Bug 470886 - Windows passsync SSL setup is bogus
Status: CLOSED CURRENTRELEASE
Aliases: None
Product: Red Hat Directory Server
Component: Doc-administration-guide
Version: 8.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Release: ---
Assigned To: Deon Ballard
Content Services Development Documentation
Dependencies: 249650

Reported: 2008-11-10 14:04 EST by Rich Megginson
Modified: 2009-08-19 23:38 EDT
CC List: 2 users (jgalipea, rcritten)
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:07:42 EDT

Rich Megginson 2008-11-10 14:04:01 EST

On Windows 2003 server and later, if you install MS AD first, then install MS Cert Server in Enterprise Root CA mode, it will automatically configure AD for SSL and issue its cert - you do not have to use certreq or any of that other stuff.

"Next, set up certificates that Password Sync will use to access the Directory Server over SSL:"

Looks like a copypasta from some old SSL setup. passsync only needs the CA certificate of the CA that issued the directory server SSL server cert.

Step 1 is ok
Step 2 should be
    certutil.exe -d . -N
Step 3 should be
    cd /etc/dirsrv/slapd-yourinstancename
    certutil -d . -L -n "CA certificate" -a > dsca.crt
Step 4 is ok
Step 5 should be
    certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
Remove Step 6

Rob Crittenden 2008-11-10 15:00:21 EST

IMHO Step 2 should be moved to Step 5:
    cd "C:\Program Files\Red Hat Directory Password Synchronization"
    certutil.exe -N -d .
    certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

Additionally, there is no need to fetch NSS because certutil is included with the package.

It should also be mentioned that this is a bit of a chicken-and-egg problem. First you install PassSync, but the first sync attempt will always fail because you haven't created the SSL database yet. On the other hand, you don't have the tools you need to create the database without installing the service first!

Also, I'd mention that you can safely re-run the .msi if you need to reconfigure the service (you got the bind user or password wrong, for instance).

Finally, it didn't work for me until I rebooted the machine.

Jenny Galipeau 2009-01-28 13:48:18 EST

The setup is also incorrect on the Fedora wiki webpage: http://www.directory.fedora.redhat.com/wiki/Howto:WindowsSync

Deon Ballard 2009-02-07 00:55:48 EST

I updated the setup procedure in the admin guide (8.0 and 8.1). I'll have the link up for review soon.

Changing status to modified.

Deon Ballard 2009-02-07 00:56:14 EST

Oh, I haven't done anything with the wiki config yet. Just an FYI.

Deon Ballard 2009-02-09 10:38:00 EST

I may need to add this in to the 7.1 guide; I'll check. If so, I'll need to reassign this to myself.

Jenny Galipeau 2009-03-16 11:48:06 EDT

Fix verified: section 9.2.5, "Step 5: Configure the Password Sync Service" of the admin guide.

Chandrasekar Kannan 2009-04-29 19:07:42 EDT

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
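The procedure the first two comments converge on (export only the Directory Server CA certificate, create the NSS database in the PassSync directory, import that one certificate with trust CT,,) can be scripted and, more usefully, verified afterwards. The helper below is an added example written for this page; it is not code from the bug report, the admin guide, or the PassSync/Directory Server projects. DS_INSTANCE_DIR, PASSSYNC_DB_DIR, dsca.crt and the nicknames are assumed placeholders taken from the comments, and the certutil -L listing used by the check is constructed, not captured from a real system. It goes slightly beyond the comments by adding a post-import check that the CA nickname carries exactly the expected trust flags, which is the step that is usually skipped and the first thing to look at when the sync still fails over SSL.

```shell
#!/bin/sh
# Added example for the PassSync SSL setup discussed in this bug; not project code.
# All paths, nicknames and the sample listing below are assumed placeholders.

DS_INSTANCE_DIR="${DS_INSTANCE_DIR:-/etc/dirsrv/slapd-yourinstancename}"
# Stands in for "C:\Program Files\Red Hat Directory Password Synchronization"
# when the import half is run on the Windows side; the certutil syntax is the same.
PASSSYNC_DB_DIR="${PASSSYNC_DB_DIR:-./passsync-db}"
CA_CERT_FILE="${CA_CERT_FILE:-dsca.crt}"
DS_CA_NICK="CA certificate"      # nickname of the issuing CA in the DS database
PASSSYNC_CA_NICK="DS CA cert"    # nickname to give it in the PassSync database
EXPECTED_TRUST="CT,,"            # trusted CA for SSL; nothing more is needed

need_certutil() {
    command -v certutil >/dev/null 2>&1 && return 0
    echo "certutil not found (on Windows it ships with PassSync; no separate NSS download)" >&2
    return 1
}

# Comment 1, step 3: export only the CA certificate, ASCII (PEM) encoded.
export_ds_ca() {
    need_certutil || return 1
    certutil -d "$DS_INSTANCE_DIR" -L -n "$DS_CA_NICK" -a > "$CA_CERT_FILE"
}

# Rob's ordering of steps 2 and 5: create the database in the PassSync
# directory (only once), then import the CA certificate as a trusted CA.
setup_passsync_db() {
    need_certutil || return 1
    mkdir -p "$PASSSYNC_DB_DIR"
    if [ ! -f "$PASSSYNC_DB_DIR/cert8.db" ] && [ ! -f "$PASSSYNC_DB_DIR/cert9.db" ]; then
        certutil -N -d "$PASSSYNC_DB_DIR" --empty-password
    fi
    certutil -d "$PASSSYNC_DB_DIR" -A -n "$PASSSYNC_CA_NICK" -t "$EXPECTED_TRUST" -a -i "$CA_CERT_FILE"
}

# Check a `certutil -L` listing: succeed only if NICK is present with exactly
# the trust flags WANT. The trust column is the last field; the nickname is
# everything before it and may itself contain spaces.
check_ca_trust() {
    listing="$1"; nick="$2"; want="$3"
    got=$(printf '%s\n' "$listing" | awk -v n="$nick" '
        NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            t = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")
            if ($0 == n) print t
        }')
    [ "$got" = "$want" ]
}

# Run the check against the live PassSync database.
verify_passsync_db() {
    need_certutil || return 1
    check_ca_trust "$(certutil -d "$PASSSYNC_DB_DIR" -L)" "$PASSSYNC_CA_NICK" "$EXPECTED_TRUST"
}

# Constructed sample of what `certutil -d <passsync dir> -L` prints after a
# correct import (not captured from a real system).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DS CA cert                                                   CT,,
Server-Cert                                                  u,u,u
'

# Usage: sh passsync_ca.sh run   (nothing touches certutil without the "run" argument)
if [ "${1:-}" = "run" ]; then
    export_ds_ca && setup_passsync_db && verify_passsync_db \
        && echo "PassSync database trusts '$PASSSYNC_CA_NICK' with $EXPECTED_TRUST"
fi
```

The export half runs on the Directory Server host and the import half in the PassSync directory; only dsca.crt crosses between them, which is the point of the corrected procedure: the PassSync side never needs a key or a server certificate of its own, just the issuing CA marked as trusted for SSL. Rob's chicken-and-egg note still applies: the database directory only exists after the .msi has been run, so the import step comes after installation and the service is expected to fail until it has been done.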