9:01 a.m.
Thank you David.
Anyone able to address the other questions about ssl? I was able to use
the system version of ldapsearch to connect securely to my domain
controller from the FDS box. I can also connect the same way to FDS. I
have read that the -81 error means that there is a problem with my
server cert, or the ca cert that was used to create it. I have 2 server
certs signed by different CAs (nothing self-signed), and I have tried
them both. The CA certs are installed, and seem to be fine. I even
exported on to use on the local openldap in order to test connections to
the domain controller without a problem.
Is FDS dependent on specific versions of libssl3.so or ?... The thing
that confuses me the most is that it all seems to be working fine in
every other case. I am still not sure there isn't a problem with my
Win2003 domain controller...
Ack!
Date: Tue, 31 Jan 2006 15:17:18 -0500
From: Daniel Shackelford <dshackel(a)arbor.edu>
Subject: [Fedora-directory-users] Hosed sync with AD
To: FedoraUsers <fedora-directory-users(a)redhat.com>
Message-ID: <43DFC5CE.1050909(a)arbor.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello...
Earlier this month we had an issue with one of our domain controllers
(Win2003) and took it down. It was the one the directory server was
pointing to for synchronization. Ever since then, no sync has occurred
and I am back to getting the
-81 (Peer's Certificate issuer is not recognized.)
I have checked the DC, and all looks well. We were merely moving the
logs to another volume, so it should not have an effect on ldap
connections. I did some fiddling and at one point I removed the native
java since I had installed the IBM version. Jessie depended on it, so
that was removed as well. I have since gotten new certs and CA certs,
and installed them, but still no luck on the connection. Certutil no
longer worked, so I installed mozilla-nss, and now it does not work
for other reasons:
NSS_Initialize failed: An I/O error occurred during security authorization.
All certificate management via the console seems to work fine...
So, my questions are:
Is there a way to get my ssl libraries so they line up with what FDS wants?
Was jessie even involved in this issue?
I already have all our data in this directory, so is there a way for me
to get this thing syncing again without a wipe and reinstall?
If I delete the sync agreement, and create a new one, what happens on
the first sync? Will it just pick up where it left off, or will it
choke on all the objects that were a part of the previous sync
agreement? Will I have problems with my data since it has been over 10
days since the last sync?
10:14 a.m.
Daniel Shackelford wrote:
Anyone able to address the other questions about ssl? I was able to
use the system version of ldapsearch to connect securely to my domain
controller from the FDS box. I can also connect the same way to FDS.
I have read that the -81 error means that there is a problem with my
server cert, or the ca cert that was used to create it. I have 2
server certs signed by different CAs (nothing self-signed), and I have
tried them both. The CA certs are installed, and seem to be fine. I
even exported on to use on the local openldap in order to test
connections to the domain controller without a problem.
I don't have any insight off the top of my head beyond what you've
already tried.
You could take a packet trace with ethereal or the like and see if
there's anything
interesting in the SSL handshake.
Is FDS dependent on specific versions of libssl3.so or ?... The
thing
that confuses me the most is that it all seems to be working fine in
every other case. I am still not sure there isn't a problem with my
Win2003 domain controller...
FDS should be used with the version of NSS that it was built against.
There will be some minor functionality differences between NSS releases
and bug fixes, but I wouldn't expect much sensitivity to NSS version
as far as basic functionality like this goes.
Bottom line is that if you can use the 'ldapsearch' command (the Mozilla
version that ships with FDS), pointed at the same cert database that the
server is using, to connect to your AD, then FDS's Winsync code should
be able to connect too : the code paths are essentially identical.
8:46 a.m.
New subject: [Fedora-directory-users] ssl encryption without certs
Hi. Is it possible to protect the passwords & other info during transit with SSL w/o
certificates? I'm not concerned with a MITM attack against the FDS or clients
misrepresenting
themselves, only need to encrypt the password like ssh would. Can I do it without all the
cert
setup business?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
1:11 p.m.
New subject: [Fedora-directory-users] ssl encryption without certs
Susan wrote:
Hi. Is it possible to protect the passwords & other info during
transit with SSL w/o
certificates? I'm not concerned with a MITM attack against the FDS or clients
misrepresenting
themselves, only need to encrypt the password like ssh would. Can I do it without all the
cert
setup business?
SSL and certs are tightly bound. If you cared to set up kerberos, a sasl bind
would get you secure authentication and subsequent transport.
BTW, please start a new thread rather than changing subject text on a reply - it really
messes with threaded mail readers :)
--
Pete
6650
days inactive
6651
days old
389-users@lists.fedoraproject.org
3 comments
4 participants
participants (4)
-
Daniel Shackelford -
David Boreham -
Pete Rowley -
Susan