[Fedora-directory-users] Windows Active Directory sync Help!

Rich Megginson rmeggins at redhat.com
Wed Jan 9 18:43:49 UTC 2008


kiran madala wrote:
> Sorry here is the error log for DS server
>
> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>
> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine. 
Did you configure the agreement to use SSL?  Error 91 means some sort of 
connection problem, or invalid argument to the LDAP API e.g. you are 
attempting to use LDAP on the secure port instead of LDAPS.

You can verify that TLS/SSL is working by using ldapsearch from the 
command line.  On the directory server machine:
/usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P 
/etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"

Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>
> ----------------------------------------
>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>> I am using Fedora 1.1 on a Fedora 6 x86 machine.  When I fill in the entries and click next a message pops up saying "Unable to connect to Active Directory server, continue?".  Also, in the domain controller host field can I specify the IP address of the machine?
>>>
>>> The error log for DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>>>
>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>> <snip>
>> Actually, this is the error log for the admin server.  The error log for 
>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance 
>> is your instance name.
>>
>> The console might be failing to connect to AD because the console has a 
>> separate key/cert db under ~/.fedora-idm-console (in 1.1).  You may need 
>> to add the CA cert in this directory too:
>>
>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>
>>> ----------------------------------------
>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>> From: rmeggins at redhat.com
>>>> To: fedora-directory-users at redhat.com
>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>
>>>> kiran madala wrote:
>>>>> As far as I understand from reading the docs again, the user specified in the Sync agreement and Bind DN should be the same and exist on Active Directory with Domain Admin privileges.  But I have other issues now.
>>>>>
>>>>> The DS server is unable to connect to my AD.
>>>> What error messages are you getting?  Check the error log.
>>>>
>>>> You can also try using ldapsearch.  Are you using Fedora DS 1.1 or 
>>>> 1.0.4?  What OS?
>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>> You don't need to use cert based client auth.  You can use regular 
>>>> username/password auth over TLS/SSL.
>>>>> My current certificates are as follows.
>>>>>
>>>>> DS has its own server certificate
>>>>> AD has its own server certificate
>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>
>>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> From: kirankmadala at hotmail.com
>>>>>> To: fedora-directory-users at redhat.com
>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>
>>>>>> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?
>>>>>>
>>>>>> In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain admin of the AD?
>>>>>>
>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>
>>>>>>
>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users; what changes do I need to make to synchronize groups as well?
>>>>>>
>>>>>> Thanks in advance
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>
>

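As an added example (not code from the thread or from the Fedora DS project), here is a small Python parser for the NSMMReplicationPlugin error line quoted above. It pulls out the agreement name, target host and port, and the LDAP SDK / NSPR error codes, then turns the error-91 reasoning from the reply into a "first thing to check" hint. The first sample line is the one from the thread; the second is constructed here. The code values 91 (LDAP_CONNECT_ERROR) and 81 (LDAP_SERVER_DOWN) are standard LDAP result codes; the hint strings are this example's own wording.

```python
"""Parse Fedora/389 DS replication-agreement error lines and suggest a first check.

Added example; not part of the mailing-list thread or the DS project.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the line handled here (from the thread):
# [ts] NSMMReplicationPlugin - agmt="cn=..." (host:port): <op>, LDAP sdk error N (msg),
#      Netscape Portable Runtime error M (msg)
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+'
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<host>[^:()]+):(?P<port>\d+)\):\s+'
    r'(?P<what>[^,]+),\s+LDAP sdk error\s+(?P<ldap>-?\d+)'
    r'(?:\s+\((?P<ldap_msg>[^)]*)\))?'
    r'(?:,\s+Netscape Portable Runtime error\s+(?P<nspr>-?\d+)'
    r'(?:\s+\((?P<nspr_msg>[^)]*)\))?)?'
)

LDAP_SERVER_DOWN = 81     # standard LDAP result code: "Can't contact LDAP server"
LDAP_CONNECT_ERROR = 91   # standard LDAP result code: "Can't connect to the LDAP server"
LDAPS_PORT = 636

# Sample line copied from the thread.
SAMPLE_LINE = ('[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" '
               "(netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 "
               "(Can't connect to the LDAP server), Netscape Portable Runtime error -5987 "
               "(Invalid function argument.)")

# Constructed sample (not from the thread): plain port, no NSPR component.
SAMPLE_LINE_PLAIN = ('[09/Jan/2008:13:40:00 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" '
                     "(netsweep-41a75e:389): Simple bind failed, LDAP sdk error 81 "
                     "(Can't contact LDAP server)")


@dataclass
class AgmtError:
    timestamp: str
    agreement: str
    host: str
    port: int
    operation: str
    ldap_code: int
    ldap_msg: Optional[str]
    nspr_code: Optional[int]
    nspr_msg: Optional[str]


def parse_agmt_error(line: str) -> Optional[AgmtError]:
    """Return the structured error, or None if the line is not an agreement error."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AgmtError(
        timestamp=m["ts"],
        agreement=m["agmt"],
        host=m["host"],
        port=int(m["port"]),
        operation=m["what"].strip(),
        ldap_code=int(m["ldap"]),
        ldap_msg=m["ldap_msg"],
        nspr_code=int(m["nspr"]) if m["nspr"] else None,
        nspr_msg=m["nspr_msg"],
    )


def diagnose(err: AgmtError) -> str:
    """First thing to check, following the reasoning given in the reply above."""
    if err.ldap_code == LDAP_CONNECT_ERROR:
        # Error 91 plus an NSPR "invalid argument" on the LDAPS port is the pattern the
        # reply attributes to an agreement that is not configured to use SSL/TLS.
        if err.port == LDAPS_PORT and err.nspr_code is not None:
            return ("check-ssl-flag: verify the agreement is set to use SSL/TLS, then confirm "
                    "LDAPS works with ldapsearch -Z against %s:%d" % (err.host, err.port))
        return "check-connectivity: firewall, DNS and that %s listens on %d" % (err.host, err.port)
    if err.ldap_code == LDAP_SERVER_DOWN:
        return "check-server: %s refused or closed the connection on %d" % (err.host, err.port)
    return "ldap-error-%d: consult the LDAP result code table" % err.ldap_code


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_PLAIN):
        e = parse_agmt_error(line)
        if e is not None:
            print("%s -> %s" % (e.agreement, diagnose(e)))
```

Running the module prints one hint per sample line; the parser can be pointed at /var/log/dirsrv/slapd-INSTANCE/errors (the path named in the thread) with a line-by-line loop, skipping lines for which it returns None.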