On 03/27/2013 09:53 AM, alexandre wrote:
Yes I understand that.

To resume, I have a server-cert and a CA cert in my 389DS. I have a CA cert in my active directory.

So I need server cert in my AD !?

No.  AD only needs the CA cert of the CA that issued the 389DS server cert.


I don't really understand "But you must generate cert for DS on AD CA", if I did a request by web-enrollment from my 389DS, and install it on my 389DS, it's good like that ?

Yes. But PassSync doesn't use the Windows/AD Trusted Cert store, so you still have to export that CA cert and install it using certutil, as described in the documentation for setting up PassSync.


Thanks a lot !
Alex


2013/3/27 Grzegorz Dwornicki <gd1...@gmail.com <mailto:gd1...@gmail.com>>

    Yes and that button allows you to install server cert (again
    generated in your case on AD CA) . CA tab allows you to install CA
    cert.

    Greg.

    27 Mar 2013 16:33, "alexandre" <axel0fe...@gmail.com
    <mailto:axel0fe...@gmail.com>> wrote:

        Sorry my capture is not on the mail, it's the point
        12.2.1.     4.c.Go to the *CA Certs* tab, and click *Install*
        at the bottom of the window.
        On this link:
        
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

        Thanks


        2013/3/27 alexandre <axel0fe...@gmail.com
        <mailto:axel0fe...@gmail.com>>

            Thanks for the new Link !

            @Rich Megginson    "It's not the 389DS server certificate,
            but the CA certificate for the CA that issued the 389DS
            server certificate, that you need for PassSync"

            @Grzegorz Dwornicki  "But you must generate cert for DS on
            AD CA. Then you need to import this cert with AD CA cert
            on DS"

            Sorry I don't understand "CA certificate for the CA that
            issued the 389DS server certificate", I have to export
            this one below to the AD? (it's empty on this capture, but
            with CA certificate on my directory server):



            @Grzegorz Dwornicki --> do you have a procedure to do that
            ? I don't find in redhat documentation. (when you said AD
            CA, do you consider that AD CA = Authority installed on my
            AD ?)

            Many thanks, for your answers. And your patience about my
            translation problems.

            Best regards,
            Alex




            2013/3/27 Grzegorz Dwornicki <gd1...@gmail.com
            <mailto:gd1...@gmail.com>>

                I had misunderstood you in this case. No you don't
                need to create second CA. But you must generate cert
                for DS on AD CA. Then you need to import this cert
                with AD CA cert on DS

                Greg.

                27 Mar 2013 15:41, "alexandre" <axel0fe...@gmail.com
                <mailto:axel0fe...@gmail.com>> wrote:

                    I'm really impressed by the reactivity of this
                    list !!!

                    Sorry my understanding is not perfect because I'm
                    French, so I don't have any CA in my DS, I have
                    one CA (installed on my domain controller).

                    Do I need to install a CA in my DS ? (when I write
                    CA for me it means an Authority).


                    Alex


                    2013/3/27 Grzegorz Dwornicki <gd1...@gmail.com
                    <mailto:gd1...@gmail.com>>

                        If you have different CA in AD vs DS then you
                        need to do this import.

                        AD by default doesn't use LDAPS or STARTSSL so
                        you need to install ms cert CA stuff.

                        Greg.

                        27 Mar 2013 15:07, "alexandre"
                        <axel0fe...@gmail.com
                        <mailto:axel0fe...@gmail.com>> wrote:

                            Hello,

                            I try to follow this procedure :

                            
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

                            Everything works fine, except I don't
                            understand right this line:

                            "Import the CA certificate from Directory
                            Server into Active Directory. Click
                            *Trusted Root CA*, then *Import*, and
                            browse for the Directory Server CA
                            certificate."

                            For me CA certificate, it's a certificate
                            from the Authority, so in my Active
                            Directory the certificate from the
                            authority is already known in the Trusted
                            Root CA.

                            So, do I need to import 389DS server
                            certificate in my active directory ?

                            And finally, there is no indication to do
                            that, someone can help me to pass through ?

                            Thanks in advance.

                            Best regards,
                            Alex

                            --
                            389 users mailing list
                            389-us...@lists.fedoraproject.org
                            <mailto:389-us...@lists.fedoraproject.org>
                            
https://admin.fedoraproject.org/mailman/listinfo/389-users



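Added example, not part of the thread or of the 389DS documentation: the point made in the reply above is that the verifying side needs only the certificate of the CA that issued the 389DS server certificate, not the server certificate itself. The script shows this with throwaway certificates; the CA subjects, the host name `ds.example.test` and all file names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: a throwaway "AD CA" issues a throwaway "389DS" server
# certificate; a verifier then checks it using only a CA certificate.
set -eu

make_ca() {  # $1 = output prefix, $2 = subject CN (self-signed CA cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

issue_server_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = server CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" >/dev/null 2>&1
}

# Prints "trusted" if server cert $2 chains to CA cert $1, else "untrusted".
chain_status() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/adca" "Constructed AD CA"
  make_ca "$d/other" "Constructed Unrelated CA"
  issue_server_cert "$d/adca" "$d/ds" "ds.example.test"
  # The issuer field names the CA whose certificate the peer must trust.
  openssl x509 -in "$d/ds.crt" -noout -issuer
  echo "verified with issuing CA cert:   $(chain_status "$d/adca.crt" "$d/ds.crt")"
  echo "verified with unrelated CA cert: $(chain_status "$d/other.crt" "$d/ds.crt")"
  rm -rf "$d"
}

demo
```

On real certificates, the same `openssl x509 -noout -issuer` and `openssl verify -CAfile` checks confirm that the exported CA certificate is the right one before it is installed for PassSync.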