manage certificates on the DS server and it never opens up. It works fine on the AS server.
>
Looks like a bug. Are you using the IcedTea java on Fedora 8?

> Exception during event dispatch:
> java.lang.NullPointerException
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>    at java.awt.Component.processEvent(libgcj.so.7rh)
>    at java.awt.Container.processEvent(libgcj.so.7rh)
>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
kiran madala
2008-Jan-10 14:38 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
I am using Java 1.4 on Fedora 6 with Fedora DS 1.1.

----------------------------------------
> Date: Wed, 9 Jan 2008 18:33:47 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> Also the console gives me this error when I click on manage certificates on the DS server and it never opens up. It works fine on the AS server.
>>
> Looks like a bug. Are you using the IcedTea java on Fedora 8?
kiran madala
2008-Jan-10 14:42 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
Thank you, the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible, like AD-->FDS-->Own database. Is this a possibility? If it is, then how would I do it?

----------------------------------------
> Date: Wed, 9 Jan 2008 18:31:40 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> I have a few more questions.
>>
>> There are 2 different ways to create and import certificates, one described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and one described in the Fedora documentation using certutil. Which one should I be using?
>>
> Use the console if you can, otherwise use the command line tools. The
> console really assumes you are in an enterprise environment which has a
> real CA, which you can actually submit cert requests to and receive
> certs from.
>> The cacert.asc should be in the configuration folders of both the DS and AS server? I don't have it in either of them now because I installed the CA from the console.
>>
> You can export the CA cert from the cert db using the console I think,
> and definitely using the command line.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Export_the_CA_cert
>> The purpose of doing this is to get the groups and users information from Active Directory and store it in our own database through Fedora DS. Is this possible, by editing a script or some other way?
>>
> You do not have to use TLS/SSL with windows sync - only if you will be
> using the password sync component.
>> Thank you.
>>>>>>>>> >>>>>>>>> kiran madala wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> As far I understand by reading docs again that the user specified in the Syn agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now. >>>>>>>>>> >>>>>>>>>> The DS server is unable to connect to my AD. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> What error messages are you getting? Check the error log. >>>>>>>>> >>>>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or >>>>>>>>> 1.0.4? What OS? >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> You don''t need to use cert based client auth. You can use regular >>>>>>>>> username/password auth over TLS/SSL. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> My currents certificates are as follows. >>>>>>>>>> >>>>>>>>>> DS has its own server certificate >>>>>>>>>> AD has its own server certificate >>>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ---------------------------------------- >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> From: kirankmadala@hotmail.com >>>>>>>>>>> To: fedora-directory-users@redhat.com >>>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400 >>>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions. >>>>>>>>>>> >>>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL? 
>>>>>>>>>>> >>>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD? >>>>>>>>>>> >>>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups aswell. >>>>>>>>>>> >>>>>>>>>>> Thanks in advance >>>>>>>>>>> _________________________________________________________________ >>>>>>>>>>> Exercise your brain! Try Flexicon! >>>>>>>>>>> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> _________________________________________________________________ >>>>>>>>>> Use fowl language with Chicktionary. Click here to start playing! >>>>>>>>>> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>> _________________________________________________________________ >>>>>>>> Read what Santa`s been up to! For all the latest, visit asksantaclaus.spaces.live.com! >>>>>>>> http://asksantaclaus.spaces.live.com/ >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users@redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> _________________________________________________________________ >>>>>> Introducing the City @ Live! Take a tour! 
>>>>>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users@redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>> _________________________________________________________________ >>>> Express yourself instantly with MSN Messenger! Download today it''s FREE! >>>> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users@redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> _________________________________________________________________ >>> Exercise your brain! Try Flexicon! >>> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> _________________________________________________________________ >> Read what Santa`s been up to! For all the latest, visit asksantaclaus.spaces.live.com! >> http://asksantaclaus.spaces.live.com/ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >_________________________________________________________________ Introducing the City @ Live! Take a tour! http://getyourliveid.ca/?icid=LIVEIDENCA006
Rich Megginson
2008-Jan-10 17:25 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> I am using Java 1.4 on Fedora 6 with fedora ds1.1
>
The stack trace below shows (libgcj.so.7rh) which means it is using the gcj free java. You must install a proprietary Java in order to run the console if you are not using Fedora 8. See http://directory.fedoraproject.org/wiki/Install_Guide#Java_is_required_for_the_console

> ----------------------------------------
>
>> Date: Wed, 9 Jan 2008 18:33:47 -0700
>> From: rmeggins@redhat.com
>> To: fedora-directory-users@redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>
>>> Also the console gives me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server
>>>
>> Looks like a bug. Are you using the IcedTea java on Fedora 8?
>>
>>> Exception during event dispatch:
>>> java.lang.NullPointerException
>>>     at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>     at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>     at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>>>     at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>>>     at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>>>     at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>>>     at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>>>     at java.awt.Component.processEvent(libgcj.so.7rh)
>>>     at java.awt.Container.processEvent(libgcj.so.7rh)
>>>     at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>>>     at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>     at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>     at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>>>     at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>>>     at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>     at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>>>     at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>     at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>>>     at java.awt.EventDispatchThread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>     at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>     at java.lang.Thread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>     at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>     at java.lang.Thread.run(libgcj.so.7rh)
Rich Megginson
2008-Jan-10 17:40 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> Thank you the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>
> Like AD-->FDS-->Own database
>
> Is this a possibility? If it is then how would I do it?
>
The usual way to do this is to write a script to use ldapsearch to pull changes from Fedora DS and write them to your database.
kiran madala
2008-Jan-10 18:43 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
But isn't it how the fedora ds does the AD sync? I mean can I just write the script to connect to AD directly and do ldapsearch for updates?

Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?

If so what are the docs and packages I should be looking at?

Thanks in advance
Rich Megginson
2008-Jan-10 18:48 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> But isn't it how the fedora ds does the AD sync? I mean can I just write the script to connect to AD directly and do ldapsearch for updates?

Yes. The thing is that Fedora DS will not automatically send changes to a database. You'd have to write a plugin for that. It's much simpler to just script it - most scripting languages have ODBC/SQL support as well as LDAP support.

> Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?

I'm not sure what you mean by "against his/her group".

> If so what are the docs and packages I should be looking at?
kiran madala
2008-Jan-10 19:26 UTC
RE: [Fedora-directory-users] Windows Active Directory sync Help!
Maybe I will just try to write a script to store the sync values from Fedora. Where can I find the documentation as to how the fedora performs the sync and where does it store? I mean development wise.
Rich Megginson
2008-Jan-10 19:48 UTC
Re: [Fedora-directory-users] Windows Active Directory sync Help!
kiran madala wrote:
> Maybe I will just try to write a script to store the sync values from Fedora. Where can I find the documentation as to how the fedora performs the sync and where does it store? I mean development wise.
>
There are a number of ways to do it, depending on what you are actually trying to do.

If you just need to pull changes from AD, one direction only, you could use the AD DirSync control. This is essentially what Fedora DS uses to pull changes from AD. I don't know if there are any *nix clients with built-in DirSync support, but you could create your own with Net::LDAP and the ASN.1 creator/parser and BER codec.

There are a number of ways to get changes from Fedora DS.
1) ldapsearch ... (modifyTimestamp>=somevalue)
2) enable audit logging then parse the audit log file
3) enable the Retro changelog and search cn=changelog

These can be used with or without persistent search provided by the mozldap ldapsearch command line tool.
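The "script that pulls changes from Fedora DS and writes them to your database" discussed in the last few messages, as an added example that is not from this thread or from the Fedora DS project: it takes option 3 (Retro changelog, search cn=changelog) and replays the entries into a local SQLite table with a resumable checkpoint. The changelog result is constructed sample data in the (dn, {attr: [bytes]}) shape that python-ldap's search_s() returns; the read-only bind account and the "(changenumber>=N)" filter named in the docstring are assumptions, and nothing here contacts a directory.

```python
"""Replay Fedora DS retro changelog entries into a local SQL database.

Added example, not code from this thread or from Fedora DS: option 3 above
(Retro Changelog, search cn=changelog) feeding "your own database".
SAMPLE_RESULT is constructed, in the (dn, {attr: [bytes]}) shape python-ldap's
search_s() returns, so nothing contacts a directory; SQLite is in-memory.
A real poll would bind over TLS as an assumed read-only account and search
cn=changelog with "(changenumber>=LAST+1)".
"""
import sqlite3

TRACKED = ("uid", "cn", "mail")  # directory attributes mirrored as columns

# Constructed sample: an add, a modify (replace mail) and a delete.
SAMPLE_RESULT = [
    ("changenumber=101,cn=changelog", {
        "changeNumber": [b"101"],
        "targetDn": [b"uid=jdoe,ou=People,dc=example,dc=com"],
        "changeType": [b"add"],
        "changes": [b"uid: jdoe\ncn: John Doe\nmail: jdoe@example.com\n"]}),
    ("changenumber=102,cn=changelog", {
        "changeNumber": [b"102"],
        "targetDn": [b"uid=jdoe,ou=People,dc=example,dc=com"],
        "changeType": [b"modify"],
        "changes": [b"replace: mail\nmail: john.doe@example.com\n-\n"]}),
    ("changenumber=103,cn=changelog", {
        "changeNumber": [b"103"],
        "targetDn": [b"uid=asmith,ou=People,dc=example,dc=com"],
        "changeType": [b"delete"]}),
]

def val(entry, name):
    """First value of attribute `name` decoded to str, or None when absent."""
    return entry[name][0].decode() if entry.get(name) else None

def parse_attr_lines(text):
    """Parse 'name: value' lines (an add's 'changes' value) into a dict."""
    pairs = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def parse_modlist(text):
    """Split a modify 'changes' value into (op, attr, values) tuples."""
    ops = []
    for block in text.split("\n-\n"):
        rows = [r for r in block.splitlines() if r.strip()]
        if rows:
            op, _, name = rows[0].partition(":")
            values = [r.partition(":")[2].strip() for r in rows[1:]]
            ops.append((op.strip().lower(), name.strip().lower(), values))
    return ops

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (dn TEXT PRIMARY KEY, uid, cn, mail)")
    conn.execute("CREATE TABLE sync_state (last_change INTEGER NOT NULL)")
    conn.execute("INSERT INTO sync_state VALUES (0)")  # resumable checkpoint
    return conn

def apply_changelog(conn, result):
    """Apply entries newer than the checkpoint, in changeNumber order and in
    one transaction with the checkpoint; returns how many were applied."""
    (last,) = conn.execute("SELECT last_change FROM sync_state").fetchone()
    entries = sorted((e for _, e in result if val(e, "changeNumber")),
                     key=lambda e: int(val(e, "changeNumber")))
    applied = 0
    with conn:
        for e in entries:
            num = int(val(e, "changeNumber"))
            if num <= last:
                continue  # already replayed on an earlier poll
            dn, ctype = val(e, "targetDn"), (val(e, "changeType") or "").lower()
            if ctype == "add":
                attrs = parse_attr_lines(val(e, "changes") or "")
                conn.execute("INSERT OR REPLACE INTO users VALUES (?,?,?,?)",
                             [dn] + [attrs.get(a) for a in TRACKED])
            elif ctype == "modify":
                for op, name, values in parse_modlist(val(e, "changes") or ""):
                    if name not in TRACKED:
                        continue  # whitelist: `name` is spliced into the SQL below
                    new = values[0] if op in ("add", "replace") and values else None
                    conn.execute(f"UPDATE users SET {name} = ? WHERE dn = ?", (new, dn))
            elif ctype == "delete":
                conn.execute("DELETE FROM users WHERE dn = ?", (dn,))
            # modrdn would also have to rewrite the dn column; not shown here.
            conn.execute("UPDATE sync_state SET last_change = ?", (num,))
            last, applied = num, applied + 1
    return applied

def get_user(conn, dn):
    """Return (uid, cn, mail) for dn, or None if it is not mirrored."""
    return conn.execute("SELECT uid, cn, mail FROM users WHERE dn = ?",
                        (dn,)).fetchone()
```

Running open_db() followed by apply_changelog(conn, SAMPLE_RESULT) applies the three sample changes and leaves the checkpoint at 103, so a second poll over the same result applies nothing.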