[Fedora-directory-users] Winsync woes

David Boreham david_list at boreham.org
Tue Aug 2 14:32:03 UTC 2005


Dimitri Yioulos wrote:

>Hello to all.
>
>I recently installed FDS on a CentOS 3 box.  My network authenticates to a 
>win2k3 AD box.  I'd like to use the Winsync feature of FDS to keep it 
>automatically updated.
>
>Firstly, FDS does work, to the extent that I populated ou=People, and can see 
>and use those entries in Kmail.  I've followed the Admin manual regarding 
>installation and configuration of Winsync on both the FDS and AD boxes, but  
>I can't get it to work.  I receive an error "81- LDAP error: can't contact 
>LDAP server".  By now, it's entirely probable that I've munged up the 
>configuration, having tried so many tweaks.
>
>I'm really not sure where to begin in terms of providing info to you so that 
>you can help me out.  With your kind indulgence, it might be better for you 
>to ask me questions about my setup, and we can go from there (I realize 
>that's a bassackwards way to ask for help, but ...).
>
>Here, at least, are some basics:  I obtained server and CA certs from 
>CACert.org, and plugged those into FDS.  I created the user Admin on both the 
>FDS and ADS boxes.  I created a Replica Agreement. I ran the Winsync utility 
>on the ADS box. I'm trying to use port 636.
>  
>
One tip: try to get the thing working without SSL first.
SSL is only _required_ to propagate password changes
from FDS to AD (without SSL everything else will work
but password changes themselves will fail). It will be much
(much!) easier to diagnose your configuration once you
know that everything is correct except SSL is not enabled.
You can then proceed to do battle with SSL alone.

>I do have a couple of questions:  what's the proper way to specify a Supplier 
>DN, and should I use "SSL client authentication" or "simple authentication" in 
>the Replica Agreement?
>  
>
I think you can use either, but unless you know why you need client 
auth, just use simple auth.

The supplier DN isn't actually used in winsync, so you can give any DN
(or the DN that you'd use for any other replication that you are doing:
the supplier DNs are a property of the server in general, not winsync).
The UI does force you to enter something before it will enable the replica.

Some other ideas: enable replication logging to get more verbose messages
from the server as to what it thinks it's doing in winsync. Use a sniffer
such as ethereal or tcpdump to see if the server is connecting to AD (it sounds
like it is not at present, but that might be due to an SSL config issue).
Again, disabling SSL makes sniffing the traffic much easier.
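An added example, not part of the original mail, that follows the same "plain LDAP first, SSL last" order: it probes the AD host on 389 with a simple bind, then checks whether 636 is open and whether a TLS handshake verifies, and reports which layer is the one failing. It assumes an OpenLDAP `ldapsearch` and `openssl` on the FDS box; the host, bind DN and password are placeholders passed by the caller.

```bash
#!/bin/bash
# Added example (not from the original thread). Separates a basic
# "can't contact LDAP server" condition from an SSL-only problem.
# Assumes ldapsearch (OpenLDAP client), openssl and coreutils timeout.

# tcp_reachable HOST PORT -> 0 if a TCP connection opens within 5s
tcp_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# simple_bind_ok HOST PORT BINDDN PASSWORD -> 0 if a simple bind on ldap:// works
simple_bind_ok() {
    ldapsearch -x -H "ldap://$1:$2" -D "$3" -w "$4" -b "" -s base 1.1 >/dev/null 2>&1
}

# tls_handshake_ok HOST PORT -> 0 if openssl completes and verifies a TLS handshake
# (verification only succeeds if the AD server cert chains to a CA openssl trusts)
tls_handshake_ok() {
    echo | timeout 5 openssl s_client -connect "$1:$2" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# diagnose TCP389 BIND389 TCP636 TLS636 -> one line naming the first failing layer.
# Arguments are exit statuses (0 = ok), so the logic runs without a live AD box.
diagnose() {
    if [ "$1" -ne 0 ]; then echo "network: cannot reach port 389 (check firewall/DNS/AD host)"
    elif [ "$2" -ne 0 ]; then echo "auth: TCP works but simple bind fails (check bind DN/password)"
    elif [ "$3" -ne 0 ]; then echo "ssl: plain LDAP fine, port 636 closed (AD not listening for LDAPS)"
    elif [ "$4" -ne 0 ]; then echo "ssl: port 636 open but TLS verify failed (CA cert not trusted)"
    else echo "ok: plain LDAP and LDAPS both work; look at the agreement and replication log"
    fi
}

# probe HOST BINDDN PASSWORD: run the four checks against a real host, then diagnose.
probe() {
    tcp_reachable "$1" 389;            t389=$?
    simple_bind_ok "$1" 389 "$2" "$3"; b389=$?
    tcp_reachable "$1" 636;            t636=$?
    tls_handshake_ok "$1" 636;         s636=$?
    diagnose "$t389" "$b389" "$t636" "$s636"
}
# Usage: probe ad.example.invalid "cn=Admin,cn=Users,dc=example,dc=invalid" 'PASSWORD'
```

If the plain-LDAP stages pass and only the 636 stages fail, the replication agreement itself is probably fine and the remaining work is on the certificate side, which is exactly the split the advice above recommends.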
