Murasakiiru (Member), 5:49 am June 2, 2010
Hi,
I'm trying to install two servers (389 and AD directory); for now, I have a question.
Can you explain these error lines in my PassSync.log to me:
06/02/10 11:33:18: Ldap bind error in Connect
32: No such object
06/02/10 11:33:18: Can not connect to ldap server in SyncPasswords
My PassSync configuration:
Host Name: fedora389.synchro389.lan (my FQDN 389 server)
Port Number: 636
User Name: uid=SMaster,cn=config (user is created in my 389 server)
Password: SMaster password
Cert Token: (empty because I don't know the password that the "setupssl2.sh" script takes)
Search Base: (empty too)
I hope my English is not too bad (French guy).
Thanks in advance for helping me.
Mura.

consultant (Admin), 6:30 am June 3, 2010
There should be a pwdfile.txt in /etc/dirsrv/slapd-xxx created by setupssl2.sh.

Murasakiiru (Member), 8:17 am June 3, 2010
Yep, there is a pwdfile:
b48dacd668f40405e652b4b2281e9a1102dd62b7
Should I put this in the Cert Token input?

consultant (Admin), 10:39 pm June 3, 2010

Murasakiiru (Member), 5:10 am June 4, 2010
Post edited 1:11 pm – June 4, 2010 by Murasakiiru
Well, I did as you said. Now, for testing, I run this command on my 389 server:
/usr/lib/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-fedora389/cert8.db -h AD_server_IP -p 636 -D "cn=administrateur,cn=users,dc=synchro389,dc=lan" -w password -s base -b "cn=users,dc=synchro389,dc=lan" "objectclass=*"
Supposing the syntax is correct, it returns this:
ldap_simple_bind: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)
I also captured frames with Wireshark, and a TLS frame says:
Alert (Level: Fatal, Description: Unknown CA)
Hope I gave you pertinent information, and thanks for the help.

consultant (Admin), 7:29 am June 4, 2010
That really won't work. PassSync works by:
1. Capturing password changes on the Windows server
2. Connecting to 389 Directory Server and updating the password
If you want to do the opposite, 389 Directory password changes to Active Directory, see 389 Directory and Active Directory SSL Synchronization.

Murasakiiru (Member), 9:27 am June 4, 2010
For my project, I need to do the synchronization both ways. So if a password is changed in the 389DS, no software needs to be added, and if a password is changed in AD we need PassSync? Is that right?
Maybe I should restart from the beginning. Could you link me to your how-tos for the steps to:
Enable SSL (389 and AD server)
Create the synchronization
Test
I've read all your how-tos for 389/AD, but I don't really know which way to go.
Thanks

consultant (Admin), 10:57 am June 4, 2010
For my project, I need to do the synchronization both ways. So if a
password is changed in the 389DS, no software needs to be added, and if a
password is changed in AD we need PassSync? Is that right?
That's right. See the 389 Directory Server Howto, and in the Synchronizing with Active Directory section just follow links 1, 2, and 3.

Murasakiiru (Member), 11:23 am June 15, 2010
Hi,
Sorry for my absence last week (I was on my training week).
So this week I tried to follow your how-to. I did some synchronizations without problems.
I created a certificate with my AD server (Windows 2008), so I followed approximately the method for enabling SSL on AD, exporting the certificate, and this.
And now I get this error message when I click the "Done" button on the summary page of my Windows Sync Agreement:
LDAP server is unwilling to perform
SSL frames captured with Wireshark.
Mura.

consultant (Admin), 9:25 pm June 15, 2010
In the 389 Directory and Active Directory SSL Synchronization article, there is a test step. Were you able to pass it?

Murasakiiru (Member), 3:39 am June 16, 2010
The SSL test command doesn't work. It returns:
ldap_simple_bind: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)

Murasakiiru (Member), 8:49 am June 16, 2010
Before I created a new Windows sync agreement to try SSL, I had a "Windows sync agreement" without SSL that worked. And now it doesn't want to do a "full resynchronization":
12 Total update aborted: Replication agreement for agmt="cn=sync_ssl_off" (ad:389) can not be updated while the replica is disabled.
But my "Replica Settings" seem good:
Enable Replica is on.
Replica Role: Multiple Master.
Current Supplier DNs: uid=SMaster,cn=config

Murasakiiru (Member), 11:18 am June 16, 2010
After testing, it seems I just need to uncheck/check the "Enable Replica" button to get my synchronization without SSL working again.

Murasakiiru (Member), 5:57 am June 29, 2010
Hi,
I'm happy today, the SSL test just passed. But I don't know if it really works, because I can still see "Unknown CA" in the captured frames.
Can you give me a procedure to test the password changes?
Thanks
Mura

Murasakiiru (Member), 5:09 am July 16, 2010
I just found how to resolve my "Unknown CA" issue. I think I didn't know very well how certificates work, and it was difficult to self-sign them.
The Red Hat documentation is very interesting; link to the part that helped me resolve my problem.
And I used TinyCA to sign my certificates.
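The "Unknown CA" alert that runs through this thread (SSL error -8179 after the ldapsearch -Z test, and the fix found in the last post) means the 389 DS side does not have, in its NSS trust store, the certificate of the CA that issued the AD server certificate. The script below is an added example, not code from the thread or from the 389/PassSync projects. Using only openssl(1), it builds a throwaway CA standing in for the Windows 2008 CA, issues a server certificate for a made-up AD host name, and shows the same verification failing while the issuer is absent from the trust store and succeeding once it is trusted. The CA name, host name, work directory and the commented certutil line at the end are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "Peer's Certificate issuer is
# not recognized" / TLS "Unknown CA" failure with a throwaway CA, then show the fix.
# Assumes only openssl(1). All names and paths are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. A private CA standing in for the Windows 2008 CA that signed the AD cert.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/CN=synchro389 lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. A server certificate for the (assumed) AD host, signed by that CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ad.synchro389.lan" \
        -keyout "$WORK/ad.key" -out "$WORK/ad.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -sha256 -in "$WORK/ad.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/ad.pem" >/dev/null 2>&1
}

# 3. Verify the AD cert the way an LDAP client does: the chain must end in a
#    trusted CA. $1 is a PEM file of trusted CAs, or "" for a store without
#    the issuer. Prints "ok" or "unknown-ca".
verify_server_cert() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/ad.pem" 2>&1 || true)
    else
        # No -CAfile: only the system store is consulted, which does not contain
        # the lab CA. That is the state of the 389 DS cert8.db in the thread.
        out=$(openssl verify "$WORK/ad.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        # openssl reports "error 20 ... unable to get local issuer certificate",
        # the OpenSSL wording of NSS's -8179 / the TLS "Unknown CA" alert.
        *)        echo unknown-ca ;;
    esac
}

make_ca
make_server_cert
echo "issuer CA absent from trust store:  $(verify_server_cert "")"
echo "issuer CA present in trust store:   $(verify_server_cert "$WORK/ca.pem")"

# On the 389 DS host the trust store is the NSS database, not a PEM file. The
# equivalent import (assumed instance name; not run here) is:
#   certutil -d /etc/dirsrv/slapd-fedora389 -A -n "AD CA" -t "CT,," -i ca.pem
# After that, ldapsearch -Z -P /etc/dirsrv/slapd-fedora389/cert8.db ... no longer
# fails with SSL error -8179.
```

The point of the two verify calls is that the server certificate itself is never the problem: the same ad.pem is rejected or accepted purely depending on whether its issuer is in the client's trust store, which is why exporting the CA certificate from the Windows CA (or the TinyCA used in the last post) and importing it with certutil is the fix, not re-issuing the AD certificate.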