• Welcome to Overclockers Forums! Join us to reply in threads, receive reduced ads, and to customize your site experience!

HowTO: Sync Active Directory with Directory Server

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.

Stratus_ss

Overclockix Snake Charming Senior, Alt OS Content
Joined
Jan 24, 2006
Location
South Dakota
This is a repost so that I could add a section for client connectivity

HowTo: Sync Active Directory with 389 Server

Our example will have 3 computers, w2k8-ad.stratus.local (192.168.122.233), 389.stratus.local (192.168.122.250), client.stratus.local (192.168.122.33).

This HowTo assumes that you already have an Active Directory server configured and running (in our case w2k8-ad) with DNS services.

Step 1: Setup your networking

You will want to setup your network with something similar
to this
connetion.png

Step 2: Setup the 389 repository and install

The following is the command to run in order to install the EPEL repo which has the 389 server components. NOTE: the instructions for this repository on directory.fedoraproject.org/wiki/Download are incorrect.
Code:
rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

NOTE: As they update the epel-release package, the link will become invalid. If you have a web browser handy, navigate to the URL (minus the RPM) and find the name of the rpm manually.

Once the repository is configured you will want to run the following commands (as root):
Code:
yum clean all
yum install 389-ds -y
Step 3: Setup the initial configuration

While there are different guides out there to help walk through setting up the 389 server, it may be best to setup a user for this process (as recommended by several guides). As the 389 server was previously called the Fedora Directory Server, we will call our user fds:
Code:
useradd fds
Run the following command:
Code:
setup-ds-admin.pl
IMPORTANT NOTE: in order for this process to complete successfully your hostname must be resolvable as well as reverse resolvable. I.e. <nslookup 389.stratus.local> and <nslookup 192.168.122.250> both need to return successful records

This will walk you through the setup process:
Code:
[root@postfix Desktop]# setup-ds-admin.pl

=========================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: yes

=========================================================================
Your system has been scanned for potential problems, missing patches, etc.  The following output is a report of the items found that need to be addressed before running this software in a production environment.

389 Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE : System is x86_64-unknown-linux2.6.32-220.el6.x86_64 (4 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes).  This may cause temporary server congestion from lost client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections. 

WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. 

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes

=========================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most  common options and pre-defined defaults. Useful for quick evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is  recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: <PRESS ENTER>

=========================================================================
Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname>
\Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers can not be reached or if DNS is not configured correctly.  If you would rather not wait, hit Ctrl-C and run this program again with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [389.stratus.local]: <PRESS ENTER>

=========================================================================
The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user).  The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations.

If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities.

System User [nobody]: fds
System Group [nobody]: fds

=========================================================================
Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers.  If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server.  To do so, the following information about the configuration server is required: the fully qualified host name of the form <hostname>.<domainname>(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: <PRESS ENTER>

=========================================================================
Please enter the administrator ID for the configuration directory server.  This is the ID typically used to log in to the console.  You will also be prompted for the password.

Configuration directory server
administrator ID [admin]: <PRESS ENTER>
Password:
Password (confirm):

=========================================================================
The information stored in the configuration directory server can be separated into different Administration Domains.  If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate.

If you are not using administrative domains, press Enter to select the default.  Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.

Administration Domain [stratus.local]: <PRESS ENTER>

=========================================================================
The standard directory server network port number is 389.  However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use.

Directory server network port [389]: <PRESS ENTER>

=========================================================================
Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier.

Directory server identifier [389]: <PRESS ENTER>

=========================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes.

Suffix [dc=stratus, dc=local]: <PRESS ENTER>

=========================================================================
Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user.  The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: <PRESS ENTER>
Password:
Password (confirm):

=========================================================================
The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted.

Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.

Administration port [9830]: <PRESS ENTER>

=========================================================================
The interactive phase is complete.  The script will now set up your servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: yes

Step 4: Working with the 389-console

Now that the server is running, run the following to launch the graphical interface:
Code:
389-console

389-login.png
Enter the following:

User ID: cn=Directory Manager
Password: <your password>
administration URL: http://localhost:9830

console-start.png

Click the + sign beside your hostname, and then again on the Server Group to reveal the Directory Server option. Highlight it, and click the “Open” button.

You will be greeted by this screen:

directory_start.png


Step 5: Create a Sync user

Click the Directory Tab, highlight the “config” entry Right click and highlight “New” and then “User”

create_sync_user.png

You will see the following screen.

sync_user.png

NOTE: you may call this user whatever you wish, just remember what the “User ID:” is.



Step 6: Windows Sync agreement

This has a few “mini” parts. The first is to enable replication. In the “Configuration” tab, highlight Replication, check the “Enable Changelog” box and then click “Use Default”. Click “Save”

replication.png

Next, highlight “userRoot”, check the “Enable Replica” box and scroll down to the place where it says “Enter a new Supplier DN:”. This is refering to the sync user we created earlier. Enter your sync user like so:
uid=SMaster,cn=config

Click add, and then save

sync_master_user.png

Right click on the “userRoot” and click “New Windows Sync Agreement”. You will be greeted with the following screen.

windows_sync_1.png

Enter your information. This is mostly aesthetic, as this only affects what the directory server displays for the sync agreement.

windows_sync-2.png

After clicking next, fill in the following information:

Windows Domain Name: stratus.local

Select Sync New Windows Users, Sync New Windows Groups

Domain Controller Host: w2k8-ad.stratus.local (or the FQDN of the Active directory server

Bind as: cn=Administrator,cn=Users,dc=stratus,dc=local
Fill in the password box.

NOTE: you do not have to bind as Administrator, but this requires your Active Directory system administrators to provide you with the appropriate “cn=” users.


NOTE 2: I have run into problems with users who have no Surname having some of their group memberships stripped in a domain which has been upgraded from 2000 -> 2003 -> 2008. If you experience this in your TEST environment try setting the bind user to a non-privileged user and then setting their security access to "Replicating Directory Changes" to allow (This is found by enabling Advanced Features, then right clicking on your domain and clicking properties and then going to the security tab. If your user is not in the list, add it and then grant it the permission to Replicate Directory Changes


After clicking next, the system may pause for a moment while it tests the information you have provided. If it is successful you will see a summary of the sync agreement. At this point you will be able to sync users and groups but NOT passwords.


Step 7: Setup an ACL for PassSync

In the Directory Server window, click on the Directory tab. Highlight your domain (in this case its' called “stratus”), right click and select
“Set Access permissions”. NOTE: this can also be achieved by pressing ctrl + L

Select “New” from the right hand menu. In some cases you will see a the following (see the screen shot directly below).

pass_sync_389_server-1.png

ACL-2.png


Enter an appropriate ACL name and then click “Edit Manual”. Replace the contents with the following:
Code:
(targetattr = "*")
(version 3.0;
acl "PassSync";
allow (all)
(userdn = "ldap:///uid=SMaster,cn=config")
;)

pass_sync_acl_389_2.png

Click “Ok”. You should now see a “PassSync” option listed in the ACL list. Click “Ok” to close that screen.


Step 8: Run the following script
Code:
#!/bin/bash
mkdir /etc/dirsrv/cert
cd /etc/dirsrv/cert
#This echo statement is actually putting the word “password” (without the quotes) in a temporary password file to help
#automate the process. This will be the password for your certificate. Change this as appropriate
echo "password" > /tmp/pwdfile
export PATH=/usr/bin/:$PATH
touch noise.txt
cd /etc/dirsrv/slapd-389

#Associate the password with the certificates which will be generated in the current directory
certutil -N -d . -f /tmp/pwdfile
#Generate a CA certificate for the 389 server
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/dirsrv/cert/noise.txt -f /tmp/pwdfile -2

#anwsers are Y, <enter accepting defaults>, Y
#This builds the server cert
certutil -S -n "Server-Cert" -s "cn=389.stratus.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z /etc/dirsrv/cert/noise.txt -f /tmp/pwdfile

#This exports the cacert in case you need it
pk12util -d . -o cacert.p12 -n "CA certificate"

#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n Server-Cert

#This exports the CA cert for ldap clients
certutil -L -d . -n "CA certificate" -a > cacert.asc

#This places the cacert in the ldap directory so you can test the user database locally
cp cacert.asc /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

#This sets up /etc/pam_ldap.conf, again client related config... This is optional on the server itself

file=`cat > /etc/pam_ldap.conf <<EOF 
host 192.168.122.250
base dc=stratus,dc=local
bindpw password
rootbinddn cn=Directory Manager,dc=stratus,dc=local
ssl start_tls
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.asc
EOF`

#Import the CA Cert into the 389 server
cd /etc/dirsrv/admin-serv
certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/slapd-389/cacert.asc
service dirsrv-admin restart


Step 9: Configure SSL for the 389 Server

In the Directory Server window,
highlight your local host entry. (In this case its 389.stratus.local:389). On the right side of the screen, select the Encryption tab. Check the boxes which say “Enable SSL for this server” as well as “use this cipher family: RSA”. In the drop down box you should be able to select “Server-Cert”. Under “Client Authentication” make sure that both “Allow client authentication” and “Use SSL in Console”. Click “Save”
encryption_setting1.png

Step 9B: Create a pin with password to enable unattended start

If you choose to skip this step, your server will not come back up unless someone is there to put in the SSL token at the CLI. To allow for unattended restarts you must create a pin.txt

This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if the server is running in an unsecured environment.

The password file must be in the same directory where the other key and certificate databases for Directory Server are stored. In our case it is /etc/dirsrv/slapd-389. The file should be named pin.txt.

Include the token name and password in the file, such as Token:mypassword. For example:

Internal (Software) Token:<your password>

The PIN file should be owned by the Directory Server user and set to read-only by the Directory Server user, with no access to anyone other user (mode 0400).

Step 10: Install the PassSync service on the AD Server

Screenshotfrom2012-12-28152051_zpsb661c4d5.png

Download the PassSync and install it on the Active Directory server. You will need to fill out the form before PassSync will start syncing passwords with your directory server.


**NOTE: This step can be misconfigured and the users and groups will still be imported properly without passwords
**NOTE 2: the log file for PassSync can be found C:\Program Files\389 Directory Password Synchronization\passync.log

Step 11: Copy the Server-Cert to Windows AD and import it

The server cert you just created on your 389/ldap server will be located /etc/dirsrv/slapd-389/servercert.p12. Copy this over to the Windows Server and import it with the following commands:

# run this on the w2k8 server in C:\Program Files\(Red Hat| 389) Directory Password Synchronization
Code:
cd C:\Program Files\389 Directory Password Synchronization
certutil.exe -d . -N
pk12util.exe -d . -i servercert.p12
certutil.exe -d . -M -n Server-Cert -t "P,P,P"
After the Server-Cert has been installed, you will need to reboot the AD server in order for PassSync to work properly within the AD structure. Additionally it is not a bad idea to reboot the 389 server at the same time. NOTE: you will need to start the dirsrv after the reboot as we have not setup a “pin”. After running service dirvsrv start, you will be prompted for the password which you created for the Server-Cert.


Step 12: Initiate a full sync.

NOTE: While the PassSync service on the Windows server starts with the computer, I have found that it may take a few minutes before it has managed to collect the data from AD. If you don't want to wait, I have found that restarting the service should allow PassSync to scrape the data from AD.

In the “Configuration” tab of the Directory Server window, if you have not already, expand “Replication”, and then “userRoot”. Right click on your domain, and click “Initiate Full Re-Synchronization”. In the Directory tab, expand your domain and highlight people. You should now see your Active Directory users in your directory server.

Run_windows_sync.png


You should see stars in the password field if the sync has worked properly. In order for these users to be enabled in ldap you have to Enable Posix User Attributes. Set the UID and GUID, as well as the Home Directory and login shell.

domain_people_389.png

user_was_synced.png

add_posix_user.png


And that should be it, you should now have Active Directory syncing with the Directory server. Linux/Unix clients would then authenticate as OpenLDAP clients against the Directory server. See HowTOL Setup LDAP Server and Clients for more information on client authentication with the directory server
 
Last edited:
Client Configuration

On the Directory Server

The first step that is needed is to create your own SSL cert for client authentication. This is different than the SSL Cert which was created and imported into the Directory Server earlier.

In this step you will create and sign an SSL certificate which will then be made available to clients wishing to authenticate against the database.

In a terminal:

Code:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/stratus_cert.pem -keyout /etc/pki/tls/certs/stratus_key.pem -days 365

You can obviously call your cert whatever you wish. Once you fill out the required information (NOTE: common name is your FQDN!), you may allow authentication by making the Directory Server aware of the newly created cert.

Open up the directory server from the 389-console.

Select "Manage Certificates" under the "Tasks" tab

manage_certs_389.png

Click on the "CA Certs" tab and click "Install.."

cacerts.png

In this example, I am simply catting out the cert so that I can paste it into the program. If you wish you can also select the file by browsing to it.

paste_cert.png

After you have pasted the file, you will be greeted by the following summation screen:

cert_info.png

Continue clicking next, you may read the screens if you wish, but no action is required until you get to the following screen:

cert_purpose.png

In my case, I am not wanting other servers to authenticate against my Directory Server, so I made sure that I only checked "Accepting connections from clients"

After this, restart the dirsrv and dirsrv-admin in order for the Directory server to make use of the newly installed cert

Code:
service dirsrv restart
service dirsrv-admin restart

NOTE: When restarting the dirsrv you will be prompted for a password until you create a pin. (More on this later)

On the Client Machine

The first step is to make sure that you have the necessary packages installed

Code:
yum install -y openldap-clients pam_ldap nscd sssd

Once that is completed, you can run the authconfig-gtk (or launch it from the GUI under System -> Administration -> Authentication)

Fill out the information as appropriate and then toggle from Kerberos to LDAP password. Check "Use TLS to encrypt connection" and then click "Download CA Cert" and enter the hostname of your directory server and the port 636

authconfig-1.png

NOTE: If this fails, you can check to make sure that your computer is listening on port 636 by running the following on the Directory Server
Code:
nmap localhost

Click the Advanced tab and make sure you check "Create home directories"

authconfig-2.png

At this point you may need to reboot the client computer as some PAM files were edited and they often do not take (full) effect until after a reboot.

You should now be able to log in to the users who are stored/have been sync'd into the Directory Server!
 
Last edited:
*** if passync throws an error 81, it has a bad cert file. Remove the current ones and import a new certificate


TROUBLESHOOTING

If you receive the following error:

Code:
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections. 

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

Do the following:

edit the /etc/sysctl.conf file, and reset the fs.file-max parameter:

Code:
fs.file-max = 64000
Then increase the maximum number of open files on the system by editing the /etc/security/limits.conf configuration file. Add the following entry:
Code:
*        -        nofile        8192
Edit the /etc/pam.d/system-auth, and add this entry:
Code:
session required /lib/security/$ISA/pam_limits.so
Reboot the machine to apply the changes.

User does not exist

If you receive this error try querying your Directory Server from the client

Code:
ldapsearch -x -b "dc=stratus,dc=local"

If you can find the user in the output, check for mis-spellings such as capitals or typoos

If you don't receive and users and you have verified that the user exists in the Directory Server, try the following:

Code:
ldapsearch -x -b "dc=stratus,dc=local" -h 389.stratus.local

If this works then the problem lies in either /etc/pam_ldap.conf or /etc/openldap/ldap.conf, most likely a misconfigured "host" or "uri" directive. Make sure the hostname or ip address is correct in each of these files.

Directory Server not accepting User Password

If you can successfully query the database without the "-h" parameter and you have tried

Code:
su someuser

But it will not accept the password, and you have verified the password is correct, log in as root and re-run the su command. If it succeeds, check /var/log/messages for indications that SELinux is preventing either nscd or sssd from working correctly.

If you think it is SELinux and not other environmental factors (such as the firewall), try setting SELinux to permissive mode and try again

Code:
setenforce permissive
sestatus

If it still fails, you may have an SSL certificate problem.

A post on serverfault had this to say (and it is good advice so I am including it here)

The first thing you may want to do is check that your server is presenting it's certificates properly. You can do this by trying to connect to your server using OpenSSL. On a client machine with access, run:
Code:
openssl s_client –connect target_server_fqdn:636

This should return a nice print out of the server's certificate. The key here is checking the "Verify return code" printed at the end. You may get different codes, but generally speaking, you should get 0 for a valid certificate, and possibly 19 if you're self-signing.

If this fails, go back and check to ensure you have imported your server side certificates properly.

If you've passed this test, move on to testing your TLS connections from the client side.

On a client machine, run

Code:
ldapsearch -z -ZZ '(uid=<testusername>)'
This will force an LDAP lookup over an encrypted connection. If that's successful, you should get some user information back, and a check into the DS logs should yield the following:
Code:
    [23/Sep/2011:07:48:57 -0500] conn=1631 op=0 EXT oid="X.X.X.X.XX.X.XX" name="startTLS" [23/Sep/2011:07:48:57 -0500] conn=1631 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [23/Sep/2011:07:48:57 -0500] conn=1631 SSL 256-bit AES
If this fails, you'll want to ensure the certificates were properly imported on the client side.

When troubleshooting, some common areas I've found myself looking frequently are:

1.) On the clients, in some cases (which someone here may be able to better explain), you might try to require signing by editing ldap.conf and including the line
Code:
TLS_REQCERT allow
2.) If the authentication GUI is giving you problems, you might try just explicitly turning on TLS for LDAP with
Code:
authconfig --enableldaptls --update
I've had problems with the GUI before, so I tend to stick to using CLI commands.

3.) And a final thing you might try (again , just for testing), is calling
Code:
cacertdir_rehash <dir where certs are stored>
 
Last edited:
Dumping and Import Active Directory OU's

Some people, particularly businesses will have more than just the default OU's. If this is the case you will need to dump your OU's from Active Directory into an ldif file in order to be imported into the 389 server. If this is the case for you, here are some handy commands to run on the AD server

Code:
ldifde -f example_groups.ldif -d "dc=example,dc=com " -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"

ldifde -f example_users.ldif -d "dc=example,dc=com"  -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

ldifde -f example_ous.ldif -d "dc=example,dc=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"

The most important one is the last one dumping to example_ous.ldif. The others are optional depending on whether or not you wish to allow the 389 server to pull those down from AD or whether you want to do most of the work at once.

After you have this(these) file(s) you can now import then in the 389 server

<screen shots coming later>
 
Last edited:
After having run through this again, I have found that the authentication gui does not pull down the cert(s)

putting them in place manually sort of fixed the problem

I noticed this in /var/log/messages

Code:
Oct  9 12:53:20 client sssd[be[default]]: Could not start TLS encryption. TLS: hostname does not match CN in peer certificate

This was because I used a hostname in the creation of the cert and an ip when editing pam_ldap and ldap.conf

Changing those configs to a FQDN allowed me to go from start to finish following this guide on CentOS 6.3
 
thank you for the guide.
is it possible to sync in one direction only? we have an AD server which is not owned by our department, and i want to sync it to an LDAP server.
Is it possible to do the syncing from AD -> Ldap? I also want to be able to export the AD groups and users however, since i cannot log into/use the AD server i cannot run ldifde. Is there a way to do that on the linux end?

thanks
any info/help would be good :D

thanks
 
thank you for the guide.
is it possible to sync in one direction only? we have an AD server which is not owned by our department, and i want to sync it to an LDAP server.
Is it possible to do the syncing from AD -> Ldap? I also want to be able to export the AD groups and users however, since i cannot log into/use the AD server i cannot run ldifde. Is there a way to do that on the linux end?

thanks
any info/help would be good :D

thanks

Hi,

As noted in the big, bold, large print above. You can create a user that is non-priviledged but that can replicate changes.

This has the effect of having a uni-directional sync (from AD -> ldap)

However, not having access to the Active Directory server really hampers this quite a bit. I am not aware of how to work around not having AD access. That really handicaps you
 
Hi,

As noted in the big, bold, large print above. You can create a user that is non-priviledged but that can replicate changes.

This has the effect of having a uni-directional sync (from AD -> ldap)

However, not having access to the Active Directory server really hampers this quite a bit. I am not aware of how to work around not having AD access. That really handicaps you

heheh yeah it sure does ... :mad:

i guess ill continue researching .. :cry:

thanks for the guide though. i appreciate the time and effort it took to write it. Wish i could use it!
 
Thank you for your guide. What do you do with existing server certificates - created with openssl and signed by an official authority? My certifcate has as cn 'server.xyz.com' and also the subject alt names are 'server.xyz.com' and 'ldap.xyz.com'.
How do I say certutil to import this certificate and handling as ssl-certificate? I only can import it in the certificate manager as CA cert?
 
Thank you for your guide. What do you do with existing server certificates - created with openssl and signed by an official authority? My certifcate has as cn 'server.xyz.com' and also the subject alt names are 'server.xyz.com' and 'ldap.xyz.com'.
How do I say certutil to import this certificate and handling as ssl-certificate? I only can import it in the certificate manager as CA cert?

Hi,

While I personally don't have a ton of experience with certs, the official docs have a section on importing pre-existing certs. Maybe this is what you are looking for?

(389 server used to be called the Fedora Directory Server, which is why the wiki is hosted by fedora)
 
the official docs have a section on importing pre-existing certs. Maybe this is what you are looking for?

Yes, this works and the certificate is now showing at 'Server Certs' section at certificate manager. Adding the CA-chain was no problem and the certification path at server certificate shows a step more from CA.

After restarting console, its also possible in selection at Configuration/Encryption section. :clap:

Thank you. :cool:
 
A restart of the server has not started dirsrv - every attempt to start it results in error. :confused:
Code:
root@titan:/root 1009 > service dirsrv start
Starting dirsrv:
    titan...[07/Dec/2012:14:42:37 +0100] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: 
Netscape Portable Runtime error -5982 (Local Network address is in use.)
                                                           [FEHLGESCHLAGEN]
  *** Warning: 1 instance(s) failed to start


root@titan:/root 1012 > netstat -npl | grep 636
udp        0      0 0.0.0.0:636                 0.0.0.0:*                               1490/portreserve

The problem is an entry in /etc/portreserve:
Code:
root@titan:/etc/portreserve 1034 > cat /etc/portreserve/slapd
ldaps

After starting and stopping slapd-service, the portreserve was cleared and I could started the dirsrv service.

Should I insert 'dirsrv' or remove the file /etc/portreserve/slapd?
 
Two questions:
1. For sync, is there a possibility, to sync any main OU and all other sub-OU's (e.g. OU=ISE which contains OUs Guest, Student, Employee, which has uids)?
So I must create for every OU an additional Windows Sync Agreement.:screwy:
2. I can not sync passwords. The passync.log on WinDC gives every time
Code:
12/11/12 15:03:04: PassSync service running
12/11/12 15:03:04: No entries yet
12/11/12 15:03:04: Ldap bind error in Connect
	32: No such object
12/11/12 15:03:04: Can not connect to ldap server in SyncPasswords
:( Error log at server only​
Code:
[11/Dec/2012:14:45:05 +0100] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ISE_Mitarbeiter" (darona:389)".
[11/Dec/2012:14:45:06 +0100] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ISE_Mitarbeiter" (darona:389)". Sent 12 entries.

First I thought, it's a password problem by certificate database at passync (I've given an empty password), but after re-creation with password same error occours.

What I've forgotten?
 
Two questions:
1. For sync, is there a possibility, to sync any main OU and all other sub-OU's (e.g. OU=ISE which contains OUs Guest, Student, Employee, which has uids)?
So I must create for every OU an additional Windows Sync Agreement.:screwy:
2. I can not sync passwords. The passync.log on WinDC gives every time
Code:
12/11/12 15:03:04: PassSync service running
12/11/12 15:03:04: No entries yet
12/11/12 15:03:04: Ldap bind error in Connect
	32: No such object
12/11/12 15:03:04: Can not connect to ldap server in SyncPasswords
:( Error log at server only​
Code:
[11/Dec/2012:14:45:05 +0100] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=ISE_Mitarbeiter" (darona:389)".
[11/Dec/2012:14:45:06 +0100] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=ISE_Mitarbeiter" (darona:389)". Sent 12 entries.

First I thought, it's a password problem by certificate database at passync (I've given an empty password), but after re-creation with password same error occours.

What I've forgotten?

As to your first question, the OUs will sync if you have created them ahead of time. This is why I have included the section on dumping your AD schema and loading it into the Directory Server. Once the schema is in place the OU will sync normally.

As to your second question, the error message you posted seems to indicate that the ldap server is not available or has been mis-entered in your SyncPasswords area.

Can you ping it?
If so, can you run a port scan to make sure the 636 port is open?
If it is open, you can check /var/log/audit/audit.log to see if SELinux is denying the interaction

Also note that PassSync only replicates passwords which have been changed AFTER it was installed.

Therefore you have to push a global password reset after you are sure the sync is working. So for this I setup a test user so that I could constantly change the password and verify that the password was showing up in the 389 server
 
As to your second question, the error message you posted seems to indicate that the ldap server is not available or has been mis-entered in your SyncPasswords area.

Can you ping it?
If so, can you run a port scan to make sure the 636 port is open?
Yes.
I found something other: My SMaster-account:
Are you sure, that at passsync configuration, smaster should be cd=smaster,cn=config ? After changing my smaster into uid=SMaster,dc=domain,dc=domain,dc=...,dc=de I didn't become an error at logfile:
Code:
12/12/12 10:21:25: PassSync service stopped
12/12/12 10:21:27: PassSync service initialized
12/12/12 10:21:27: PassSync service running

If it is open, you can check /var/log/audit/audit.log to see if SELinux is denying the interaction
no error

Also note that PassSync only replicates passwords which have been changed AFTER it was installed.
Ok, that is it. But now if I changed a password of a user, the log file gives me another error, maybe of changing the user-account credentials?
Code:
12/12/12 11:20:17: Ldap error in ModifyPassword
	50: Insufficient access
12/12/12 11:20:17: Modify password failed for remote entry: uid=wang,ou=Mitarbeiter,ou=...,dc=...
12/12/12 11:20:17: Deferring password change for wang
 
Yes.
I found something other: My SMaster-account:
Are you sure, that at passsync configuration, smaster should be cd=smaster,cn=config ? After changing my smaster into uid=SMaster,dc=domain,dc=domain,dc=...,dc=de

You dont have to have all of that but you are right there was an error in the screen shot, that screen shot has been removed. Good catch and sorry for the confusion. I actually dont know where the proper screen shot went, when I was taking screen shots I had already set things up and I was kind of rushing through

As for your other error, I did not encounter this error in the 3+ months of QA testing, I am not exactly sure where the problem is
 
Hey,
Thanks for your helpful guide, i'm having a strange msg error about the certificate
when i type this command cacertdir_rehash <dir where certs are stored> i get this :
--> cacertdir_rehash
unable to load certificate
7653:error:0906D06C:pEM routines:pEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

i tried to fix the problem with this http://www.schalley.eu/2010/12/30/openssl-certificates-tips-tricks-der-crt-cer-pem/ but it didn't work :eh?:

I'd appreciate some help.
 
Can you elaborate on what exactly you did to create the cert?

Perhaps some insight into the process will help track down an answer
 
Thank you for the detailed instructions and screenshots.

We currently are running a 389 directory that was setup in 2011 by a former sysadmin. We're trying to slowly move to AD.

When I try to export the key and run certutil on the windows server, we do not know the key password. Trying to generate a new key on the 389 server causes issues. We've cloned the server and running it in a dev enviroment.

When I try to run command I get invalid password. Is there anyway to resolve this?

# certutil -N -d . -f /tmp/pwdfile
Invalid password.
 
Last edited:
Back