Howto:WindowsSync

From Fedora Directory Server

Sync With Active Directory

These are the steps to follow to synchronize Windows Active Directory with Fedora Directory Server.

Enabling SSL with Active Directory

With Microsoft Certificate Authority

A domain controller gets its server certificate created and enrolled automatically when a Microsoft Certificate Server (an Enterprise CA) is installed for that domain.

 http://support.microsoft.com/default.aspx?scid=kb;en-us;247078

With OpenSSL CA

 <add openssl ca notes here>

With Red Hat Certificate Authority

These notes describe how to enable SSL (LDAPS) on an Active Directory installation using a certificate issued by Red Hat Certificate System (RHCS).

Steps to follow for Windows 2000 Advanced Server:

  • Make sure your Windows host has a proper hostname set and is using a static IP address (for example optimusvm4.sfbay.redhat.com).
  • Keep the Windows 2000 Advanced Server install CD handy.
  • Go to Start->Programs->Administrative Tools->Configure Your Server->Active Directory->Start the Active Directory installation.
    • Create a domain controller for the domain sfbay.redhat.com. Most settings can be left at their defaults.
    • Restart after the Active Directory install is completed.
  • Go to Start->Settings->Control Panel->Add/Remove Programs->Add/Remove Windows Components.
    • Select "Certificate Services" and "IIS" and install them. (This step is optional when the certificate comes from the Red Hat CA; the TinyCA2 section below skips it.)
      • When installing the Microsoft CA, select "Stand-Alone Root CA". An "Enterprise Root CA" automatically issues a certificate to the domain controller, which is not what you want when the certificate is to come from the Red Hat CA.
  • Go to a Red Hat Certificate System installation (where you have a CA up and running).
    • Use certutil to create a temporary certificate/key database.
    • Generate a server certificate request with the domain controller's FQDN as the Common Name; that is the name clients will verify against.
    • Submit the request to the Red Hat CA and get it approved. Make sure the certificate is issued under a server profile so it carries the extensions needed for server use (in particular the Server Authentication extended key usage, without which AD will not use it for LDAPS).
    • Export the server certificate and its private key to a .p12 file with pk12util.
    • Copy this .p12 file to the Windows server. It contains the DC's private key: use a protected channel and delete the file from both ends after the import.
  • Use mmc (Start->Run->mmc) on the Windows server and add the Certificates snap-in for the Computer account (the domain controller looks for its certificate in the local machine store, not the user's).
    • Go to Personal->Certificates and click Import. Import the .p12 file. Also import the Red Hat CA certificate into "Trusted Root Certification Authorities".
    • Restart the domain controller (reboot).
    • After the reboot Active Directory listens for LDAPS requests on port 636.
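The certutil/pk12util half of the Red Hat CA procedure above, as a script. This is an added example, not code from the Fedora DS wiki or from Red Hat Certificate System; it assumes nss-tools on PATH, the page's example DC name, and that the approval step happens out of band in the RHCS agent interface, after which the issued certificate is saved as ad-server.crt and the CA certificate as rhcs-ca.crt (both PEM; these file names, the nickname AD-Server-Cert, the temporary database path and the OU/O values are all assumptions).

```shell
#!/bin/sh
# Added example (not from the Fedora DS wiki or the Red Hat Certificate
# System docs): the certutil/pk12util side of the "With Red Hat Certificate
# Authority" steps, as a script instead of ad-hoc commands.
# Assumptions (none of these come from the page): nss-tools on PATH; the DC
# FQDN is the page's example host; the RHCS approval is done out of band in
# the CA's agent interface, after which the issued certificate is saved as
# ad-server.crt and the CA certificate as rhcs-ca.crt, both PEM.
# Set DRY_RUN=1 to print the commands instead of executing them.

AD_FQDN="${AD_FQDN:-optimusvm4.sfbay.redhat.com}"
NSSDB="${NSSDB:-./ad-tmp-nssdb}"      # throwaway NSS database, delete when done
NICK="AD-Server-Cert"                 # nickname, becomes the .p12 "friendly name"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: temporary cert8.db/key3.db. Passwords go through files (-f) so
# nothing sensitive lands in shell history or `ps` output.
make_tempdb() {           # $1 = database password
    umask 077
    mkdir -p "$NSSDB"
    printf '%s\n' "$1" > "$NSSDB/pwfile"
    dd if=/dev/urandom of="$NSSDB/noise" bs=1024 count=1 2>/dev/null   # key-gen seed (-z)
    run certutil -N -d "$NSSDB" -f "$NSSDB/pwfile"
}

# Step 2: the server request. CN is the DC's FQDN and the same FQDN is put
# in a DNS subjectAltName (-8); that is the name AD clients verify against.
# Submit ad-server.csr to RHCS under its server certificate profile so the
# issued cert carries the serverAuth extended key usage AD requires.
make_csr() {
    run certutil -R -d "$NSSDB" -f "$NSSDB/pwfile" -z "$NSSDB/noise" \
        -s "CN=$AD_FQDN,OU=ActiveDirectory,O=Example" -k rsa -g 2048 \
        -8 "$AD_FQDN" -a -o ad-server.csr
}

# Step 3: after approval, import the CA as a trusted CA and the issued cert
# under the nickname we will export, then let NSS validate the chain for
# SSL-server use (-u V) before anything is shipped to Windows.
import_issued() {
    run certutil -A -d "$NSSDB" -n "RHCS-CA" -t "CT,C,C" -a -i rhcs-ca.crt
    run certutil -A -d "$NSSDB" -n "$NICK" -t "u,u,u" -a -i ad-server.crt
    run certutil -V -d "$NSSDB" -n "$NICK" -u V
}

# Step 4: certificate + private key as PKCS#12 for the MMC import. -w is
# the PKCS#12 password the MMC wizard will ask for, -k the NSS DB password.
export_p12() {            # $1 = PKCS#12 password
    printf '%s\n' "$1" > "$NSSDB/p12pw"
    run pk12util -d "$NSSDB" -k "$NSSDB/pwfile" -w "$NSSDB/p12pw" \
        -n "$NICK" -o ad-server.p12
}

case "${1:-}" in
    request) make_tempdb "${NSSDB_PW:?set NSSDB_PW}"; make_csr ;;
    export)  import_issued; export_p12 "${P12_PW:?set P12_PW}" ;;
    "")      ;;   # no argument: only define the functions (allows sourcing)
    *)       echo "usage: $0 request|export" >&2; exit 2 ;;
esac
```

Run `NSSDB_PW=... ./ad-cert.sh request`, submit ad-server.csr to the CA, then `P12_PW=... ./ad-cert.sh export` once rhcs-ca.crt and ad-server.crt are in place. The `certutil -V -u V` step is the check worth keeping: it fails on a missing CA, a name mismatch, or a certificate issued without the server usage, which are the same faults that otherwise surface only as AD silently not listening on 636.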

With TinyCA2

(http://tinyca.sm-zone.net/)

These notes should help you enable SSL for an Active Directory installation using certificates generated with the TinyCA2 certificate authority.

FYI...

  • TinyCA2 uses OpenSSL as its backend.
  • The Server Certificate Settings must allow a Subject Alternative Name (subjectAltName) to be set; these notes use one of type IP Address, and the Common Name must still be the domain controller's FQDN, which is the name AD requires in the certificate. (To get this option you may need to go to Preferences->OpenSSL Configuration, click Server Certificate Settings, and change Subject alternative name from "Copy Email" to "ask".)

Steps to follow for Windows 2000 Advanced Server:

  • Make sure your Windows host has a proper hostname set and is using a static IP address (for example optimusvm4.sfbay.redhat.com).
  • Keep the Windows 2000 Advanced Server install CD handy.
  • Go to Start->Programs->Administrative Tools->Configure Your Server->Active Directory->Start the Active Directory installation.
    • Create a domain controller for the domain sfbay.redhat.com. Most settings can be left at their defaults.
    • Restart after the Active Directory install is completed.
    • Installing the "Certificate Services" Windows component, as described in the Red Hat CA section, is NOT necessary here.
  • Go to your TinyCA installation (where you have a CA up and running).
    • Go to the Certificates tab -> click New -> select "Create Key and Certificate (Server)".
      • The Common Name must be the FQDN of your AD server.
      • During Sign Request/Create Certificate supply the IP address of the AD server for the subjectAltName and do not add the email address to the subject DN.
    • Under Certificates select the certificate created for the AD server and click Export.
      • Select PKCS#12 (Certificate and Key) and click Save.
      • Set the Key Password.
      • Set the Export Password (this is the password the Windows import wizard will ask for).
      • Set the Friendly Name to the FQDN of the AD server.
      • Set "without passphrase" to NO.
      • Set "Add CA Certificate to PKCS#12" to YES and click OK.
    • Copy this .p12 file to your AD server. It contains the DC's private key, so move it over a protected channel and delete it from both ends once it is imported.
  • Install the certificate and key on the AD server using the MMC Certificates snap-in. Use the Computer account, not the current user: the domain controller looks for its certificate in the local machine store.
    • Click Start -> Run -> mmc (Enter)
      • In MMC click Console -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Next -> Finish
      • Expand Certificates (Local Computer) -> right-click Personal -> All Tasks -> Import
      • In the Import Wizard click Next -> browse to the AD server's .p12 file -> Next -> supply the Export Password -> Next -> select "Automatically select the certificate store" -> Next -> Finish
      • Click the Refresh button
      • Verify that the AD server certificate is installed under Personal -> Certificates
      • Verify that your CA certificate is installed under Trusted Root Certification Authorities -> Certificates
  • Restart the AD server
  • Verify that you can connect via LDAPS on the AD server itself.
  • Click Start -> Run -> ldp (Enter)
    • In the Active Directory Administration Tool (ldp) click Connection -> Connect
      • Server: FQDN of the AD server
      • Port: 636
      • Check the SSL box and click OK; the server's rootDSE attributes should scroll by. An error here means the certificate was not accepted for LDAPS.
  • Verify that you can connect via LDAPS from a Linux host with OpenSSL. The CA file is the TinyCA CA certificate in PEM form; "Verify return code: 0 (ok)" at the end of the output means the chain validates.
  • Open a terminal
 openssl s_client -connect optimusvm4.sfbay.redhat.com:636 -showcerts -CAfile /path/to/cacert.pem < /dev/null

enjoy

With any Other 3rd-Party Certificate Authority

 http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Configuring PassSync

Installing PassSync

PassSync should be installed on the Windows box where Active Directory is installed and configured. Follow these steps:

  • Double-click the PassSync.msi installer.
    • You will be asked to provide the following details:
      • FDS hostname
      • FDS SSL port number
      • FDS bind DN [create a dedicated user for this and grant it write access to userPassword on the synchronized subtree only; do not use cn=Directory Manager, since PassSync stores this password on the Windows host]
      • FDS bind DN password
      • PassSync cert DB password (CertToken)

Enabling SSL for PassSync

The following method assumes some familiarity with the NSS certificate and key management utilities certutil and pk12util.

For detailed documentation on these tools see http://www.mozilla.org/projects/security/pki/nss/tools/.

Follow these steps to set up the certificates the Password Sync service uses to reach the Directory Server over SSL:

  • Create a new cert8.db and key3.db with certutil.exe on the Password Sync machine.
   cd "C:\Program Files\Red Hat Directory Password Synchronization"
   certutil.exe -d . -N
  • On your Fedora Directory Server, export the server certificate with pk12util.
   cd /etc/dirsrv/slapd-<instance>
   pk12util -d . -o servercert.p12 -n Server-Cert

If you are using Fedora DS 1.0.4 or earlier, use this instead. Note the trailing dash in slapd-<instance>-: it is part of the database file prefix and is crucial.

   cd "/opt/fedora-ds/alias/"
   pk12util -d . -P slapd-<instance>- -o servercert.p12 -n Server-Cert

Note that pk12util -o bundles the server's private key with the certificate. PassSync only needs to trust the server, not impersonate it, so the certificate alone (plus the CA certificate) is sufficient; if you use the .p12 route, delete the file from both hosts after the import.

  • Copy the exported certificate (servercert.p12) from the Directory Server to the Windows machine.
  • Import the copied server certificate into the certificate database with pk12util.exe.
   pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.p12
  • Give the server certificate "trusted peer" status.
   certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"
  • Do the same for the CA certificate that signed the Directory Server's certificate, giving it CA trust such as "CT,CT,CT" (or "CT,C,C"; only the first, SSL, position matters here). With the CA trusted, the chain validates even without the explicit "P" on the server certificate, so the two settings back each other up.
   certutil.exe -L -d "C:\Program Files\Red Hat Directory Password Synchronization"

This lists the certificates with their trust attributes. Use certutil.exe -M to modify the trust attributes if they are not what you expect.
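The same trust setup without moving the Directory Server's private key, plus a check of the trust flags that the listing above is meant to let you eyeball. This is an added example, not code from the Fedora DS wiki or the PassSync sources; it assumes it runs on the Directory Server host with nss-tools on PATH, that the DS database is at the page's /etc/dirsrv/slapd-<instance> placeholder, that the CA's nickname there is "CA certificate", and that ds-server.crt / ds-ca.crt are the output names (all assumptions; set the variables to match your installation).

```shell
#!/bin/sh
# Added example (not from the Fedora DS wiki or the PassSync sources): a
# private-key-free way to give PassSync the certificates it needs, plus a
# check of the trust flags the page says to verify with certutil -L.
# Assumptions (not from the page): run on the Directory Server host with
# nss-tools on PATH; the DS NSS database is /etc/dirsrv/slapd-<instance>
# (the page's placeholder); the CA's nickname in that database is
# "CA certificate" (check certutil -L and set CA_NICK if yours differs).
# Set DRY_RUN=1 to print the commands instead of executing them.

DSDB="${DSDB:-/etc/dirsrv/slapd-<instance>}"
SERVER_NICK="${SERVER_NICK:-Server-Cert}"
CA_NICK="${CA_NICK:-CA certificate}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# certutil -L -n <nick> -a prints one certificate in PEM form. Exporting this
# way, instead of pk12util -o, means the DS private key never leaves the
# server: a client needs the server and CA certificates to trust the server,
# never its key.
export_pem() {            # $1 = nickname, $2 = output file
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'certutil -L -d %s -n "%s" -a > %s\n' "$DSDB" "$1" "$2"
    else
        certutil -L -d "$DSDB" -n "$1" -a > "$2"
    fi
}

# Validate the DS chain for SSL-server use first (-u V); if it fails here it
# will fail inside PassSync too, only with a less helpful error.
export_for_passsync() {
    run certutil -V -d "$DSDB" -n "$SERVER_NICK" -u V
    export_pem "$SERVER_NICK" ds-server.crt
    export_pem "$CA_NICK" ds-ca.crt
}

# Pure check over `certutil -L` output (read from stdin): succeed only if the
# nickname in $1 has exactly the trust attributes in $2. Certificate lines are
# recognised by their last field looking like an NSS trust string (P,P,P,
# CT,C,C, u,u,u ...), which skips the header; nicknames may contain spaces,
# so the nickname is everything before that last field.
has_trust() {
    awk -v nick="$1" -v want="$2" '
        $NF ~ /^[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick && $NF == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

case "${1:-}" in
    export) export_for_passsync ;;
    "")     ;;   # no argument: only define the functions (allows sourcing)
    *)      echo "usage: $0 export" >&2; exit 2 ;;
esac
```

Copy the two PEM files to the Windows host and import them with `certutil.exe -A` into the PassSync database: `-n Server-Cert -t "P,," -a -i ds-server.crt` for the server certificate and `-n "DS CA" -t "CT,C,C" -a -i ds-ca.crt` for the CA. To check the result, save the `certutil.exe -L` output to a file and run it through `has_trust Server-Cert "P,,"` and `has_trust "DS CA" "CT,C,C"` on any host with awk; a nonzero exit means the flags are not what PassSync needs.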

PassSync Logging

The following registry setting enables PassSync service logging.

Under HKLM\Software\PasswordSync, add a string value "Log Level" and set it to "1". The log file is written to C:\Windows\System32\pass*.log. Set the level back to 0 when you are done troubleshooting.

 level 0 - only errors are logged.
 level 1 - all transactions are logged.

Enabling SSL With Fedora Directory Server

Read Howto:SSL to get Fedora Directory Server running in SSL mode.

 Note: It is always better to use the same Certificate Authority to
 issue certificates to both Fedora Directory Server and Active Directory:
 each side then only has to trust one CA certificate, which avoids the
 trust problems that otherwise come up.

Creating Sync Agreements

Testing your Configuration

Test to make sure you can talk SSL from Fedora Directory Server to AD

This is how you verify that SSL on the Windows side is enabled properly. The ldapsearch used here is the Mozilla LDAP tool shipped with the Directory Server; -P takes the path to the NSS cert8.db that holds the CA certificate which issued the AD certificate:

 ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> \
  -D "<sync manager user>" -w <sync manager password> -s <scope> \
  -b "<AD base>" "<filter>"

For example:

 ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> \
  -D "cn=sync manager,cn=users,dc=sfbay,dc=redhat,dc=com" \
  -w Secret12 -s base -b "ou=users,dc=sfbay,dc=redhat,dc=com" "objectclass=*"

Passing the password with -w puts it in your shell history and in ps output; for anything but a throwaway test put it in a mode-600 file and use -j <file> instead (in this ldapsearch -W is the NSS key database password, not the bind password).

If this search fails, you can use the ssltap tool, which proxies the connection and decodes the SSL handshake, to troubleshoot.
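A two-layer version of the test above, separating a broken TLS chain from a broken LDAP bind, which is the first thing ssltap would otherwise be used to tell apart. This is an added example, not code from the Fedora DS wiki; it assumes openssl and the Mozilla LDAP tools are on PATH, uses the page's sfbay.redhat.com names and its /path/to/cacert.pem and slapd-<instance> placeholders, and assumes the sync manager password is kept in a file (the file name is an assumption). It also serves as the OpenSSL check in the TinyCA2 section, since the openssl s_client command there is the same.

```shell
#!/bin/sh
# Added example (not from the Fedora DS wiki): verify the DS -> AD LDAPS path
# in two layers before creating a sync agreement. Assumptions (not from the
# page): openssl and the Mozilla LDAP tools (the ldapsearch that takes
# -P cert8.db) are on PATH; host, base DN and bind DN are the page's
# sfbay.redhat.com placeholders; the sync manager password sits in a
# mode-600 file instead of on the command line.

AD_HOST="${AD_HOST:-optimusvm4.sfbay.redhat.com}"
AD_PORT="${AD_PORT:-636}"
CA_FILE="${CA_FILE:-/path/to/cacert.pem}"                       # CA that issued the AD cert, PEM
CERTDB="${CERTDB:-/etc/dirsrv/slapd-<instance>/cert8.db}"       # DS NSS db holding the same CA
BIND_DN="${BIND_DN:-cn=sync manager,cn=users,dc=sfbay,dc=redhat,dc=com}"
PW_FILE="${PW_FILE:-$HOME/.syncmgr.pw}"                         # assumed location, chmod 600
BASE_DN="${BASE_DN:-ou=users,dc=sfbay,dc=redhat,dc=com}"

# Pure helper: read openssl s_client output on stdin and succeed only when
# the chain verified (return code 0). Any other code, or no verify line at
# all (e.g. the handshake aborted), is a failure, so a missing or wrong
# -CAfile cannot pass silently.
chain_verified() {
    awk '/Verify return code:/ { code = $4 }
         END { if (code == "0") exit 0; exit 1 }'
}

# Layer 1: TLS only. -verify_return_error makes the handshake itself fail on
# a bad chain, and -servername sends SNI in case the host serves several names.
check_tls() {
    openssl s_client -connect "$AD_HOST:$AD_PORT" -servername "$AD_HOST" \
        -CAfile "$CA_FILE" -verify_return_error -showcerts </dev/null 2>&1 \
        | chain_verified
}

# Layer 2: LDAP over that TLS session, binding as the sync manager. -j reads
# the bind password from a file (in this ldapsearch -W is the NSS key
# password, not the bind password). A base-scope search of the container is
# enough to prove bind + ACL without pulling every user.
check_ldaps_bind() {
    ldapsearch -Z -P "$CERTDB" -h "$AD_HOST" -p "$AD_PORT" \
        -D "$BIND_DN" -j "$PW_FILE" \
        -s base -b "$BASE_DN" "objectclass=*"
}

# Only run the network checks when asked, so the file can also be sourced.
if [ -n "${RUN_CHECKS:-}" ]; then
    check_tls        || { echo "TLS chain to $AD_HOST:$AD_PORT did not verify" >&2; exit 1; }
    check_ldaps_bind || { echo "LDAPS bind as $BIND_DN failed" >&2; exit 1; }
    echo "LDAPS from this host to $AD_HOST is good"
fi
```

Run it as `RUN_CHECKS=1 ./check-ad-ldaps.sh`. If layer 1 fails, the problem is the certificate or CA on the Windows side (wrong CA file, name mismatch, or AD not listening on 636); if layer 1 passes and layer 2 fails, the problem is the sync manager DN, its password, or the CA in the DS cert8.db rather than anything in TLS, and that is the point at which ssltap becomes worth the effort.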

Troubleshooting