07-31-2008, 09:18 AM
"Groot, Mathijs de (IDT Competence Java)"
Unable to SSL with Windows Sync Agreement

Hello everyone,

I can use some help with setting up the Windows Sync.

I'll give some context first: I'm trying to sync users, groups and passwords from a Windows 2003 server with Active Directory with a Red Hat Enterprise 5, Red Hat Directory Server 8.0.

It is a test environment where I can access and configure the servers easily.

But I've got some problems setting up a new Windows Sync Agreement.

It comes down to the following:

I can't get an SSL connection with a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server.

In the Windows Sync Server Info screen I get the following message when clicking on Next:

"unable to contact Active Directory server, continue"

(The Windows Sync Server Info screen is located in the Directory Server Console -> Configuration tab -> Replication -> userRoot -> highlight the database -> Object -> New Windows Sync Agreement -> the second screen reads Windows Sync Server Info.)

But when I uncheck the checkbox "Using encrypted SSL connection" the connection works and the Windows AD server is reached.

So I conclude (and I've tested) that the Windows server and domain are reachable, the Bind DN is valid, and the entered values are correct.

The SSL connection seems to be set up correctly; the checks (ldapsearch query) described by the Fedora manual output the correct result. Following:

http://directory.fedoraproject.org/wiki/Howto:WindowsSync

Testing your Configuration

Test to make sure you can talk SSL from Fedora Directory to AD

This is how you test to verify that the Windows side SSL is enabled properly:

ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>" -w <sync manager password> -s <scope> -b "<AD base>" "<filter>"

My ldapsearch query:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-<instance>/cert8.db -h compute.domain.com -p 636 -D "CN=Administrator,CN=Users,DC=domain,DC=com" -w <pwd> -s base -b "dc=domain,dc=com" "objectclass=top"

But strangely enough there is no network traffic at all when the SSL connection is checked!

(when clicking on Next and the message "unable to contact Active Directory server, continue" appears)

I've done the following to monitor it:

First I've disabled SELinux, in case that blocks something (just for testing).

Watch the TCP/IP traffic with:

tcpdump -nn -p port not ssh and ip host <Red Hat IP number>

Here I can see that, when I don't use the SSL connection, there is traffic towards my Windows AD, but when I've checked the SSL option, there is no traffic at all, nothing.

As well, when I look at the iptables:

added an extra line: iptables -I OUTPUT 1 -d <Windows AD IP number> -j ACCEPT

watch -d iptables -L -nv

I see the same result: traffic when I don't use the SSL option and no traffic at all when the SSL option is checked.

How can I get the message "unable to contact Active Directory server, continue" when there is no outgoing request from my Red Hat server?

I've made certificates at both sides (Windows and Red Hat) and exported and imported these certificates to the other server.

Please advise on the following steps I can take, what the problem can be and how it is possible that there is no traffic at all.

Thanks in advance.

Matt

Mathijs A. de Groot
Consultant - Software Engineer
_________________________________________
Logica - Releasing your potential
George Hintzenweg 89
3068 AX Rotterdam
Postbus 8566
3009 AN Rotterdam
Nederland
T: +31 (0) 10 253 7000
D: +31(0) 70 37 56627
E: math.de.groot@logica.com
www.logica.com

Logica Nederland B.V.
Registered office in Amstelveen, The Netherlands
Registration Number Chamber of Commerce: 33136004




This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.





--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
08-07-2008, 01:02 PM
Sebastian Tabarce
Unable to SSL with Windows Sync Agreement

Mathijs,

If I'm not mistaken, in order for the two servers to be able to talk with each other, they need to have certificates signed by Certificate Authorities recognized by the two servers (meaning, the certificates of these root CAs must be installed on the two servers). Even more straightforward is to generate certificate requests for both servers and get them signed by the same root CA.


 
08-07-2008, 02:19 PM
"Groot, Mathijs de (IDT Competence Java)"
Unable to SSL with Windows Sync Agreement

Hi Sebastian,

Thanks for your reply.

We've created the CA and server certificates on Red Hat Directory Server (like described in: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html)

And created a server certificate on the Windows server (http://support.microsoft.com/kb/931351)

The CA and server certificates are exchanged between both servers and are trusted, like the certutil output shows:

On the Red Hat Directory (rhds.grep):

# certutil -L -d .

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                               CTu,u,u
parijs_server_cert                            ,,
rhds_server_cert                              u,u,u
parijs_ca_cert                                CT,,

On the Windows Active Directory (parijs.gem):

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                               CT,C,C
rhds_ds_server_cert                           Pu,Pu,Pu

And the ldapsearch on the command line from the Red Hat server over SSL works with the use of the certificate database; the following command returns entries of the Windows Active Directory:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w - -s base -b "dc=parijs,dc=gem" "objectclass=top"

Note that I'm using a Red Hat Enterprise 64-bit version and a Windows 2003 32-bit.

Do you've got any suggestions why there are no outgoing TCP/IP packets from the Red Hat Directory Server when the new Windows Sync Agreement is configured and the message is shown that the Red Hat server is unable to contact the Active Directory server?

Mathijs.


 
08-08-2008, 09:29 AM
"Groot, Mathijs de (IDT Competence Java)"
Unable to SSL with Windows Sync Agreement

Hi Sebastian,

Thanks for your suggestion.

I'm assuming that when the CA is trusted for server and client certificates (CT), the server certificates signed by that CA are automatically trusted peers as well.

I have made the trust changes to the certificates and imported the third Windows certificate as well; my (clean installed) Windows server has three certificates, the last one added is the domain certificate. The CA and server certificates should be sufficient according to the manual.

Red Hat Directory Server (gemeente.grep)

# certutil -L -d .

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                           CTu,u,u
gemeente_ds_server_cert                       u,u,u
parijs_ca_cert                                CT,,
parijs_domain_cert                            P,P,P
parijs_server_cert                            P,P,P

Windows Active Directory (parijs.gem) unchanged

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                               CT,C,C
rhds_ds_server_cert                           Pu,Pu,Pu

In the meantime, I've run some extra tests to check the connectivity between the Red Hat and Windows server, but all of the following tests output the expected result of the query.

These search queries are executed from the Red Hat Directory Server.

# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> -s base -b "dc=parijs,dc=gem" "objectclass=top"

# /usr/lib64/mozldap/ldapsearch -x -ZZ -b 'dc=gemeente,dc=grep' -D "cn=Directory Manager" -w <pwd> '(objectclass=*)'

# /usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b 'dc=parijs,dc=gem' -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w <pwd> '(objectclass=*)'

But there are still no outgoing TCP/IP packets from the Red Hat Directory Server when the new Windows Sync Agreement is configured and the message is shown that the Red Hat server is unable to contact the Active Directory server.

Problem summary:

I can't get an SSL connection with a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server.

ldapsearch queries over SSL seem to work fine, but strangely enough there is no network traffic at all when the SSL connection is checked!

(when clicking on Next and the message "unable to contact Active Directory server, continue" appears). See emails below for more information.

Does anyone have a suggestion on how to troubleshoot this problem?

Mathijs de Groot


From: Sebastian Tabarce [mailto:blue_moon_ro@yahoo.com]
Sent: Thursday 7 August 2008 20:23
To: Groot, Mathijs de (IDT Competence Java)
Subject: RE: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement

Hi Mathijs,

From what you showed us, it seems that while RHDS is a trusted peer of Active Directory, Active Directory is not a trusted peer of RHDS. This might be a reason for RHDS to not even try to establish a sync with AD. Other than this, I have no other ideas for now. I'm not an experienced RHDS admin, but maybe others will be of more help.

Good luck,

Sebastian


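Sebastian's point in both of his replies (each side must trust the CA that signed the other side's certificate) and his diagnosis that "Active Directory is not a trusted peer of RHDS" come from reading the SSL column of the certutil trust attributes: parijs_server_cert shows ",," in the first RHDS listing and "P,P,P" after the change. The script below is an added example, not code from this thread or from the Directory Server project. It parses the nickname / trust-attribute table that `certutil -L` prints and reports which entries the NSS database will accept as an SSL issuer, which are explicitly trusted peers, and which carry no SSL trust at all. The two listings embedded in it are constructed to mirror the thread's, with the non-breaking-space padding replaced by spaces; the flag letters follow the certutil(1) documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the first RHDS listing from the thread, with the
# non-breaking-space padding replaced by spaces.  parijs_server_cert carries
# ",," here, i.e. no SSL trust at all.
LISTING_BEFORE = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                              CTu,u,u
parijs_server_cert                           ,,
rhds_server_cert                             u,u,u
parijs_ca_cert                               CT,,
"""

# Constructed sample input: the RHDS listing after the trust changes.
LISTING_AFTER = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                          CTu,u,u
gemeente_ds_server_cert                      u,u,u
parijs_ca_cert                               CT,,
parijs_domain_cert                           P,P,P
parijs_server_cert                           P,P,P
"""

# A data row is "<nickname>   <ssl>,<smime>,<jar>".  Flag letters as documented
# in certutil(1): p/P valid/trusted peer, c/C valid/trusted CA, T trusted CA
# for client authentication, u user certificate (private key present), w warn.
ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


@dataclass
class CertTrust:
    nickname: str
    ssl: str    # SSL column
    smime: str  # S/MIME column
    jar: str    # JAR/XPI column

    @property
    def ssl_ca(self) -> bool:
        """Trusted to sign server (C) or client (T) certificates for SSL."""
        return "C" in self.ssl or "T" in self.ssl

    @property
    def ssl_peer(self) -> bool:
        """Explicitly trusted as an SSL peer (leaf) certificate."""
        return "P" in self.ssl

    @property
    def own_cert(self) -> bool:
        """This database holds the private key: the server's own certificate."""
        return "u" in self.ssl


def parse_certutil_listing(text: str) -> list[CertTrust]:
    """Parse the nickname / trust-attribute table printed by `certutil -L`."""
    certs: list[CertTrust] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header lines and blanks carry no "x,y,z" trust triple
            continue
        ssl, smime, jar = m.group("trust").split(",")
        certs.append(CertTrust(m.group("nick").strip(), ssl, smime, jar))
    return certs


def untrusted_for_ssl(text: str) -> list[str]:
    """Nicknames whose SSL column grants nothing: not a CA, not a peer, not ours.

    A remote server certificate listed this way (",,") is merely stored; it is
    only accepted if its issuing CA is present with C/T trust or it gets P.
    """
    return [c.nickname for c in parse_certutil_listing(text)
            if not (c.ssl_ca or c.ssl_peer or c.own_cert)]


def trusted_ssl_cas(text: str) -> list[str]:
    """Nicknames the database accepts as an issuer of SSL server certificates."""
    return [c.nickname for c in parse_certutil_listing(text) if "C" in c.ssl]


if __name__ == "__main__":
    for label, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(f"{label}: SSL CAs = {trusted_ssl_cas(listing)}, "
              f"no SSL trust = {untrusted_for_ssl(listing)}")
```

Run against the "before" listing it reports parijs_server_cert as the only entry with no SSL trust, which is exactly the row Sebastian's diagnosis points at; against the "after" listing it reports none. What the listing alone cannot tell you is whether parijs_server_cert actually chains to parijs_ca_cert; `certutil -V -n parijs_server_cert -u V -d <cert dir>` performs that validation for the SSL-server usage and is the check to run before relying on the trust flags.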
 
