01-09-2008, 01:35 PM
kiran madala
Windows Active Directory sync Help!

Hello,

I am trying to sync the DS with AD. Since I am new to AD and DS, I have a few questions.

I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?

In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain Admin of the AD?

When trying to synchronize with AD, should the bind DN user (in the screenshot) be in both AD and DS?

I have attached the screenshot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make so it synchronizes groups as well?

Thanks in advance
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
01-09-2008, 04:43 PM
kiran madala
Re: Windows Active Directory sync Help!

As far as I understand from reading the docs again, the user specified in the sync agreement and the Bind DN should be the same and should exist on Active Directory with Domain Admin privileges. But I have other issues now.

The DS server is unable to connect to my AD. I enabled SSL by copying the same root certificate into AD and also generating a server certificate, and opened up ports in the firewall. Am I missing something like allowing client authentication on the AD machine?

My current certificates are as follows.

DS has its own server certificate
AD has its own server certificate
All 3 servers (AS, DS and AD) have the same CA root certificate



 
01-09-2008, 04:52 PM
Rich Megginson
Re: Windows Active Directory sync Help!

kiran madala wrote:
> As far as I understand from reading the docs again, the user specified in the sync agreement and the Bind DN should be the same and should exist on Active Directory with Domain Admin privileges. But I have other issues now.
>
> The DS server is unable to connect to my AD.

What error messages are you getting? Check the error log.

You can also try using ldapsearch. Are you using Fedora DS 1.1 or
1.0.4? What OS?

> I enabled SSL by copying the same root certificate into AD and also generating a server certificate, and opened up ports in the firewall. Am I missing something like allowing client authentication on the AD machine?

You don't need to use cert based client auth. You can use regular
username/password auth over TLS/SSL.

> My current certificates are as follows.
>
> DS has its own server certificate
> AD has its own server certificate
> All 3 servers (AS, DS and AD) have the same CA root certificate



 
01-09-2008, 05:03 PM
kiran madala
Re: Windows Active Directory sync Help!

I am using Fedora 1.1 on a Fedora 6 x86 machine. When I fill in the entries and click next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field, can I specify the IP address of the machine?

The error log for the DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.

[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Jan 09 09:15:28 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:29 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:43 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:44 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241

 
01-09-2008, 05:09 PM
Rich Megginson
Re: Windows Active Directory sync Help!

kiran madala wrote:
> I am using Fedora 1.1 on a Fedora 6 x86 machine. When I fill in the entries and click next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field, can I specify the IP address of the machine?
>
> The error log for the DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>
> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
> <snip>

Actually, this is the error log for the admin server. The error log for
the directory server is in /var/log/dirsrv/slapd-INSTANCE where INSTANCE
is your instance name.

The console might be failing to connect to AD because the console has a
separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
to add the CA cert in this directory too:

certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc


 
01-09-2008, 05:12 PM
Rich Megginson
Re: Windows Active Directory sync Help!

kiran madala wrote:
> Hello,
>
> I am trying to sync the DS with AD. Since I am new to AD and DS, I have a few questions.
>
> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?

No. TLS/SSL is only required for password sync.

> In the replica settings, does the supplier DN user need to be on both AD and DS

No, only on AD

> and should it be a Domain Admin of the AD?

Domain admin is the easiest way to go - harder but safer would be to
create a special user that has read/write access to the subtree only.

> When trying to synchronize with AD, should the bind DN user (in the screenshot) be in both AD and DS?
>
> I have attached the screenshot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make so it synchronizes groups as well?

You should definitely not use o=NetscapeRoot. When you ran setup, it
should have created a suffix for use with users and groups e.g.
dc=netscaper,dc=com
 
01-09-2008, 05:36 PM
kiran madala
Re: Windows Active Directory sync Help!

Sorry, here is the error log for the DS server:

[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)

It cannot connect to AD. I imported the CA certificate into the installation folder of the console on the Windows XP machine.


 
01-09-2008, 05:43 PM
Rich Megginson
Re: Windows Active Directory sync Help!

kiran madala wrote:
> Sorry, here is the error log for the DS server:
>
> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>
> It cannot connect to AD. I imported the CA certificate into the installation folder of the console on the Windows XP machine.

Did you configure the agreement to use SSL? Error 91 means some sort of
connection problem, or invalid argument to the LDAP API e.g. you are
attempting to use LDAP on the secure port instead of LDAPS.

You can verify that TLS/SSL is working by using ldapsearch from the
command line. On the directory server machine:

/usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"

Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.


 
01-09-2008, 08:03 PM
kiran madala
Re: Windows Active Directory sync Help!

I keep getting these errors when trying to initiate the sync:

[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

ldapsearch is not installed on my machine, so I could not do a search.
----------------------------------------
> Date: Wed, 9 Jan 2008 11:43:49 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> Sorry here is the error log for DS server
>>
>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>
>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>
> Did you configure the agreement to use SSL? Error 91 means some sort of
> connection problem, or invalid argument to the LDAP API e.g. you are
> attempting to use LDAP on the secure port instead of LDAPS.
>
> You can verify that TLS/SSL is working by using ldapsearch from the
> command line. On the directory server machine:
> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>
> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>
>> ----------------------------------------
>>
>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>> From: rmeggins@redhat.com
>>> To: fedora-directory-users@redhat.com
>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>
>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When i fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?.
>>>>
>>>> The error log for DS server is below. The IP is the windows xp machine on whcih I am runnign the remote DS console.
>>>>
>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>> <snip<
>>>>
>>>>
>>> Actually, this is the error log for the admin server. The error log for
>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>> is your instance name.
>>>
>>> The console might be failing to connect to AD because the console has a
>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>> to add the CA cert in this directory too:
>>>
>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>
>>>
>>>> ----------------------------------------
>>>>
>>>>
>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>> From: rmeggins@redhat.com
>>>>> To: fedora-directory-users@redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>
>>>>>
>>>>>> As far I understand by reading docs again that the user specified in the Syn agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>>>>>>
>>>>>> The DS server is unable to connect to my AD.
>>>>>>
>>>>>>
>>>>> What error messages are you getting? Check the error log.
>>>>>
>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>> 1.0.4? What OS?
>>>>>
>>>>>
>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>
>>>>>>
>>>>>>
>>>>> You don't need to use cert based client auth. You can use regular
>>>>> username/password auth over TLS/SSL.
>>>>>
>>>>>
>>>>>> My currents certificates are as follows.
>>>>>>
>>>>>> DS has its own server certificate
>>>>>> AD has its own server certificate
>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>> From: kirankmadala@hotmail.com
>>>>>>> To: fedora-directory-users@redhat.com
>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have a few questions.
>>>>>>>
>>>>>>> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?
>>>>>>>
>>>>>>> In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain admin of the AD?
>>>>>>>
>>>>>>> When trying to synchronize with AD, should the bind DN user (in the screen shot) be in both AD and DS?
>>>>>>>
>>>>>>>
>>>>>>> I have attached the screen shot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make for it to synchronize groups as well?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>

 
Old 01-09-2008, 08:23 PM
kiran madala
 
Default Windows Active Directory sync Help!

Also, the console gives me this error when I click on manage certificates on the DS server, and it never opens up. It works fine on the AS server.

Exception during event dispatch:
java.lang.NullPointerException
at com.netscape.management.client.security.CertificateDialog.<init>(Unknown Source)
at com.netscape.management.client.security.CertificateDialog.<init>(Unknown Source)
at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
at java.awt.Component.processMouseEvent(libgcj.so.7rh)
at java.awt.Component.processEvent(libgcj.so.7rh)
at java.awt.Container.processEvent(libgcj.so.7rh)
at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
at java.awt.Component.dispatchEvent(libgcj.so.7rh)
at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
at java.awt.Component.dispatchEvent(libgcj.so.7rh)
at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
at java.awt.EventDispatchThread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
at java.lang.Thread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
at java.lang.Thread.run(libgcj.so.7rh)



----------------------------------------
> From: kirankmadala@hotmail.com
> To: fedora-directory-users@redhat.com
> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
> Date: Wed, 9 Jan 2008 17:03:18 -0400
>
>
> I keep getting these errors when trying to initiate sync
>
> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>
> The LDAP search is not installed on my machine, so I could not do a search.
> ----------------------------------------
>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>> From: rmeggins@redhat.com
>> To: fedora-directory-users@redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>> Sorry here is the error log for DS server
>>>
>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>
>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>
>> Did you configure the agreement to use SSL? Error 91 means some sort of
>> connection problem, or invalid argument to the LDAP API e.g. you are
>> attempting to use LDAP on the secure port instead of LDAPS.
>>
>> You can verify that TLS/SSL is working by using ldapsearch from the
>> command line. On the directory server machine:
>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
>> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>
>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>
>>> ----------------------------------------
>>>
>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>> From: rmeggins@redhat.com
>>>> To: fedora-directory-users@redhat.com
>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>
>>>> kiran madala wrote:
>>>>
>>>>> I am using Fedora 1.1 on a Fedora 6 x86 machine. When I fill in the entries and click Next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field can I specify the IP address of the machine?
>>>>>
>>>>> The error log for the DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>>>>>
>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>> <snip>
>>>>>
>>>>>
>>>> Actually, this is the error log for the admin server. The error log for
>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>>> is your instance name.
>>>>
>>>> The console might be failing to connect to AD because the console has a
>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>>> to add the CA cert in this directory too:
>>>>
>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>
>>>>
>>>>> ----------------------------------------
>>>>>
>>>>>
>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>> From: rmeggins@redhat.com
>>>>>> To: fedora-directory-users@redhat.com
>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>
>>>>>> kiran madala wrote:
>>>>>>
>>>>>>
>>>>>>> As far as I understand by reading the docs again, the user specified in the Sync agreement and the Bind DN should be the same and exist on Active Directory with Domain Admin privileges. But I have other issues now.
>>>>>>>
>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>
>>>>>>>
>>>>>> What error messages are you getting? Check the error log.
>>>>>>
>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>>> 1.0.4? What OS?
>>>>>>
>>>>>>
>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> You don't need to use cert based client auth. You can use regular
>>>>>> username/password auth over TLS/SSL.
>>>>>>
>>>>>>
>>>>>>> My current certificates are as follows.
>>>>>>>
>>>>>>> DS has its own server certificate
>>>>>>> AD has its own server certificate
>>>>>>> All 3 servers, AS, DS and AD, have the same CA root certificate
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> From: kirankmadala@hotmail.com
>>>>>>>> To: fedora-directory-users@redhat.com
>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have a few questions.
>>>>>>>>
>>>>>>>> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?
>>>>>>>>
>>>>>>>> In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain admin of the AD?
>>>>>>>>
>>>>>>>> When trying to synchronize with AD, should the bind DN user (in the screen shot) be in both AD and DS?
>>>>>>>>
>>>>>>>>
>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make for it to synchronize groups as well?
>>>>>>>>
>>>>>>>> Thanks in advance
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>>
>

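As an added example (not from the thread or the Fedora DS project), a small Python triage of the Directory Server error-log lines quoted above: it parses the `[timestamp] plugin - agmt="name" (host:port): message` shape, pulls out the LDAP and NSPR error codes, and maps each line to the diagnosis the replies reach (LDAP error 91 as a connection problem, the ldapssl_enable_clientauth failure as an agreement configured for certificate client auth where a simple bind over TLS is enough). The sample log text is constructed from the lines on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the Fedora DS error-log lines quoted in this thread.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""
# Shape of a line: [timestamp] [plugin] - [agmt="name" (host:port): ]message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?:(?P<plugin>[A-Za-z]\S*) )?- '
    r'(?:agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): )?'
    r'(?P<msg>.*)$')
LDAP_ERR_RE = re.compile(r'LDAP (?:sdk )?error (-?\d+)')
NSPR_ERR_RE = re.compile(r'Netscape Portable Runtime error (-?\d+)')

@dataclass
class Entry:
    ts: str
    agmt: Optional[str]        # sync agreement name, if the line names one
    host: Optional[str]
    port: Optional[int]
    msg: str
    ldap_error: Optional[int]  # LDAP SDK result code embedded in the message
    nspr_error: Optional[int]  # NSPR (NSS runtime) error code embedded in the message

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an error-log line (blank, snipped, or foreign format)
    msg = m.group('msg')
    ldap, nspr = LDAP_ERR_RE.search(msg), NSPR_ERR_RE.search(msg)
    return Entry(m.group('ts'), m.group('agmt'), m.group('host'),
                 int(m.group('port')) if m.group('port') else None, msg,
                 int(ldap.group(1)) if ldap else None, int(nspr.group(1)) if nspr else None)

def triage(e: Entry) -> str:
    """Classify an entry the way the replies in this thread do."""
    if 'ldapssl_enable_clientauth' in e.msg:
        return 'client-cert-auth-setup-failed'  # agreement set up for cert auth; simple bind over TLS is enough
    if 'SSL client authentication failed' in e.msg:
        return 'client-cert-bind-failed'        # consequence of the failed client-auth setup
    if e.ldap_error == 91:
        return 'cannot-connect'                 # LDAP 91: connection problem, or LDAP spoken on the LDAPS port
    return 'unclassified'

def triage_log(text: str) -> list:
    return [(e.agmt, e.host, e.port, triage(e)) for e in map(parse_line, text.splitlines()) if e]
```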
 




