Subscribe |
Follow meThis article describes how to configure the 389 Directory Server to synchronize entries with an Active Directory Server.
Launching the 389 Management Console
2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.Creating the Sync User Account
The sync user account will be used by the replication plugin to update the 389 Directory Server. For security reason, it should not be part of the synchronized sub tree.
1. Click the Directory tab and click the config folder. Next, right click config, select New and click User.
2. Fill in the First Name, Last Name, Common Name, User ID, Password and Confirm Password fields. Click OK when you are done.
3. Note down the distinguished name of the newly created user located in the bottom part of the window.Configuring Replication
The configuration below is for one way synchronization only, from Active Directory to 389 Directory Server. If you need two way synchronization, select Single Master or Multiple Master as the Replica Role and specify a numeric value for Replica ID (ex. 1) instead of using the default which is Dedicated Consumer.
1. Click the Configuration tab and click the Replication folder. In the Supplier Settings page, check Enable Changelog and click the Use default button. Click Save when you are done.
2. Click the + sign corresponding to Replication and click userRoot. Check Enable Replica.
3. Type in the distinguished name of sync user account (uid=SMaster,cn=config in the example above) into the Enter a new Supplier DN field and press Add. Click Save when you are done.Creating a Windows Sync Agreement
To synchronize with Active Directory, you need an Active Directory user account. In the sample below, the fds user account (cn=fds,dc=acme,dc=local) has been created in Active Directory specifically for that purpose. Learn how to create a new user account in Windows Server.
1. Right click userRoot and click New Windows Sync Agreement.
2. In the Agreement Name window, fill in the Name and Description fields and click Next.
3. Fill in the Windows Sync Server Info form and click Next when you are done. See the sample values below.
Connection
If you prefer to enable encrypted SSL connection, you need to install an SSL certificate in 389 Directory Server.If you want the password changes on 389 Directory Server to replicate into the Active Directory Server you need the following
- A working Single Master/Multiple Master replication
- Encrypted SSL connection should be enabled
- The bind account (fds in the example above) must have permission to reset user password. The easiest way to accomplish this is to make the bind account a member of Domain Admins.
If you want the password changes on Active Directory Server to replicate into the 389 Directory Server, see Synch Active Directory Password to FDS.
4. Review the settings in the Summary window and click Done.Starting the Synch Process
1. Right click the newly created agreement and click Initiate Full Re-synchronization.
2. Click the Status tab and click the Replication Status to check if the replication has completed.
3. Click the Error Logs under the Logs folder to check for any synch errors.Check out Active Directory and 389 Directory Server Synchronization Issues for some of the problems you might encounter while implementing this.Visit the forum to ask for help or to give a comment.
***
Posted on 1/1/2009 and last updated on 11/6/2009
Filed under 389 Directory Server , Active Directory
January 10th, 2009 at 2:55 pm
hi consultant
i want just ask you if you have test the synchronization between acive directory and fedora directory and it’s necessary to have LDAPS (SSL) in both directorys?
tanks in advance.
January 13th, 2009 at 12:28 pm
hi again
the password is not sync with Active directory how can I do this
thanks,
January 14th, 2009 at 8:27 am
Hi consultant
Above resource if very helpfull for me Thank you .
But at the end part about ‘Windows Synch Notes’ ,I can`t understand . Can you describe them as above with some pics?
February 5th, 2009 at 12:50 pm
Hi Consultant,
I made sync between AD and FDS successfully with Password.I had tested it with 32 bit windows 2003 OS(AD) and FDS 1.1.2 environment in our Lab .But in one of my customer place they have 64 bit Windows 2003 AD, when i tried the AD->FDS sync UserName only sync not a password. Password sync logs shows (Failed to load entries from file. Password list is empty. Waiting for passhook event).I think passhook.dll is not functioning properly in windows 2003 64 bit.How to overcome this problem.Very urgent please help me.
February 6th, 2009 at 12:09 pm
Hi Saravanan.T,
Sorry but 64 bit PassSync is not available since 64 bit Windows is currently not supported by the Fedora team. See Active Directory in Linux, you probably can bypass Fedora Directory Server and use Active Directory directly instead.
February 7th, 2009 at 10:46 am
Hi Consultant,
Thanks for your quick reply.My customer wants to sync Windows AD users to FDS only because of to reduce Windows AD Users CAL license,Single Sign ON concept(LDAP based application which is pointed to linux FDS where all AD users and FDS users are authenticated).So is there any other option to achieve my previous query and this query or future you will release any option for 64 bit.Please provide me correct solutin for this one.Tones of thanks in advance.
February 9th, 2009 at 2:07 am
Hi Saravanan.T,
The Fedora team do not have any plans to support 64 bit windows, below is a comment from one of its developer.
http://article.gmane.org/gmane.linux.redhat.fedora.directory.user/7902
I do not know any other solution for this.
February 20th, 2009 at 4:16 pm
Hi xwrabit,
Done, I’ve converted the Windows Sync Notes to a separate article.
February 23rd, 2009 at 8:31 am
hi, thankyou so much for your document, it appears to be saving me a lot of time.
1 thing though- for some reason when I go into Configuration-> Replication- it doesnt show anything there. I have followed your document and dont know why this isnt there. Im running CentOS 5.2, just updated to last java.
thanks
February 26th, 2009 at 12:59 am
Hi, does anyone know why I can not see any information in the replication configuration area? I think it might be to do with java, but I did what the document advises me to do with upgrading the java to the latest. I also tried installing centos DS and have the same problem..
if anyone can help, it would be greatly appreciated.
ta
April 13th, 2009 at 8:53 pm
I’ve gone thru and done all the steps but I get a the following error when I try to sync to AD.
“LDAP error: invalid credentials. Error Code: 49″
Also I get a error when configuring the sync agreement saying it cant connect to the Active Directory server. However I can ping the server by shortname and fqdn from any system on the network. Also I notice you create a user called SMaster but use fds as the bind/sync account. Can I get more info on this matter?
April 15th, 2009 at 12:49 pm
I have the same problem as Patrick. “LDAP error: invalid credentials. Error Code: 49″. But I have checked everything 10 times and I have written every password in clear text and copy pasted it into the password field. Can you please give me some hints?
April 15th, 2009 at 10:52 pm
Hi Patrick and Arne,
The replication plugin connects to two servers, Fedora Directory Server and Active Directory Server, that’s why it uses two accounts. Make sure both of them exists.
Replication Plugin to Fedora Directory Server
uid=SMaster,cn=config (exists in FDS)
Replication Plugin to Active Directory Server
cn=fds,dc=acme,dc=local (exists in ADS)
April 16th, 2009 at 5:23 pm
Hi consultant,
I have this two accounts. Both are working fine.
When I run directly from the FDS
[root@ldap1 slapd-ldap1]# ldapsearch -H ldaps://dc1.rack -x -D “cn=syncadm” -s base -b “” objectclass=*
it gives back success:
…
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ldap1 slapd-ldap1]#
I even don’t need to put in a password as I do have configured the .ldaprc file with the certificate:
[root@ldap1 slapd-ldap1]# cat ~/.ldaprc
# TLS_CACERT /root/CertificateAuthorityRACK-cacert.pem
TLS_REQCERT allow
[root@ldap1 slapd-ldap1]#
The error log file on the FDS gives me the same bloody message hundered times:
[16/Apr/2009:19:15:38 +0200] slapi_ldap_bind – Error: could not read bind results for id [cn=syncadm,dc=w2k3,dc=rack] mech [SIMPLE]: error 49 (Invalid credentials)
So coming back to the manual ldapsearch try it is not working when I run the same command but put in with -w password the password of the AD user:
[root@ldap1 slapd-ldap1]# ldapsearch -H ldaps://dc1.rack -x -D “cn=syncadm” -w password -s base -b “” objectclass=*
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
[root@ldap1 slapd-ldap1]#
I guess we are on the last steps solving this if we can find an answer for the question: Why the login to the AD is possible only without giving the password, but the .pem file.
Furthermore I guess that a workaround would be to let the passowrd field empty while creating the Windows Sync Agreement. Unfortunately this isn’t possible at all as the next button is disabled in that case.
Any Ideas?
April 16th, 2009 at 8:52 pm
I’ve gotten it to work now but i really don’t know what I did to fix it. At least its synced now! Anyways once again thank you! I’ll report updates on this asap.
April 17th, 2009 at 2:34 pm
Hi arne,
It means what it says, the credential is invalid. Not specifying a password to syncadm works because syncadm has a blank password.
April 20th, 2009 at 2:18 pm
Hi consultant,
syncadm does not have a blank password. I have given a password to him at creation time. Moreover I have checked this particular password when I logged in with this credentials to the Windows desktop.
It seems as if it is working with the certificate but not with the password.
Another strange effect is: when I check the checkbox “Check hostname against name in certificate for outbound connections” the error changes into “81 – LDAP error: Can’t contact LDAP server”. It is weired as they are in the same subnet and no firewall etc. is in between…
June 10th, 2009 at 3:57 pm
I get this message and i take on board that it means what it says. Also I am clear that the their are two systems requiring credentials. Which one is the error refering to Active directory or FDS?
June 10th, 2009 at 5:14 pm
Hi mintra,
What error message are you getting and where are you getting it?
July 13th, 2009 at 5:22 pm
Hi
I’ve got same error as Patric and arne: “LDAP error: invalid credentials. Error Code: 49?.
Did You find any solution to this? I’ve tripple rechecked all accounts credentials, and those are fine.
July 15th, 2009 at 2:25 am
I would like to build a system where the FDS authentication is delegated to Active Directory. I do not want the password to be stored in FDS or Synced using PassSync.msi.
I am asking the community if anyone has come this way? I am trying to put together the pieces of this puzzle with PAM, Pass-through Authentication, Winbind, Windows ADAM and ADFS, Samba etc.