[Fedora-directory-users] AD problem

Nicholas Byrne nicholas.byrne at quadriga.com
Wed Nov 22 15:33:24 UTC 2006 

I also attempted to use the ldp utility on another PC running windows XP 
to query the AD server using ldaps. But no luck here either. Since i can 
connect using ldp util when it is running on the AD server over ssl port 
636 something must  be stopping remote queries on that port, any ideas?

Thanks
Nick

Nicholas Byrne wrote:
> A am fairly new to FDS, I am using fedora-ds-1.0.2-1.RHEL4 and my goal 
> is to setup a syncronisation against a W2K3 based active directory 
> domain controller. I've followed the Howto:SSL to setup SSL on the 
> fedora server which works correctly and i've also followed the 
> "Enabling SSL with Active Directory" section in Howto:WindowsSync 
> using the TinyCA method.
>
> On the AD server I've imported the CA cert and AD server cert i 
> created following the instructions in the howto. I've used ldp 
> (running on the AD server) to query the AD system using SSL and it 
> works after i create a connection on port 636, bind and run a search.
>
> Before complicating matters with PassSync i wanted to try remotely 
> querying the server over SSL to see if that works (non-SSL queries 
> work fine), so i can be sure that the standard sync agreement between 
> FDS and AD will work. I've tried a number of methods, but i always get 
> "ldap_bind: Can't contact LDAP server (-1)". On the system i'm making 
> queries from, i've installed the my CA cert in /etc/openssl/cacerts 
> and configured the following /etc/openldap/ldap.conf with:
>
> TLS_CACERTDIR   /etc/openldap/cacerts/
> TLS_REQCERT     allow
>
> I'd be very grateful for some advice, it's driving me nutty... output 
> of command below -
>
> ldapsearch -v -b dc=tech -s sub -H ldaps://w2k3virtual01.tech -x -W 
> -LLL '(objectclass=user)' -D winsync at tech -d 9
> ldap_initialize( ldaps://w2k3virtual01.tech )
> ldap_create
> ldap_url_parse_ext(ldaps://w2k3virtual01.tech)
> Enter LDAP Password:
> ldap_bind
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP w2k3virtual01.tech:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.103.20.50:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 0, subject: 
> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
> Certificate Authority/emailAddress=sysadmin at quadriga.com, issuer: 
> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
> Certificate Authority/emailAddress=sysadmin at quadriga.com
> TLS certificate verification: depth: 0, err: 0, subject: 
> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=w2k3virtual01.tech, 
> issuer: 
> /C=UK/ST=Berkshire/L=Reading/O=Quadriga/OU=Technology/CN=Quadriga 
> Certificate Authority/emailAddress=sysadmin at quadriga.com
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:failed in SSLv3 read finished A
> TLS: can't connect.
> ldap_perror
> ldap_bind: Can't contact LDAP server (-1)
>
>
>
>
> This e-mail is the property of Quadriga Worldwide Ltd, intended for 
> the addressee only and confidential.  Any dissemination, copying or 
> distribution of this message or any attachments is strictly prohibited.
>
> If you have received this message in error, please notify us 
> immediately by replying to the message and deleting it from your 
> computer.
>
> Messages sent to and from Quadriga may be monitored.
>
> Quadriga cannot guarantee any message delivery method is secure or 
> error-free.  Information could be intercepted, corrupted, lost, 
> destroyed, arrive late or incomplete, or contain viruses.
>
> We do not accept responsibility for any errors or omissions in this 
> message and/or attachment that arise as a result of transmission.
>
> You should carry out your own virus checks before opening any attachment.
>
> Any views or opinions presented are solely those of the author and do 
> not necessarily represent those of Quadriga.
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>



This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential.  Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free.  Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

More information about the Fedora-directory-users mailing list