Bug 470886 - Windows passsync SSL setup is bogus
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc-administration-guide
All Linux
Priority: high, Severity: high
Assigned To: Deon Ballard
Content Services Development
Documentation
Blocks: 249650
Reported: 2008-11-10 14:04 EST by Rich Megginson
Modified: 2009-08-19 23:38 EDT
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:07:42 EDT

Attachments: None
Description Rich Megginson 2008-11-10 14:04:01 EST
On Windows 2003 server and later, if you install MS AD first, then install MS Cert Server in Enterprise Root CA mode, it will automatically configure AD for SSL and issue its cert - you do not have to use certreq or any of that other stuff.

"Next, set up certificates that Password Sync will use to access the Directory Server over SSL:"

Looks like a copypasta from some old SSL setup.  passsync only needs the CA certificate of the CA that issued the directory server SSL server cert.

Step 1 is ok

Step 2 should be
 certutil.exe -d . -N

Step 3 should be
 cd /etc/dirsrv/slapd-yourinstancename
 certutil -d . -L -n "CA certificate" -a > dsca.crt

Step 4 is ok

Step 5 should be
 certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

Remove Step 6
Comment 1 Rob Crittenden 2008-11-10 15:00:21 EST
IMHO Step 2 should be moved to Step 5:

cd "C:\Program Files\Red Hat Directory Password Synchronization"
certutil.exe -N -d .
certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

Additionally, there is no need to fetch NSS because certutil is included with the package.

It should also be mentioned that this is a bit of a chicken-and-egg problem. First you install PassSync but the first sync attempt will always fail because you haven't created the SSL database yet. On the other hand, you don't have the tools you need to create the database without installing the service first!

Also, I'd mention that you can safely re-run the .msi if you need to reconfigure the service (you got the bind user or password wrong, for instance).

Finally, it didn't work for me until I rebooted the machine.
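Putting the corrected steps from the description together with the reordering in Comment 1, as a script with verification, is an added example: it is not from the bug report or from the product, and it assumes NSS certutil on PATH, placeholder directories for the DS instance and the PassSync database (the same certutil.exe arguments apply on the Windows side), and a hypothetical has_ca_trust helper that checks the imported CA's trust flags in a certutil -L listing.

```shell
#!/bin/sh
# Added example, not the bug report's or the product's own code.
# Assumes NSS certutil on PATH; DS_INSTANCE_DIR is a placeholder to adjust.
set -eu

DS_INSTANCE_DIR="${DS_INSTANCE_DIR:-/etc/dirsrv/slapd-yourinstancename}"
CA_NICK="CA certificate"     # nickname of the issuing CA in the DS NSS database
PASSSYNC_NICK="DS CA cert"   # nickname used in the PassSync NSS database

# Step 3 from the bug: export only the issuing CA certificate from the DS
# database as PEM. PassSync needs nothing else (no server cert, no key).
export_ds_ca_cert() {
    out="$1"
    certutil -d "$DS_INSTANCE_DIR" -L -n "$CA_NICK" -a > "$out"
    grep -q 'BEGIN CERTIFICATE' "$out"   # fail early on an empty export
}

# Steps 2 and 5 in the order Comment 1 suggests: create the PassSync database,
# then import the CA with CT,, (trusted to issue SSL server and client certs).
# The bug's plain -N prompts for a password; --empty-password is non-interactive.
import_ca_into_passsync_db() {
    dbdir="$1"; cafile="$2"
    certutil -d "$dbdir" -N --empty-password
    certutil -d "$dbdir" -A -n "$PASSSYNC_NICK" -t "CT,," -a -i "$cafile"
}

# Hypothetical helper: read a `certutil -L` listing on stdin and succeed only
# if the given nickname carries exactly the CT,, trust flags. Nicknames may
# contain spaces, so the trust flags are taken as the last field and the rest
# of the line is compared to the nickname.
has_ca_trust() {
    nick="$1"
    awk -v n="$nick" '
        { flags = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0) }
        $0 == n && flags == "CT,," { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check the PassSync database after the import, before the first sync attempt.
verify_passsync_db() {
    certutil -d "$1" -L | has_ca_trust "$PASSSYNC_NICK"
}
```

verify_passsync_db confirms the CA landed under the expected nickname with the CT,, flags before the service makes its first SSL connection to the Directory Server.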
Comment 2 Jenny Galipeau 2009-01-28 13:48:18 EST
The setup is also incorrect on the Fedora wiki webpage:

Comment 3 Deon Ballard 2009-02-07 00:55:48 EST
I updated the setup procedure in the admin guide (8.0 and 8.1). I'll have the link up for review soon.

Changing status to modified.
Comment 4 Deon Ballard 2009-02-07 00:56:14 EST
Oh, I haven't done anything with the wiki config yet. Just an FYI.
Comment 5 Deon Ballard 2009-02-09 10:38:00 EST
I may need to add this in to the 7.1 guide; I'll check. If so, I'll need to reassign this to myself.
Comment 6 Jenny Galipeau 2009-03-16 11:48:06 EDT
Fix verified: section 9.2.5, Step 5: Configure the Password Sync Service, of the admin guide.
Comment 7 Chandrasekar Kannan 2009-04-29 19:07:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.