Howto:WindowsSync

From 389 Directory Server

Sync With Active Directory

These are the steps you should follow to sync Windows Active Directory and 389 Directory Server.

Enabling SSL with Active Directory

With Microsoft Certificate Authority

Active Directory gets its server certificate automatically created/enrolled when a Microsoft Certificate Server is configured/installed for that domain in Enterprise Root CA mode.

 http://support.microsoft.com/default.aspx?scid=kb;en-us;247078

With OpenSSL CA

 <add openssl ca notes here>

With Red Hat Certificate Authority

These notes describe how to enable SSL for an Active Directory installation using Red Hat Certificate System (CA) as the certificate authority.

Steps to follow for Windows 2000 Advanced Server:

  • Make sure your Windows host has a proper hostname set and is using a static IP address (e.g. optimusvm4.sfbay.redhat.com).
  • Keep the Windows 2000 Advanced Server Install CD handy.
  • Go to Start->Programs->Administrative Tools->Configure your Server->Active Directory->Start the Active Directory installation.
    • Create a domain controller with the domain name sfbay.redhat.com. Most of the settings can be left at their defaults.
    • Restart after the Active Directory install is completed.
  • Go to Start->Settings->Control Panel->Add/Remove Programs->Add/Remove Windows Components.
    • Select "Certificate Services and IIS". Install those services.
      • When installing the Microsoft CA, make sure you select "Stand-Alone Root CA". If you select "Enterprise Root CA", it is able to issue a certificate to the Active Directory server automatically.
  • Go to a Red Hat Certificate System install (where you have a CA up and running).
    • Use certutil to create a temporary certificate database.
    • Generate a server certificate request.
    • Submit this certificate request to the Red Hat CA and get it approved. Make sure the certificate has the right extensions for server use.
    • Export the server certificate and its private key to a .p12 file using the pk12util utility.
    • Copy this .p12 file to the Windows server.
  • Use the mmc application (Start->Run->mmc) on the Windows server and add the Certificates snap-in.
    • Go to Personal->Certificates and click Import. Import the .p12 file. Also import the Red Hat CA certificate into the "Trusted Root Certificates" list.
    • Restart the domain controller (i.e. reboot).
    • After the reboot, Active Directory will be listening for LDAPS requests on port 636.

With TinyCA2

(http://tinyca.sm-zone.net/)

These notes should help you enable SSL for an Active Directory installation using certificates generated with the TinyCA2 certificate authority.

FYI...

  • TinyCA2 uses OpenSSL as its backend.
  • Server Certificate Settings MUST allow the use of a "Subject alternative name (subjectAltName)" of type IP Address. This is an AD requirement. (To get this option, you may need to go to Preferences->OpenSSLConfiguration, click on Server Certificate Settings, and change Subject alternative name from "Copy Email" to "ask".)

Steps to follow for Windows 2000 Advanced Server:

  • Make sure your Windows host has a proper hostname set and is using a static IP address (e.g. optimusvm4.sfbay.redhat.com).
  • Keep the Windows 2000 Advanced Server Install CD handy.
  • Go to Start->Programs->Administrative Tools->Configure your Server->Active Directory->Start the Active Directory installation.
    • Create a domain controller with the domain name sfbay.redhat.com. Most of the settings can be left at their defaults.
    • Restart after the Active Directory install is completed.
    • Installing the "Certificate Services" Windows component, as described in the Red Hat CA section, is NOT necessary.
  • Go to your TinyCA installation (where you have a CA up and running).
    • Go to the Certificates tab -> click New -> select "Create Key and Certificate (Server)".
      • The Common Name must be the FQDN of your AD server.
      • During Sign Request/Create Certificate, supply the IP address of the AD server for the subjectAltName and do not add the email address to the subject DN.
    • Under Certificates, select the certificate created for the AD server and click Export.
      • Select PKCS#12 (Certificate and Key) and click Save.
      • Set the Key Password.
      • Set the Export Password.
      • Set the Friendly Name to the FQDN of the AD server.
      • Set "without passphrase" to NO.
      • Set "Add CA Certificate to PKCS#12" to YES and click OK.
    • Copy this .p12 file to your AD server.
  • Install the certificate and key for the AD server using the MMC Certificates snap-in.
    • Click Start -> Run -> mmc (Enter).
      • In MMC click Console -> Add snap-in -> Add -> Certificates -> Add -> Computer Account -> Next -> Finish.
      • Expand Certificates (Local Computer) -> right-click Personal -> All Tasks -> Import.
      • In the Import Wizard click Next -> browse to the AD server's .p12 file -> Next -> supply the Export Password -> Next -> select "Automatically select the store" -> Next -> Finish.
      • Click the Refresh button.
      • Verify that the AD server certificate has been installed under Personal -> Certificates.
      • Verify that your CA certificate has been installed under Trusted Root CAs -> Certificates.
  • Restart the AD server.
  • Verify that you can connect via LDAPS on the AD server.
    • Click Start -> Run -> ldp (Enter).
    • In the Active Directory Administration Tool (ldp) click Connection -> Connect.
      • Server: FQDN of the AD server
      • Port: 636
      • Click OK and you should see a bunch of output scroll across the screen.
  • Verify that you can connect via LDAPS with OpenSSL.
    • Open a terminal and run:
 openssl s_client -connect optimusvm4.sfbay.redhat.com:636 -showcerts -CAfile /path/to/cacert.pem

enjoy

With any Other 3rd-Party Certificate Authority

 http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Configuring PassSync

As of version 1.1.3, PassSync supports 32-bit and 64-bit Windows Server 2003 and 2008.

Installing PassSync

NOTE: If you are upgrading from Fedora PassSync to 389 PassSync, the installer will create a 389 branded folder under your program files folder and copy the files you need from there. The installer will _not_ remove the old Fedora Password Sync folder. You can remove this manually after install if the 389 one is working correctly.

NOTE: After installing, either new or upgrade, you will have to reboot the machine in order for the changes to take effect (unless you can figure out a way to make Active Directory/lsass use the passhook plugin without rebooting . . .)

PassSync should be installed on the Windows box where you have installed/configured Active Directory. Follow these steps:

  • Double Click on the PassSync .msi for your platform - see Download
    • You will be asked to provide the following details:
      • 389 Directory Server Hostname
      • 389 Directory Server TLS/SSL Port number
      • 389 Directory Server Bind DN [ It is recommended that you create a special user and provide them appropriate access ]
      • 389 Directory Server Bind DN password
      • (Optional) PassSync Cert DB password (CertToken)

Enabling SSL for PassSync

NOTE: PassSync will not work until TLS/SSL is configured. The passsync.log will contain errors about SSL initialization until SSL is properly configured, and the service will not start.

The following method assumes that you have some knowledge of the NSS-based certificate and key management utilities certutil and pk12util.

For detailed docs on these tools see http://www.mozilla.org/projects/security/pki/nss/tools/.

More information about PassSync can be found here.

Follow these steps to set up the certificates that the Password Sync Service will use to access the Directory Server over SSL:

  • On the Directory Server, export the CA certificate.
 cd /usr/lib/dirsrv/slapd-instance_name
 certutil -d . -L -n "CA certificate" -a > dsca.crt
 # NOTE - the nickname might not be "CA certificate" - use certutil -d . -L to list your certs
  • Copy the exported certificate from the Directory Server to the Windows machine (e.g. scp, ftp, samba mount, etc.).
  • On the Windows machine, open a CMD window and cd to the Password Sync installation directory.
 cd "C:\Program Files\389 Directory Password Synchronization"
  • Import the CA certificate from the Directory Server into the new certificate database.
 certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
 # NOTE - if the above fails with "Bad Database", you will have to do this first:
 certutil.exe -d . -N # just press Enter/Return when prompted for a password
  • Verify the CA certificate.
 certutil.exe -d . -L -n "DS CA cert"
  • Reboot the Windows machine. PassSync will not begin working until after a reboot, due to the way the AD passhook.dll plug-in works.

NOTE: If you want to password protect your key/cert db, you will need to use certutil.exe -d . -N to create a key/cert db with a password _before_ importing the CA cert. If you want to start over, simply remove the *.db files. You will need to provide that password as the Cert Token password above. If you need to set the password later, you can run the .msi again and use Modify mode, or use regedit and edit the registry - see below for the registry key.

Reboot Windows

PassSync will not work until Windows is rebooted. This is due to the way the passhook.dll Active Directory plug-in works.

PassSync Logging

The PassSync log file is in the file passsync.log in the C:\Program Files\389 Directory Server Synchronization folder.

The passhook log and data file are in your \windows\system32 folder: passhook.dat and passhook.log.

The following registry settings are available to enable PassSync service logging.

Under HKLM->Software->PasswordSync, add the string value "Log Level" and set it to "1".

  • Level 0: only errors are logged.
  • Level 1: all transactions are logged.

Enabling SSL With 389 Directory Server

Read this Howto:SSL to get 389 Directory Server enabled in SSL mode.

 Note: It is always better to use the same Certificate Authority to issue certificates to both 389 Directory Server and Active Directory, to minimize any trust issues that might occur.

Creating Sync Agreements

See http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html for information.

Testing your Configuration

Test to make sure you can talk SSL from 389 Directory to AD

This is how you test to verify that the Windows side SSL is enabled properly:

 /usr/lib[64]/mozldap/ldapsearch -Z -P /path/to/dirsrv/cert8.db -h <AD/NT Hostname> -p <AD SSL port>
 -D "<sync manager user>" -w "<sync manager password>" -s <scope>
 -b "<AD base>" "<filter>"

For example:

 /usr/lib/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-myhostname/cert8.db -h ad.example.com 
 -p 636 -D "cn=sync manager,cn=users,dc=example,dc=com"
 -w password -s base -b "cn=users,dc=example,dc=com" "objectclass=*"

If you did not create a sync manager (you should have!) you can use cn=administrator,cn=users,dc=example,dc=com.

If you see errors when running this search, you can use the ssltap tool, which proxies requests between the two sides, to troubleshoot.
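The two verification steps on this page (the ldp/openssl s_client check on the AD server, and the ldapsearch -Z check from the Directory Server side) can also be scripted. The following is an added example, not part of the original how-to or of 389/PassSync: it opens an LDAPS connection with Python's standard ssl module, verifies the chain against the same CA file you would give openssl s_client -CAfile, and checks the presented certificate against the requirements listed above (CN is the FQDN, subjectAltName carries the server IP address). The DNS SAN check, the constructed sample certificate and the 192.0.2.10 address are assumptions added here.

```python
import socket
import ssl
import sys
import time
# Constructed sample in getpeercert() shape; the host name is the page's, the IP is made up.
SAMPLE_AD_CERT = {
    "subject": ((("commonName", "optimusvm4.sfbay.redhat.com"),),),
    "subjectAltName": (("DNS", "optimusvm4.sfbay.redhat.com"),
                       ("IP Address", "192.0.2.10")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def subject_cn(cert):
    """Return the subject CN of a getpeercert() dict, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def check_ad_cert(cert, fqdn, ip_address):
    """Return a list of problems (empty means the cert is usable). Page
    requirements: CN is the AD FQDN and subjectAltName has an IP Address
    entry. Added here: a DNS SAN for the FQDN (modern TLS clients ignore
    the CN once a SAN is present) and an unexpired notAfter."""
    problems = []
    san = set(cert.get("subjectAltName", ()))
    if subject_cn(cert) != fqdn:
        problems.append("subject CN is not the AD server FQDN")
    if ("DNS", fqdn) not in san:
        problems.append("subjectAltName has no DNS entry for the FQDN")
    if ("IP Address", ip_address) not in san:
        problems.append("subjectAltName has no IP Address entry (AD requirement)")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= time.time():
        problems.append("certificate has expired")
    return problems

def fetch_ad_cert(fqdn, cafile, port=636):
    """Open an LDAPS connection, verifying the chain against cafile (the file
    you would pass to openssl s_client -CAfile), and return the peer cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()

if __name__ == "__main__":  # usage: check_ad_ldaps.py <fqdn> <ip> <cacert.pem>
    fqdn, ip_address, cafile = sys.argv[1:4]
    issues = check_ad_cert(fetch_ad_cert(fqdn, cafile), fqdn, ip_address)
    print("LDAPS OK" if not issues else "\n".join(issues))
```

If the handshake itself fails (wrong CA file, certificate not yet installed, port 636 not listening), wrap_socket raises before any certificate check runs, which is the same failure openssl s_client reports as a verify error.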

Troubleshooting

Enable PassSync logging (see above).

Enable the replication logging level in the directory server (see FAQ#Troubleshooting).