Bug 470886 - Windows passsync SSL setup is bogus
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc-administration-guide
Version: 8.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Deon Ballard
QA Contact: Content Services Development
URL:
Whiteboard:
Depends On:
Blocks: 249650
Reported: 2008-11-10 19:04 UTC by Rich Megginson
Modified: 2009-08-20 03:38 UTC (History)
CC List: 2 users

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:07:42 UTC
Target Upstream Version:
Embargoed:



Description Rich Megginson 2008-11-10 19:04:01 UTC
On Windows 2003 server and later, if you install MS AD first, then install MS Cert Server in Enterprise Root CA mode, it will automatically configure AD for SSL and issue its cert - you do not have to use certreq or any of that other stuff.

"Next, set up certificates that Password Sync will use to access the Directory Server over SSL:"

Looks like a copypasta from some old SSL setup.  passsync only needs the CA certificate of the CA that issued the directory server SSL server cert.

Step 1 is ok

Step 2 should be
 certutil.exe -d . -N

Step 3 should be
 cd /etc/dirsrv/slapd-yourinstancename
 certutil -d . -L -n "CA certificate" -a > dsca.crt

Step 4 is ok

Step 5 should be
 certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

Remove Step 6

Comment 1 Rob Crittenden 2008-11-10 20:00:21 UTC
IMHO Step 2 should be moved to Step 5:

cd "C:\Program Files\Red Hat Directory Password Synchronization"
certutil.exe -N -d .
certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

Additionally, there is no need to fetch NSS because certutil is included with the package.

It should also be mentioned that this is a bit of a chicken-and-egg problem. First you install PassSync, but the first sync attempt will always fail because you haven't created the SSL database yet. On the other hand, you don't have the tools you need to create the database without installing the service first!

Also, I'd mention that you can safely re-run the .msi if you need to reconfigure the service (you got the bind user or password wrong, for instance).

Finally, it didn't work for me until I rebooted the machine.

Comment 2 Jenny Severance 2009-01-28 18:48:18 UTC
The setup is also incorrect on the Fedora wiki webpage:

http://www.directory.fedora.redhat.com/wiki/Howto:WindowsSync

Comment 3 Deon Ballard 2009-02-07 05:55:48 UTC
I updated the setup procedure in the admin guide (8.0 and 8.1). I'll have the link up for review soon.

Changing status to modified.

Comment 4 Deon Ballard 2009-02-07 05:56:14 UTC
Oh, I haven't done anything with the wiki config yet. Just an FYI.

Comment 5 Deon Ballard 2009-02-09 15:38:00 UTC
I may need to add this in to the 7.1 guide; I'll check. If so, I'll need to reassign this to myself.

Comment 6 Jenny Severance 2009-03-16 15:48:06 UTC
Fix verified in section 9.2.5, "Step 5: Configure the Password Sync Service", of the admin guide.

Comment 7 Chandrasekar Kannan 2009-04-29 23:07:42 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
