Red Hat Bugzilla – Bug 470886
Windows passsync SSL setup is bogus
Last modified: 2009-08-19 23:38:07 EDT
On Windows 2003 server and later, if you install MS AD first, then install MS Cert Server in Enterprise Root CA mode, it will automatically configure AD for SSL and issue its cert - you do not have to use certreq or any of that other stuff.
"Next, set up certificates that Password Sync will use to access the Directory Server over SSL:"
Looks like a copypasta from some old SSL setup. passsync only needs the CA certificate of the CA that issued the directory server SSL server cert.
Step 1 is ok
Step 2 should be
certutil.exe -d . -N
Step 3 should be
certutil -d . -L -n "CA certificate" -a > dsca.crt
Step 4 is ok
Step 5 should be
certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
Remove Step 6
IMHO Step 2 should be moved to Step 5:
cd "C:\Program Files\Red Hat Directory Password Synchronization"
certutil.exe -N -d .
certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
Additionally, there is no need to fetch NSS because certutil is included with the package.
It should also be mentioned that this is a bit of a chicken-and-egg problem. First you install PassSync, but the first sync attempt will always fail because you haven't created the SSL database yet. On the other hand, you don't have the tools you need to create the database without installing the service first!
Also, I'd mention that you can safely re-run the .msi if you need to reconfigure the service (you got the bind user or password wrong, for instance).
Finally, it didn't work for me until I rebooted the machine.
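The corrected Windows-side procedure from the comment above (create the NSS database in the PassSync directory, import the Directory Server CA certificate with CT,, trust, verify the result), as a PowerShell script. This is an added example, not code from the bug report or from the PassSync package. It assumes PassSync is installed in its default directory with its bundled certutil.exe, that dsca.crt is the file produced on the DS host by the certutil -L -n "CA certificate" -a step and has been copied to $CaCertPath, and that the DS host name and port in the parameters are placeholders to replace. The final check opens an SSL connection with .NET (not NSS) and only compares the server certificate's issuer with the imported CA's subject, so it confirms the DS is serving a certificate from that CA without relying on the Windows certificate store for trust.

```powershell
# Added example: corrected PassSync SSL setup, not part of the bug report or the product.
param(
    [string]$PassSyncDir = "C:\Program Files\Red Hat Directory Password Synchronization",
    [string]$CaCertPath  = "C:\temp\dsca.crt",   # assumed location of the exported DS CA cert
    [string]$Nickname    = "DS CA cert",
    [string]$DsHost      = "ds.example.com",     # assumed Directory Server host (placeholder)
    [int]$DsSslPort      = 636
)

$certutil = Join-Path $PassSyncDir "certutil.exe"
if (-not (Test-Path $certutil))   { throw "certutil.exe not found in $PassSyncDir; install PassSync first" }
if (-not (Test-Path $CaCertPath)) { throw "CA certificate file $CaCertPath not found" }

Push-Location $PassSyncDir
try {
    # Create the NSS database in the PassSync directory if it does not exist yet.
    # certutil -N prompts for a database password; PassSync expects an empty one, so press Enter twice.
    if (-not (Test-Path (Join-Path $PassSyncDir "cert8.db"))) {
        & $certutil -N -d .
        if ($LASTEXITCODE -ne 0) { throw "certutil -N failed with exit code $LASTEXITCODE" }
    }

    # Import the DS CA certificate as a trusted CA for SSL. The trust string must be
    # quoted in PowerShell, otherwise the commas would turn it into an array argument.
    & $certutil -A -d . -n $Nickname -t "CT,," -a -i $CaCertPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -A failed with exit code $LASTEXITCODE" }

    # Check 1: the nickname is listed with the expected trust flags.
    $listing = & $certutil -L -d .
    $line = $listing | Where-Object { $_ -match [regex]::Escape($Nickname) } | Select-Object -First 1
    if (-not $line -or $line -notmatch 'CT,,\s*$') {
        throw "Expected '$Nickname' with trust flags CT,, in:`n$($listing -join "`n")"
    }
    Write-Host "OK: '$Nickname' imported with trust flags CT,,"
}
finally { Pop-Location }

# Check 2: connect to the DS SSL port and compare the server certificate's issuer with
# the subject of the CA certificate just imported. The always-true validation callback
# disables .NET chain validation on purpose; the issuer comparison is the actual check.
$ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$tcp = New-Object System.Net.Sockets.TcpClient($DsHost, $DsSslPort)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($DsHost)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    if ($server.Issuer -ne $ca.Subject) {
        throw "DS server cert issuer '$($server.Issuer)' does not match imported CA subject '$($ca.Subject)'"
    }
    Write-Host "OK: ${DsHost}:${DsSslPort} presents a certificate issued by '$($ca.Subject)'"
}
finally { $ssl.Dispose(); $tcp.Close() }
```

Run it from a PowerShell prompt with rights to write to the PassSync directory, after the .msi has been installed, since certutil.exe only exists there once the service is in place. If check 1 passes but check 2 reports a different issuer, the exported file is not the CA that signed the DS server certificate and PassSync will keep failing its SSL connection regardless of the trust flags.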
The setup is also incorrect on the Fedora wiki webpage:
I updated the setup procedure in the admin guide (8.0 and 8.1). I'll have the link up for review soon.
Changing status to modified.
Oh, I haven't done anything with the wiki config yet. Just an FYI.
I may need to add this in to the 7.1 guide; I'll check. If so, I'll need to reassign this to myself.
Fix verified in section 9.2.5, "Step 5: Configure the Password Sync Service", of the admin guide.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.