HI All,
I am trying to sync FDS and ADC. I have done everything in
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
But somehow it does not work ....
I am getting this error in the FDS error log...
5/May/2008:07:45:42 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:46:30 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:48:06 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:51:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:56:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:08:01:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
from passsync.log
---------------
Ldap bind error in Connect
81:Can't connect to LDAP Server
Can not connect to ldap server in syncPasswords
-------------------------
--
Regards
Vipul Ramani
Rich Megginson
2008-Aug-13 20:35 UTC
Re: [Fedora-directory-users] FDS and Active directory Sync
Vipul Ramani wrote:
> I am getting this error in the FDS error log...
> [15/May/2008:07:46:30 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [...]

Looks like you're attempting to do client cert based auth? You probably want to just do simple password auth over SSL.

> from passsync.log
> ---------------
> Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> Can not connect to ldap server in syncPasswords
>
> --
> Regards
> Vipul Ramani
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Vipul Ramani
2008-Aug-13 21:17 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Can you suggest good documentation? I have a query about
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
-------
1. Create a new cert8.db and key.db using certutil.exe on the Password Sync machine.
   certutil.exe -d . -N
   ln -s slapd-serverID-cert8.db cert8.db
   ln -s slapd-serverID-key3.db key3.db
-------
This procedure is creating so much confusion ...
- 1st, what to do once the new cert8.db and key.db are created on the Windows ADC box?
- 2nd, ln is not part of Windows???

I changed it ..but now I am getting this error ...
NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> [...]

--
Regards
Vipul Ramani
Rich Megginson
2008-Aug-13 21:28 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> Can you suggest good documentation? I have a query about
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
> 1. Create a new cert8.db and key.db using certutil.exe on the Password Sync machine.
>    certutil.exe -d . -N
>    ln -s slapd-serverID-cert8.db cert8.db
>    ln -s slapd-serverID-key3.db key3.db
>
> This procedure is creating so much confusion ...
> - 1st, what to do once the new cert8.db and key.db are created on the Windows ADC box?
> - 2nd, ln is not part of Windows???

Looks like a doc bug. You don't need to do the ln steps.

> I changed it ..but now I am getting this error ...
> NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

Has the active directory been configured to use SSL?

> On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> > [...]
Vipul Ramani
2008-Aug-13 21:39 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Hi Rich,
Yes, it is enabled, and I am still getting the same error .. I am able to connect using LDAP Browser. Is there any other way to debug in depth to resolve this problem...
( no firewall, no access list, nothing is blocking... )
Can you suggest which document I have to follow ... I tried Fedora, Red Hat, but even when I follow them step by step it does not work .....
--
Regards
Vipul Ramani
Rich Megginson
2008-Aug-13 21:42 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> Yes, it is enabled, and I am still getting the same error .. I am able to connect using LDAP Browser. Is there any other way to debug in depth to resolve this problem...
> [...]

See if ldapsearch from the command line works:

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-yourinstance -D "cn=administrator,cn=users,dc=yourdomain,dc=com" -w thepassword -s base -b "" "objectclass=*"
Vipul Ramani
2008-Aug-13 21:53 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Hi Rich,
I did it ..but I am getting the error. :(
I ran it from my directory server ....
[root@linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200 -p 636 -Z -P /etc/dirsrv/slapd-linux1 -D "cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
SSL error -5938 (Encountered end of file.)
[root@linux1 ~]#
--
Regards
Vipul Ramani
Rich Megginson
2008-Aug-13 21:57 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> I ran it from my directory server ....
> [root@linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200 -p 636 -Z -P /etc/dirsrv/slapd-linux1 -D "cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base -b "" "objectclass=*"
> ldap_simple_bind: Can't contact LDAP server
> SSL error -5938 (Encountered end of file.)
> [root@linux1 ~]#

For one, it probably won't work to use -h IPaddress - in order to do the cert validation, it needs the FQDN of the windows host - that FQDN must be the value of the leftmost cn= in the AD server cert subjectDN. But this error indicates it's not even getting that far. Either AD is not listening on 636, or there is some sort of network/firewall problem.

> [...]
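The checks Rich gives in this thread, gathered into one small helper: an `ldap_sasl_bind("",LDAP_SASL_EXTERNAL)` alert means the agreement is doing client-cert auth rather than a password bind; LDAP error 81 together with NSPR -5938 means the peer closed the socket before any TLS handshake (nothing serving LDAPS on 636, or a network problem); and the host must be the FQDN that equals the leftmost CN of the AD server cert. This is an added example, not code from the thread or from Fedora DS; the sample log lines are constructed from the ones quoted here, and `probe_ldaps` assumes you pass the PEM CA cert that issued the AD server cert (the same CA FDS must trust).

```python
import ipaddress
import re
import socket
import ssl

# Constructed sample lines, modelled on the FDS error-log entries quoted in this thread.
SASL_LINE = ('[15/May/2008:07:45:42 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 '
             '(Netscape Portable Runtime error -5938 - Encountered end of file.)')
SIMPLE_LINE = ('NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed, LDAP sdk error 81 '
               "(Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)")

SIMPLE_BIND_RE = re.compile(r'agmt="([^"]+)" \(([^:]+):(\d+)\): Simple bind failed, LDAP sdk error (\d+)')
NSPR_RE = re.compile(r"Netscape Portable Runtime error (-?\d+)")

def triage(line):
    """Map one FDS error-log line to (cause, advice); None if it is not a sync bind failure."""
    nspr = NSPR_RE.search(line)
    nspr_err = int(nspr.group(1)) if nspr else None
    if 'ldap_sasl_bind("",LDAP_SASL_EXTERNAL)' in line:
        # SASL EXTERNAL means the agreement is attempting client-cert auth, not a password bind.
        return ("sasl-external", "agreement uses client-cert auth; use a simple bind over SSL instead")
    m = SIMPLE_BIND_RE.search(line)
    if m and m.group(4) == "81" and nspr_err == -5938:
        # LDAP error 81 plus NSPR EOF: the peer closed the socket before any TLS handshake.
        agmt, host, port = m.group(1), m.group(2), m.group(3)
        return ("no-tls-listener", f"{agmt}: {host}:{port} is not serving LDAPS, or the path is blocked")
    return None

def host_is_fqdn(host):
    """ldapsearch -h and the agreement host must be a DNS name, not an IP, to match the cert CN."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host

def leftmost_cn(subject_dn):
    """Leftmost CN of an RFC 2253 DN string such as 'CN=dc1.example.com,OU=...,DC=...'."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return value.replace("\\,", ",")
    return None

def cert_matches_host(subject_dn, host):
    """True when the cert's leftmost CN equals the FQDN the agreement connects to."""
    cn = leftmost_cn(subject_dn)
    return host_is_fqdn(host) and cn is not None and cn.lower() == host.lower()

def probe_ldaps(host, port=636, cafile=None, timeout=5):
    """Live check (needs network): connect, TLS handshake against cafile (the CA that issued the AD cert), CN match."""
    if not host_is_fqdn(host):
        return {"ok": False, "error": "use the FQDN, not an IP address"}
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # getpeercert() lists RDNs in cert order; reversed gives the CN-first string form FDS compares against.
                subject = ",".join(("CN" if k == "commonName" else k) + "=" + v
                                   for rdn in reversed(tls.getpeercert()["subject"]) for k, v in rdn)
                return {"ok": cert_matches_host(subject, host), "subject": subject}
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return {"ok": False, "error": f"{host}:{port}: {exc}"}
```

A handshake that fails hostname or CA validation is reported in the `error` field rather than raised, so the probe can be run in a loop over every agreement host.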
Vipul Ramani
2008-Aug-13 22:22 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Cheers, Rich
Yes, you're right ... I tried with the hostname instead of the IP address.
I created a new Windows sync agreement. But this time I did not select the SSL connection.. then replication is happening.. but I noticed the userPassword field is missing in all users ( which are replicated from ADC ) .. why is it so ... is SSL mandatory to copy passwords from ...ADC to FDS ??
Why is userPassword ( the Windows password attribute ) not replicated on LDAP ??? .
I made some progress..
Rich Megginson
2008-Aug-13 22:30 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> [...] is SSL mandatory to copy passwords from ...ADC to FDS ??

Yes

> Why is userPassword ( the Windows password attribute ) not replicated on LDAP ??? .

AD requires an SSL connection for password changes

> I made some progress..
Vipul Ramani
2008-Aug-13 23:15 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Cheers, Rich, great. The only thing now is that I have to find out how to enable SSL on ADC ..and most of the work will be done .... it is syncing over port 389 ..but only the password attribute is not replicated ..because SSL is not enabled on ADC ...
Anyway, thanks for your gr8 ...help
I feel I will create step-by-step documentation and share it with the community ....
On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> [...]
--
Regards
Vipul Ramani
Vipul Ramani
2008-Aug-14 00:01 UTC
[Fedora-directory-users] Re: FDS and Active directory Sync
Rich,
Do I really need CA certification on the ADC server to enable SSL on ADC ... is it not possible to work it out by installing a self-signed certificate, signed by my FDS ( linux server ), into ADC and making it SSL enabled ??
Is there any way to work around it ???
On Wed, Aug 13, 2008 at 4:15 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> [...]
--
Regards
Vipul Ramani
Rich Megginson
2008-Aug-14 01:23 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> Do I really need CA certification on the ADC server to enable SSL on ADC ... is it not possible to work it out by installing a self-signed certificate, signed by my FDS ( linux server ), into ADC and making it SSL enabled ??

I'm not sure. Firstly, there is http://directory.fedoraproject.org/wiki/Howto:WindowsSync

In order for AD to be an SSL server, you have to generate a server cert from a CA or CA cert. I don't know much about this part. The easiest way is probably to use MS Cert Server to issue the AD SSL server cert. If you do that, you'll also have to get the CA cert because you must install that CA cert in the Fedora DS cert db. In Windows sync (except for the password part), Fedora DS is the client side of SSL, so it must have the CA cert of the CA that issued the AD server cert. For passsync, passsync is the client side of SSL, so it must have the CA cert of the CA that issued the Fedora DS SSL server cert.

> Is there any way to work around it ???
> [...]
Nathan Kinder
2008-Aug-14 15:21 UTC
Re: [Fedora-directory-users] Re: FDS and Active directory Sync
Vipul Ramani wrote:
> Do I really need CA certification on the ADC server to enable SSL on ADC ... is it not possible to work it out by installing a self-signed certificate, signed by my FDS ( linux server ), into ADC and making it SSL enabled ??

Yes, you can do this. See this article: http://support.microsoft.com/kb/321051

-NGK

> Is there any way to work around it ???
> [...]