On 06/21/2011 11:52 AM, solarflow99 wrote:
> On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmegg...@redhat.com <mailto:rmegg...@redhat.com>> wrote:
>
>> On 06/21/2011 11:23 AM, solarflow99 wrote:
>>> I'm using self signed certs, did I miss something?
>>
>> Probably.  There are many steps involved in getting winsync to use
>> TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk
>> to DS.  Which
>>
>>> From the Docs listed online:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>
>> The 8.2 docs are better
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>>
>>> and I went over everything else I could possibly find too.  It seems
>>> in the case of self signed certificates,
>>
>> Are you talking about self signed certs for 389 or for AD?
>
> I guess that would be both. This is all internal so no servers need real third party signed certificates, just trying to get it to work.

Ok, I'm confused. The RHDS 8.2 Admin Guide talks about setting up AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode, creating a cert request, and using MS CA to issue the AD server cert. It doesn't say anything about creating self signed certs for AD.

>>> the windows CA has to be exported as a .cer file, and imported in
>>> 389 with:  certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
>>
>> Yes, that is correct.  So what's the problem?
>
> It wasn't mentioned anywhere, so once I guessed what had to be done, now I'm getting a different error:
>
> # /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword -b "cn=users,dc=389testdomain,dc=local" "objectclass=*"
> ldapsearch: started Tue Jun 21 08:41:15 2011
>
> ldap_init( 10.10.10.210, 636 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

-D "cn=administrator"

You have to use the full DN - something like -D "cn=administrator,cn=users,dc=389testdomain,dc=local"
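An added diagnostic helper (POSIX sh, not from the thread or the 389 project) that pulls the AD sub-code out of the "additional info" line ldapsearch printed above and maps it to its documented meaning, alongside a simple check that the bind DN is a full DN and not a bare RDN; SAMPLE_ERR is a constructed copy of the error line from the thread, and bind_dn_is_full is a hypothetical heuristic, not an AD rule.

```shell
#!/bin/sh
# Added example: decode the AD "data NNN" sub-code on a failed simple bind
# and sanity-check the bind DN before retrying.
# Constructed sample: a copy of the error line quoted in the thread.
SAMPLE_ERR='ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

# Map the AD sub-code (the "data" field) to its documented meaning.
ad_bind_error_reason() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | tr 'A-Z' 'a-z')
    case "$code" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials (bad password or incomplete bind DN)" ;;
        530) echo "logon not permitted at this time" ;;
        531) echo "logon not permitted at this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        "")  echo "no AD sub-code in line" ;;
        *)   echo "unknown AD sub-code $code" ;;
    esac
}

# Hypothetical heuristic: an AD simple bind needs the full DN, so require
# at least one "dc=" component after the leading RDN. Returns 0 if so.
bind_dn_is_full() {
    case "$1" in
        *,*[dD][cC]=*) return 0 ;;
        *) return 1 ;;
    esac
}

ad_bind_error_reason "$SAMPLE_ERR"
bind_dn_is_full 'cn=administrator' || echo "bind DN 'cn=administrator' is only an RDN; use the full DN"
```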


--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
