Thank you David.
Anyone able to address the other questions about ssl? I was able to use the system version of ldapsearch to connect securely to my domain controller from the FDS box. I can also connect the same way to FDS. I have read that the -81 error means that there is a problem with my server cert, or the ca cert that was used to create it. I have 2 server certs signed by different CAs (nothing self-signed), and I have tried them both. The CA certs are installed, and seem to be fine. I even exported one to use on the local openldap in order to test connections to the domain controller without a problem.
Is FDS dependent on specific versions of libssl3.so or ?... The thing that confuses me the most is that it all seems to be working fine in every other case. I am still not sure there isn't a problem with my Win2003 domain controller...
Ack!
Date: Tue, 31 Jan 2006 15:17:18 -0500
From: Daniel Shackelford dshackel@arbor.edu
Subject: [Fedora-directory-users] Hosed sync with AD
To: FedoraUsers fedora-directory-users@redhat.com
Message-ID: 43DFC5CE.1050909@arbor.edu
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello...
Earlier this month we had an issue with one of our domain controllers (Win2003) and took it down. It was the one the directory server was pointing to for synchronization. Ever since then, no sync has occurred and I am back to getting the
-81 (Peer's Certificate issuer is not recognized.)
I have checked the DC, and all looks well. We were merely moving the logs to another volume, so it should not have an effect on ldap connections. I did some fiddling and at one point I removed the native java since I had installed the IBM version. Jessie depended on it, so that was removed as well. I have since gotten new certs and CA certs, and installed them, but still no luck on the connection. Certutil no longer worked, so I installed mozilla-nss, and now it does not work for other reasons:
NSS_Initialize failed: An I/O error occurred during security authorization.
All certificate management via the console seems to work fine...
So, my questions are:
Is there a way to get my ssl libraries so they line up with what FDS wants? Was jessie even involved in this issue? I already have all our data in this directory, so is there a way for me to get this thing syncing again without a wipe and reinstall? If I delete the sync agreement, and create a new one, what happens on the first sync? Will it just pick up where it left off, or will it choke on all the objects that were a part of the previous sync agreement? Will I have problems with my data since it has been over 10 days since the last sync?
Daniel Shackelford wrote:
Anyone able to address the other questions about ssl? I was able to use the system version of ldapsearch to connect securely to my domain controller from the FDS box. I can also connect the same way to FDS. I have read that the -81 error means that there is a problem with my server cert, or the ca cert that was used to create it. I have 2 server certs signed by different CAs (nothing self-signed), and I have tried them both. The CA certs are installed, and seem to be fine. I even exported one to use on the local openldap in order to test connections to the domain controller without a problem.
I don't have any insight off the top of my head beyond what you've already tried. You could take a packet trace with ethereal or the like and see if there's anything interesting in the SSL handshake.
Is FDS dependent on specific versions of libssl3.so or ?... The thing that confuses me the most is that it all seems to be working fine in every other case. I am still not sure there isn't a problem with my Win2003 domain controller...
FDS should be used with the version of NSS that it was built against. There will be some minor functionality differences between NSS releases and bug fixes, but I wouldn't expect much sensitivity to NSS version as far as basic functionality like this goes.
Bottom line is that if you can use the 'ldapsearch' command (the Mozilla version that ships with FDS), pointed at the same cert database that the server is using, to connect to your AD, then FDS's Winsync code should be able to connect too : the code paths are essentially identical.
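As an added example (not part of the thread, and not code from the FDS project), the following script does what the reply above suggests in a repeatable way: it lists the certificates in the directory server's own NSS database and reports which ones carry the "C" trust flag in the SSL column (the flag a CA needs before NSS will accept server certificates it issued, which is what the -81 "issuer is not recognized" error is about), and it builds the Mozilla ldapsearch command line that connects to the domain controller over SSL using that same database. The install root /opt/fedora-ds, the instance id, the domain controller name and the alias-directory layout are assumptions for an FDS 1.0-style install; the `-Z` and `-P` flags are those of the Mozilla LDAP tools, not the OpenLDAP ldapsearch, so check them against the usage output of your copy.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FDS project.
# Paths, instance id and host below are assumptions; adjust to your install.
set -u

FDS_ROOT="${FDS_ROOT:-/opt/fedora-ds}"          # assumed FDS install root
INSTANCE="${INSTANCE:-example}"                # assumed slapd instance id
ALIAS_DIR="$FDS_ROOT/alias"                    # directory holding the NSS dbs
DB_PREFIX="slapd-$INSTANCE-"                   # prefix of cert8.db / key3.db
CERTDB_FILE="$ALIAS_DIR/${DB_PREFIX}cert8.db"  # the server's own cert db
AD_HOST="${AD_HOST:-dc.example.com}"           # assumed domain controller
AD_PORT="${AD_PORT:-636}"
LDAPSEARCH="$FDS_ROOT/shared/bin/ldapsearch"   # Mozilla ldapsearch shipped with FDS

# NSS trust attributes are three comma-separated groups: SSL,S/MIME,code-signing.
# A CA whose issued server certificates should be accepted over SSL needs a
# "C" in the first group (e.g. "CT,," or "C,,").  Returns 0 if so, 1 otherwise.
trust_flags_allow_ssl_ca() {
    ssl_group=$(printf '%s' "$1" | cut -d, -f1)
    case "$ssl_group" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Builds (does not run) the ldapsearch command for an anonymous root-DSE
# search over SSL, pointed at the same cert database the server uses.
ldapsearch_ssl_cmd() {
    printf '%s -Z -P %s -h %s -p %s -b "" -s base "objectclass=*"' \
        "$LDAPSEARCH" "$CERTDB_FILE" "$AD_HOST" "$AD_PORT"
}

# Lists every certificate in the server's database and says whether it is
# trusted as an SSL CA.  The first three lines of certutil -L output are the
# column headers and a blank line; the trust flags are the last field.
report_trusted_cas() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found; skipping"; return 0; }
    certutil -L -d "$ALIAS_DIR" -P "$DB_PREFIX" | tail -n +4 | while read -r line; do
        flags=$(printf '%s' "$line" | awk '{print $NF}')
        nick=$(printf '%s' "${line%"$flags"}" | sed 's/[[:space:]]*$//')
        if trust_flags_allow_ssl_ca "$flags"; then
            echo "trusted SSL CA: $nick ($flags)"
        else
            echo "not an SSL CA:  $nick ($flags)"
        fi
    done
}

# Run with the single argument "run" to execute the checks; the AD issuing CA
# should appear as a trusted SSL CA, and the search should return the root DSE.
if [ "${1:-}" = "run" ]; then
    report_trusted_cas
    echo "Trying: $(ldapsearch_ssl_cmd)"
    [ -x "$LDAPSEARCH" ] && eval "$(ldapsearch_ssl_cmd)"
fi
```

If the CA that issued the domain controller's certificate is listed without a "C" in the SSL column, or is missing altogether, the server will keep returning -81 no matter which server certificate of its own it presents; only the trust settings on the issuing CA in this database matter for the outbound connection.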
Hi. Is it possible to protect the passwords & other info during transit with SSL w/o certificates? I'm not concerned with a MITM attack against the FDS or clients misrepresenting themselves, only need to encrypt the password like ssh would. Can I do it without all the cert setup business?
Susan wrote:
Hi. Is it possible to protect the passwords & other info during transit with SSL w/o certificates? I'm not concerned with a MITM attack against the FDS or clients misrepresenting themselves, only need to encrypt the password like ssh would. Can I do it without all the cert setup business?
SSL and certs are tightly bound. If you cared to set up kerberos, a sasl bind would get you secure authentication and subsequent transport.
BTW, please start a new thread rather than changing subject text on a reply - it really messes with threaded mail readers :)