Hi,

Â*I am trying to integrate RHDS 8.0 with windows 2003 ADSÂ* on
RHEL5 as per the RHELÂ* documentation for user/group and password
sync from windows ADS.

Â*I am using windows sync and Passsync . But i am facing problem with the certificate creation.



################################################## ########################
Followed the below step in RHDS box runing on rhel5 to setup ssl.
##############################
#############################################


vi pin.txt

secretpw

Create a noise file for the encryption

vi noise.txt
dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlf hjsdk

Create the key and certificate databases database

certutil -N -d . -f pin.txt (results, makes 3 files with db extension)

Generate the encryption key

certutil -G -d . -z noise.txt -f pin.txt

Generate the self-signed CA certificate

certutil -S -n "CA Certificate" -s "cn=CAcert" -x -t "CT,,"
-m 1000 -v 9999 -d . -z noise.txt -f pin.txt

(generates CA certificate and puts into db stores, can be verified with:




certutil –L –d . –n "Certificate Name", where Certificate Name is CA Certificate)

Generate the Directory Server Client Certificate

certutil -S -n "server-cert" -s "cn=ldapproxy.example.com,cn=Directory Server" -c "CA Certificate" -t "u,u,u" -m 1001 -v 9999 -d .

-z noise.txt -f pin.txt
Convert to pkcs12 format (note these files will be used within
the AD system, and the prompted password for the commands below will
need to match password in pin.txt file)

pk12util -d . -o cacert.pk12 -n "CA Certificate"
pk12util -d . -o dscert.pk12 -n "server-cert"

################################################## ################################################## ###########################





After that when i executed ldapsearch -x -ZZ it showing all the entries properly on rhds rhel box,
Â*so its indicates ssl was perfectly configured on RHDS
################################################## ################################################## ##############################





STEPS FOLLOWED ON WINDOWS 2003 ADS BOX to Set up SSL on the Active Directory Server

windows ads domain: example.com
windows FQDN: testing.example.com

Install a certificate authority in the Windows Components section in Add/Remove Programs .
Select the Enterprise Root CA option.
Make sure to use the hostname as the DN serverX and then for
the domain dc=example,dc=com (note, this should resemble your FQDN)
Reboot Windows Machine
Log back in to the box...give it a little while, it's windowsÂ*:-)
Got to Start>>Run>>mmc
Under File>>Add/Remove Snap-in
Click Add, Click Certificates, Click Add, Click Computer Account, Click Next and finish
Go to Trusted Root Certificates>>Certificates>>Right Click>>All Tasks>>Import
Go to where you copied the pk12 files from earlier and import the cacert.pk12Â* [CREATED IN RHDS RUNNING ON rhel ]

Create DB Stores For PassSync in windows 2003 ads server




Copy .pk12 files that were put on Windows system to C:Program FilesRed Hat Directory Password Synchronization
In this directory run certutil -d . -N (from dos command)
This creates empty db stores, next run the following to import your dscert.pk12 into the key store

pk12util -d . -i dscert.pk12

Then give trusted peer status to the server

certutil -d . -M -n server-cert -t "P,P,P"

ERROR



When i executed the above command on windows 2003 ads box it giving me following error



certutil.exe unable to decode trust strings error 0





Also the certificate created from rhel box using certutil



is showing validation dateÂ* and expiration date asÂ* current date and time in bothÂ* CA Cert andÂ*Â* Server-cert



i checked the certificate content by using



certutil –L –d . –n "Certificate Name"certutil –L –d . –n "Server-cert"




Plz help me how to troubleshoot this error.

Regards
lingu




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users