Bug 739241 - Tech review: active directory
Summary: Tech review: active directory
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Deon Ballard
QA Contact: ecs-bugs
Depends On:
Reported: 2011-09-16 22:27 UTC by Deon Ballard
Modified: 2011-12-12 19:15 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-12 19:15:59 UTC

Attachments
active directory (37.89 KB, application/vnd.oasis.opendocument.text)
2011-09-16 22:27 UTC, Deon Ballard

Description Deon Ballard 2011-09-16 22:27:30 UTC
Created attachment 523647
active directory

1. Download the attachment.

2. Make sure track changes is turned on. Edit > Changes > Record.

3. Make any changes to the doc.

4. Attach the file to the bug.

5. Reassign the bug to me (dlackey).

I care about accuracy, completeness, clarity, and organization.


Comment 2 Alexander Bokovoy 2011-10-07 16:11:23 UTC
Deon, thanks for the document. There are a few things missing from it. Luckily, they are covered elsewhere, so gathering them together is easier.

1. In 7.2, after step 5 (reboot the Windows machine) you need to add a step for transferring the IPA CA certificate to Password Sync. This is described in http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_for_PassSync
 1.1. Export the IPA CA certificate:
     certutil -d /etc/dirsrv/slapd-`echo $realm|sed 's/\./-/g'` -L "$realm IPA CA" -a >ipaca.crt
 1.2. Transfer it to the Windows server.
 1.3. On the Windows server:
     cd "C:\Program Files\389 Directory Password Synchronization"
     certutil.exe -d . -A -n "IPA.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt

With current Password Sync versions this should be enough to enable Password Sync to talk SSL to the IPA directory server.

2. In 7.4.2, before you can create synchronization agreements, you need to import both the IPA CA and the AD CA on the IPA server so that LDAP clients can talk to the IPA directory server and the Active Directory server using SSL.
 2.1. Copy the AD certificate to /etc/openldap/cacerts/
 2.2. Copy the IPA CA certificate to /etc/openldap/cacerts/
 2.3. Run cacertdir_rehash /etc/openldap/cacerts/
 2.4. Modify /etc/openldap/ldap.conf and add the following line if it does not exist:
     TLS_CACERTDIR /etc/openldap/cacerts/

With these changes one can now run ipa-replica-manage connect --winsync.

ipa-replica-manage connect --winsync \
   --binddn cn=Administrator,cn=users,dc=ad,dc=example,dc=com \
   --bindpw secret --passsync secretpw  \
   --cacert /etc/openldap/cacerts/ad.cer \
   ad.example.com -v

For some reason, specifying the DM password as a command-line option did not work for me; I had to force it to be entered.

3. In the above, --binddn points to a user in Active Directory that has enough privileges. Note that in internationalized versions of Windows, the CNs of the system users are translated as well. For example, in the Russian version of Windows Server 2008 R2, CN=Administrator is really CN=Администратор. One has to take this into account or the Active Directory server will respond with cryptic error messages about incorrect credentials. The same cryptic messages will be shown if the AD CA certificate is not available to LDAP clients via the configuration in /etc/openldap/ldap.conf.
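
The following POSIX shell helpers are an added example for the procedure in comment 2; they are not part of the bug report or of the IPA documentation. They assume the CA files have already been copied into the cacerts directory (steps 2.1 and 2.2), that ldapsearch from openldap-clients is installed, and that the bind DN, host and password-file path in the usage comment are placeholders.

```shell
# Added example; not part of the bug report or the IPA documentation.
# Assumed: the IPA CA and AD CA files are already in the cacerts directory
# (steps 2.1/2.2) and openldap-clients provides ldapsearch.

# Step 1.1: directory-server instance path for a realm (dots become hyphens).
ipa_instance_dir() {
    printf '/etc/dirsrv/slapd-%s\n' "$(printf '%s' "$1" | sed 's/\./-/g')"
}

# Step 2.3 check: cacertdir_rehash must have created OpenSSL-style hash links
# (<8 hex digits>.<n>). A directory holding only .cer/.crt files was not
# hashed, and the LDAP client then fails TLS verification with an unhelpful error.
cacerts_rehashed() {
    ls "$1" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# Step 2.4, idempotent: add TLS_CACERTDIR or repoint an existing directive, so
# repeated runs never leave two conflicting directives in ldap.conf.
ensure_tls_cacertdir() {
    conf=$1
    dir=$2
    if grep -Eq '^[[:space:]]*TLS_CACERTDIR[[:space:]]' "$conf" 2>/dev/null; then
        sed "s|^[[:space:]]*TLS_CACERTDIR[[:space:]].*|TLS_CACERTDIR $dir|" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'TLS_CACERTDIR %s\n' "$dir" >> "$conf"
    fi
    # Succeed only when exactly one directive remains.
    [ "$(grep -Ec '^[[:space:]]*TLS_CACERTDIR[[:space:]]' "$conf")" -eq 1 ]
}

# Pre-flight for point 3: bind to AD over LDAPS with the exact bind DN before
# running ipa-replica-manage. A translated CN (e.g. CN=Администратор) or a
# missing AD CA shows up here as a plain ldapsearch error instead of the
# cryptic credential failure seen during agreement creation.
# Usage (placeholder values):
#   check_ad_bind ad.example.com 'cn=Administrator,cn=users,dc=ad,dc=example,dc=com' /root/ad.pw
check_ad_bind() {
    LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -x -H "ldaps://$1" \
        -D "$2" -y "$3" -b '' -s base '(objectClass=*)' namingContexts >/dev/null
}
```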

Comment 3 Deon Ballard 2011-11-15 02:38:35 UTC
Setting to ON_QA for review for 6.2.

This is a bulk change, so I'm not providing links at this time. If you need help finding the info, ping sunny-dee on #docs or email me.

