Hello,
just to explain why I'm confused, I saw this line in the Red Hat procedure:
"Import the CA certificate from Directory Server into Active Directory.
Click *Trusted Root CA*, then *Import*, and browse for the Directory Server
CA certificate."
and this one on a website:
"#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n Server-Cert"
So I check, and I don't have any "servercert.p12" in my directory server
(/etc/dirsrv/slapd-389/)
I go to install the Password Sync on my Domain Controller, hope it works ;)
Thanks to the community.
2013/3/27 alexandre <axel0felix(a)gmail.com>
Yes you're right, I was speaking about my domain controller (it has it
automatically in the trusted root certification authority)... And I made a
web enrollment request from my 389ds and installed the CA cert on my 389ds...
thanks
On 27 March 2013 17:51, "Rich Megginson" <rmeggins(a)redhat.com> wrote:
On 03/27/2013 10:32 AM, alexandre wrote:
>
> My CA is on my domain controller.
>
>
> Then it is not going to be in the list of "Trusted Root Certification
> Authorities" on the 389 machine unless you install it.
>
> On 27 March 2013 17:11, "Rich Megginson" <rmeggins(a)redhat.com> wrote:
>
>> On 03/27/2013 10:07 AM, alexandre wrote:
>>
>> Ok, now I know where my confusion comes from. So just to check, in my
>> case the CA cert that issued the 389DS server cert is automatically in my
>> "Trusted Root Certification Authorities" because my authority is on my
>> domain controller !?
>>
>>
>> I don't know. What is the CA?
>>
>>
>> Thanks !
>> Alex
>>
>>
>> 2013/3/27 Rich Megginson <rmeggins(a)redhat.com>
>>
>>> On 03/27/2013 09:53 AM, alexandre wrote:
>>>
>>> Yes I understand that.
>>>
>>> To sum up, I have a server-cert and a CA cert in my 389DS. I have a CA
>>> cert in my Active Directory.
>>>
>>> So I need server cert in my AD !?
>>>
>>>
>>> No. AD only needs the CA cert of the CA that issued the 389DS server
>>> cert.
>>>
>>>
>>>
>>> I don't really understand "But you must generate cert for DS on AD
>>> CA". If I did a request by web enrollment from my 389DS and installed it
>>> on my 389DS, is it good like that?
>>>
>>>
>>> Yes. But PassSync doesn't use the Windows/AD Trusted Cert store, so
>>> you still have to export that CA cert and install it using certutil, as
>>> described in the documentation for setting up PassSync.
>>>
>>>
>>>
>>> Thanks a lot !
>>> Alex
>>>
>>>
>>> 2013/3/27 Grzegorz Dwornicki <gd1100(a)gmail.com>
>>>
>>>> Yes, and that button allows you to install the server cert (again generated
>>>> in your case on the AD CA). The CA tab allows you to install the CA cert.
>>>>
>>>> Greg.
>>>> On 27 Mar 2013 16:33, "alexandre" <axel0felix(a)gmail.com> wrote:
>>>>
>>>>> Sorry, my screenshot is not in the mail; it's point 12.2.1.
>>>>> 4.c. Go to the *CA Certs* tab, and click *Install* at the bottom of
>>>>> the window.
>>>>> On this link:
>>>>>
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9...
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> 2013/3/27 alexandre <axel0felix(a)gmail.com>
>>>>>
>>>>>> Thanks for the new Link !
>>>>>>
>>>>>> @Rich Megginson "It's not the 389DS server certificate, but the
>>>>>> CA certificate for the CA that issued the 389DS server certificate, that
>>>>>> you need for PassSync"
>>>>>>
>>>>>> @Grzegorz Dwornicki "But you must generate cert for DS on AD CA.
>>>>>> Then you need to import this cert with AD CA cert on DS"
>>>>>>
>>>>>> Sorry, I don't understand "CA certificate for the CA that issued
>>>>>> the 389DS server certificate". I have to export this one below to the AD?
>>>>>> (it's empty on this screenshot, but with the CA certificate on my
>>>>>> directory server):
>>>>>>
>>>>>>
>>>>>>
>>>>>> @Grzegorz Dwornicki --> do you have a procedure to do that? I
>>>>>> don't find it in the Red Hat documentation. (When you said AD CA, do
>>>>>> you consider that AD CA = Authority installed on my AD?)
>>>>>>
>>>>>> Many thanks for your answers, and for your patience with my
>>>>>> translation problems.
>>>>>>
>>>>>> Best regards,
>>>>>> Alex
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2013/3/27 Grzegorz Dwornicki <gd1100(a)gmail.com>
>>>>>>
>>>>>>> I had misunderstood you in this case. No, you don't need to create
>>>>>>> a second CA. But you must generate a cert for DS on the AD CA. Then
>>>>>>> you need to import this cert with the AD CA cert on DS.
>>>>>>>
>>>>>>> Greg.
>>>>>>> On 27 Mar 2013 15:41, "alexandre" <axel0felix(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> I'm really impressed by the reactivity of this list !!!
>>>>>>>>
>>>>>>>> Sorry, my understanding is not perfect because I'm French. So, I
>>>>>>>> don't have any CA in my DS; I have one CA (installed on my domain
>>>>>>>> controller).
>>>>>>>>
>>>>>>>> Do I need to install a CA in my DS? (When I write CA, for me it
>>>>>>>> means an Authority.)
>>>>>>>>
>>>>>>>>
>>>>>>>> Alex
>>>>>>>>
>>>>>>>>
>>>>>>>> 2013/3/27 Grzegorz Dwornicki <gd1100(a)gmail.com>
>>>>>>>>
>>>>>>>>> If you have a different CA in AD vs DS then you need to do this
>>>>>>>>> import.
>>>>>>>>>
>>>>>>>>> AD by default doesn't use LDAPS or STARTTLS, so you need to install
>>>>>>>>> the MS cert CA stuff.
>>>>>>>>>
>>>>>>>>> Greg.
>>>>>>>>> On 27 Mar 2013 15:07, "alexandre" <axel0felix(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I try to follow this procedure:
>>>>>>>>>>
>>>>>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8...
>>>>>>>>>>
>>>>>>>>>> Everything works fine, except I don't understand this line
>>>>>>>>>> correctly:
>>>>>>>>>>
>>>>>>>>>> "Import the CA certificate from Directory Server into Active
>>>>>>>>>> Directory. Click *Trusted Root CA*, then *Import*, and browse
>>>>>>>>>> for the Directory Server CA certificate."
>>>>>>>>>>
>>>>>>>>>> For me a CA certificate is a certificate from the Authority,
>>>>>>>>>> so in my Active Directory the certificate from the authority is
>>>>>>>>>> already known in the Trusted Root CA.
>>>>>>>>>>
>>>>>>>>>> So, do I need to import the 389DS server certificate in my Active
>>>>>>>>>> Directory?
>>>>>>>>>>
>>>>>>>>>> And finally, there is no indication of how to do that; can someone
>>>>>>>>>> help me to get through?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Alex
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> 389 users mailing list
>>>>>>>>>> 389-users(a)lists.fedoraproject.org
>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>>>>>>
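The thread's conclusion (AD and PassSync need the CA certificate of the CA that issued the 389DS server certificate, and PassSync keeps its own NSS database instead of using the Windows trusted root store) as an added example that is not part of the thread: a POSIX shell script that tells the CA certificate apart from the server certificate in a `certutil -L` listing by its trust flags, then prints the certutil export and import commands. The listing, the nickname "AD Root CA" and the PassSync directory placeholder are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). PassSync keeps its own NSS database,
# so the CA certificate that issued the 389DS server certificate is imported
# there with certutil -A; the Windows "Trusted Root CA" store is not enough.
# The listing, nicknames and PassSync directory below are constructed.

# Constructed output of: certutil -d /etc/dirsrv/slapd-389 -L
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AD Root CA                                                   CT,,
Server-Cert                                                  u,u,u'

# Print nicknames whose SSL trust field (first comma-separated part of the
# last column) matches the pattern; the two header lines and the blank
# line are skipped. Nicknames may contain spaces, so only the last column
# is treated as the trust flags.
nicknames_with_flag() {
    printf '%s\n' "$2" | awk -v pat="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF
            sub(/[ \t]+[^ \t]+$/, "")
            split(flags, f, ",")
            if (f[1] ~ pat) print
        }'
}
# "C" = trusted CA for SSL: this is what AD and PassSync need.
ca_nicknames()     { nicknames_with_flag C "$1"; }
# "u" = we hold the private key: the server cert, which stays on the DS host.
server_nicknames() { nicknames_with_flag u "$1"; }

# Export the CA cert as PEM (-a) from the DS database ...
export_ca_cmd() {
    printf 'certutil -d %s -L -n "%s" -a > ca.pem\n' "$1" "$2"
}
# ... and import it into PassSync's NSS database as a trusted CA ("CT,,").
import_ca_cmd() {
    printf 'certutil -d "%s" -A -n "%s" -t "CT,," -a -i ca.pem\n' "$1" "$2"
}

main() {
    ca=$(ca_nicknames "$SAMPLE_LISTING")
    echo "CA certificate to export for AD/PassSync: $ca"
    echo "Server certificate (stays on 389DS):      $(server_nicknames "$SAMPLE_LISTING")"
    export_ca_cmd /etc/dirsrv/slapd-389 "$ca"
    import_ca_cmd '<PASSSYNC_INSTALL_DIR>' "$ca"   # placeholder path
}
main
```

Run it against the real listing by replacing `SAMPLE_LISTING` with `$(certutil -d /etc/dirsrv/slapd-389 -L)`; the pk12util export from the thread is only needed when the private key itself must move, which the CA-trust step does not require.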