FDS and Active directory Sync

08-13-2008, 09:35 PM

Vipul Ramani wrote:

HI All,

I am tryting to sync FDS and ADC. I have done everything

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_ Sync-Step_1_Configure_SSL

But some how it does not work ....

i am getting error in FDS error log...

5/May/2008:07:45:42 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
[15/May/2008:07:46:30 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
[15/May/2008:07:48:06 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
[15/May/2008:07:51:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
[15/May/2008:07:56:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
[15/May/2008:08:01:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime
error -5938 - Encountered end of file.)
Looks like you're attempting to do client cert based auth? You probably
want to just do simple password auth over SSL.

from passsync.log
---------------
Ldap bind error in Connect
81:Can't connect to LDAP Server
Can not connect to ldap server in syncPasswords

-------------------------

--
Regards

Vipul Ramani

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:17 PM

Can you suggest me good documentation.

I have query
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_ Sync-Step_1_Configure_SSL

-------

Create a new cert8.db and key.db using certutil.exe on the Password Sync machine.

certutil.exe -d . -N
ln -s slapd-serverID-cert8.db cert8.db
ln -s slapd-serverID-key3.db key3.db

this is procedure is creating so much confusion ...

- 1st what do to once* new cert8.db and key.db are created* on windows ADC box
- 2nd ln is not part of windows ???

I changed it ..but now i am getting this error ...

NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani <vipulramani@gmail.com> wrote:

HI All,

I am tryting to sync FDS and ADC. I have done everything

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_ Sync-Step_1_Configure_SSL

But some how it does not work ....

i am getting error in FDS error log...

5/May/2008:07:45:42 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

[15/May/2008:07:46:30 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:48:06 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

[15/May/2008:07:51:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:56:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

[15/May/2008:08:01:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

from passsync.log
---------------

*
Ldap bind error in Connect

81:Can't connect to LDAP Server
* Can not connect to ldap server in syncPasswords

-------------------------
--
Regards

Vipul Ramani

--
Regards

Vipul Ramani

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:28 PM

Vipul Ramani wrote:

Can you suggest me good documentation.

I have query
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_ Sync-Step_1_Configure_SSL

-------

1.

Create a new |cert8.db| and |key.db| using |certutil.exe| on the
*Password Sync* machine.

certutil.exe -d . -N
ln -s slapd-/|serverID|/-cert8.db cert8.db
ln -s slapd-/|serverID|/-key3.db key3.db

this is procedure is creating so much confusion ...

- 1st what do to once new cert8.db and key.db are created on windows
ADC box

- 2nd ln is not part of windows ???

Looks like a doc bug. You don't need to do the ln steps.

*
I changed it ..but now i am getting this error ... *

NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed,
LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
Runtime error -5938 (Encountered end of file.)

Has the active directory been configured to use SSL?

On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani <vipulramani@gmail.com
<mailto:vipulramani@gmail.com>> wrote:

HI All,

I am tryting to sync FDS and ADC. I have done everything

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_ Sync-Step_1_Configure_SSL

But some how it does not work ....

i am getting error in FDS error log...

5/May/2008:07:45:42 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:46:30 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:48:06 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:51:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:56:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)
[15/May/2008:08:01:18 -0400] - SSL alert:
ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
Runtime error -5938 - Encountered end of file.)

from passsync.log
---------------
Ldap bind error in Connect
81:Can't connect to LDAP Server
Can not connect to ldap server in syncPasswords

-------------------------

--
Regards

Vipul Ramani

--
Regards

Vipul Ramani

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:39 PM

Hi Rich,

yes it is enable . then also getting same error .. I am able to connect using LDAP Browser. is there any other way debug in to depth to resolve this problem...

( not firewall no accesslist or nothing is kinda blocking... )

Can you suggest me* is document i have to follow ... i tried fedora , redhat but if , i m following step by step it does not work .....
--
Regards

Vipul Ramani

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:42 PM

Vipul Ramani wrote:

Hi Rich,

yes it is enable . then also getting same error .. I am able to
connect using LDAP Browser. is there any other way debug in to depth
to resolve this problem...

( not firewall no accesslist or nothing is kinda blocking... )

Can you suggest me is document i have to follow ... i tried fedora ,
redhat but if , i m following step by step it does not work .....

See if ldapsearch from the command line works:
/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P
/etc/dirsrv/slapd-yourinstance -D
"cn=administrator,cn=users,dc=yourdomain,dc=co m" -w thepassword -s base
-b "" "objectclass=*"

--
Regards

Vipul Ramani

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:53 PM

Hi Rich,

I did it ..but i am getting the error.*

I run from my directory server ....

[root@linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200 -p 636* -Z -P /etc/dirsrv/slapd-linux1 -D "cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base -b "" "objectclass=*"

ldap_simple_bind: Can't contact LDAP server
******* SSL error -5938 (Encountered end of file.)
[root@linux1 ~]#

On Wed, Aug 13, 2008 at 2:39 PM, Vipul Ramani <vipulramani@gmail.com> wrote:

Hi Rich,

yes it is enable . then also getting same error .. I am able to connect using LDAP Browser. is there any other way debug in to depth to resolve this problem...

( not firewall no accesslist or nothing is kinda blocking... )

Can you suggest me* is document i have to follow ... i tried fedora , redhat but if , i m following step by step it does not work .....
--
Regards

Vipul Ramani

--
Regards

Vipul Ramani

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 10:57 PM

Vipul Ramani wrote:

Hi Rich,

I did it ..but i am getting the error.

I run from my directory server ....

[root@linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200
<http://192.168.1.200> -p 636 -Z -P /etc/dirsrv/slapd-linux1 -D
"cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base
-b "" "objectclass=*"

ldap_simple_bind: Can't contact LDAP server
SSL error -5938 (Encountered end of file.)
[root@linux1 ~]#
For one, it probably won't work to use -h IPaddress - in order to do the
cert validation, it needs the FQDN of the windows host - that FQDN must
be the value of the leftmost cn= in the AD server cert subjectDN.

But this error indicates it's not even getting that far. Either AD is
not listening on 636, or there is some sort of network/firewall problem.

On Wed, Aug 13, 2008 at 2:39 PM, Vipul Ramani <vipulramani@gmail.com
<mailto:vipulramani@gmail.com>> wrote:

Hi Rich,

yes it is enable . then also getting same error .. I am able to
connect using LDAP Browser. is there any other way debug in to
depth to resolve this problem...

( not firewall no accesslist or nothing is kinda blocking... )

Can you suggest me is document i have to follow ... i tried
fedora , redhat but if , i m following step by step it does not
work .....

--
Regards

Vipul Ramani

--
Regards

Vipul Ramani

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 11:22 PM

Cheers , Rich

yes , your right ... i tried with hostname instead of ip address.*

I created new windows sync aggreement. But this time i did not selected SSL connecition.. then replication is happening.. but i noticed..there is userPassword field is missing in all users ( which are replicated from ADC ) .. why it is so ... SSL is mandatory to copy password from ...ADC to FDS ??

Why userPassword ( windows password attribute not repliacated on LDAP ??? ) .

I made some progress..

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-13-2008, 11:30 PM

Vipul Ramani wrote:

Cheers , Rich

yes , your right ... i tried with hostname instead of ip address.

I created new windows sync aggreement. But this time i did not
selected SSL connecition.. then replication is happening.. but i
noticed..there is userPassword field is missing in all users ( which
are replicated from ADC ) .. why it is so ... SSL is mandatory to copy
password from ...ADC to FDS ??

Yes

Why userPassword ( windows password attribute not repliacated on LDAP
??? ) .

AD requires an SSL connection for password changes

I made some progress..

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

08-14-2008, 12:15 AM

Cheers, Rich ,

Great only thing is now i have to find out how to enable SSL on ADC ..and most of thing will be done .... it is sync over 389 port ..but only password attribute is not replicated ..due to SSL is not enable on ADC ...

anyways thanks for your gr8 ...help

I feel i will create documentation stepwise and share with community ....

On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani <vipulramani@gmail.com> wrote:

Cheers , Rich

yes , your right ... i tried with hostname instead of ip address.*

I created new windows sync aggreement. But this time i did not selected SSL connecition.. then replication is happening.. but i noticed..there is userPassword field is missing in all users ( which are replicated from ADC ) .. why it is so ... SSL is mandatory to copy password from ...ADC to FDS ??

Why userPassword ( windows password attribute not repliacated on LDAP ??? ) .

I made some progress..

--
Regards

Vipul Ramani

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users