[Fedora-directory-users] Re: Hosed sync with AD

David Boreham david_list at boreham.org
Wed Feb 1 16:14:47 UTC 2006


Daniel Shackelford wrote:

> Anyone able to address the other questions about ssl?  I was able to 
> use the system version of ldapsearch to connect securely to my domain 
> controller from the FDS box.  I can also connect the same way to FDS.  
> I have read that the -81 error means that there is a problem with my 
> server cert, or the ca cert that was used to create it.  I have 2 
> server certs signed by different CAs (nothing self-signed), and I have 
> tried them both.  The CA certs are installed, and seem to be fine.  I 
> even exported one to use on the local openldap in order to test 
> connections to the domain controller without a problem.

I don't have any insight off the top of my head beyond what you've 
already tried. You could take a packet trace with ethereal or the like 
and see if there's anything interesting in the SSL handshake.

> Is FDS dependent on specific versions of libssl3.so or ?...  The thing 
> that confuses me the most is that it all seems to be working fine in 
> every other case.  I am still not sure there isn't a problem with my 
> Win2003 domain controller...

FDS should be used with the version of NSS that it was built against.
There will be some minor functionality differences between NSS releases
and bug fixes, but I wouldn't expect much sensitivity to NSS version
as far as basic functionality like this goes.

Bottom line is that if you can use the 'ldapsearch' command (the Mozilla
version that ships with FDS), pointed at the same cert database that the
server is using, to connect to your AD, then FDS's Winsync code should
be able to connect too: the code paths are essentially identical.
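The reply's diagnostic is to run a client-side SSL connection from the FDS host using the same trust material the server uses, so that a failure isolates the certificate setup from the Winsync code. The script below is an added example, not part of this thread or of FDS, that does the same handshake check with Python's ssl module and reports why a certificate is rejected. It assumes a PEM CA file rather than the NSS cert database the reply refers to; the host name and the certificate dictionary used for the summary are constructed for illustration.

```python
"""Handshake check for an LDAPS endpoint with a chosen CA file.

Added example (not from the mailing-list thread): connects to host:636,
verifies the server certificate against ca_file the way any TLS client
would, and summarises the certificate or the verification failure.
"""
import socket
import ssl
import time


def parse_dn(rdns):
    """Flatten the tuple-of-tuples DN format that ssl.getpeercert() returns
    (((('commonName', 'x'),), ...)) into a plain {attribute: value} dict."""
    flat = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def describe_cert(cert):
    """Summarise a getpeercert()-style dict: who the cert is for, who
    signed it, whether it is self-signed and whether it has expired."""
    subject = parse_dn(cert.get("subject", ()))
    issuer = parse_dn(cert.get("issuer", ()))
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    not_after = cert.get("notAfter")
    expired = (not_after is not None
               and ssl.cert_time_to_seconds(not_after) < time.time())
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": dns_names,
        "self_signed": subject == issuer,
        "expired": expired,
    }


def check_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Attempt a verified TLS handshake to host:port.

    Returns (True, cert_summary) on success, or (False, failure_detail)
    where failure_detail names the verification problem (untrusted issuer,
    hostname mismatch, expiry) instead of a bare error code.
    """
    # create_default_context enables certificate and hostname verification;
    # passing cafile limits trust to that CA, mirroring a dedicated cert DB.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, describe_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The server answered but its chain did not verify against ca_file.
        return False, {"error": "certificate verification failed",
                       "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Handshake-level or transport-level failure (refused, timeout, ...).
        return False, {"error": type(exc).__name__, "reason": str(exc)}


# Constructed sample in the shape getpeercert() produces; not a real cert.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("commonName", "dc1.example.com"),)),
    "issuer": ((("commonName", "Example Corp CA"),),),
    "subjectAltName": (("DNS", "dc1.example.com"), ("DNS", "example.com")),
    "notAfter": "Feb  1 16:14:47 2007 GMT",
}

if __name__ == "__main__":
    # Usage against a real domain controller (hypothetical host name):
    #   ok, detail = check_ldaps("dc1.example.com", ca_file="/path/to/ca.pem")
    print(describe_cert(SAMPLE_CERT))
```

Run it from the same host that runs FDS, pointing `ca_file` at the CA that signed the domain controller's certificate; a `certificate verification failed` result with its reason text tells you which of the poster's suspects (server cert or issuing CA) is actually at fault, while a transport error points away from the certificates altogether.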
