Bug 739241 - Tech review: active directory
Summary: Tech review: active directory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-16 22:27 UTC by Deon Ballard
Modified: 2011-12-12 19:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-12 19:15:59 UTC
Target Upstream Version:
Embargoed:


Attachments:
active directory (37.89 KB, application/vnd.oasis.opendocument.text), 2011-09-16 22:27 UTC, Deon Ballard

Description Deon Ballard 2011-09-16 22:27:30 UTC
Created attachment 523647: active directory

1. Download the attachment.

2. Make sure track changes is turned on: Edit > Changes > Record.

3. Make any changes to the doc.

4. Attach the file to the bug.

5. Reassign the bug to me (dlackey).

I care about accuracy, completeness, clarity, and organization. 

Thanks!

Comment 2 Alexander Bokovoy 2011-10-07 16:11:23 UTC
Deon, thanks for the document. There are a few things missing from it. Luckily, they are covered elsewhere, so gathering them together is easier.

1. In 7.2, after step 5 (reboot the Windows machine), you need to add a step for transferring the IPA CA certificate to Password Sync. This is described in http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_for_PassSync
 1.1. Export the IPA CA certificate:
 realm=IPA.EXAMPLE.COM
 certutil -d /etc/dirsrv/slapd-`echo $realm|sed 's/\./-/g'` -L "$realm IPA CA" -a >ipaca.crt
 1.2. Transfer it to the Windows server.
 1.3. On the Windows server:
 cd "C:\Program Files\389 Directory Password Synchronization"
 certutil.exe -d . -A -n "IPA.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt

With current Password Sync versions this should be enough to enable Password Sync to talk SSL to IPA directory server.

2. In 7.4.2, before you can create synchronization agreements, you need to import both the IPA CA and the AD CA on the IPA server so that LDAP clients can talk to the IPA directory server and the Active Directory server using SSL.
  2.1. Copy the AD certificate to /etc/openldap/cacerts/
  2.2. Copy the IPA CA certificate to /etc/openldap/cacerts/
  2.3. Run cacertdir_rehash /etc/openldap/cacerts/
  2.4. Modify /etc/openldap/ldap.conf and add the following lines if they do not exist:
 TLS_CACERTDIR /etc/openldap/cacerts/
 TLS_REQCERT allow

With these changes one can now run ipa-replica-manage connect --winsync.

ipa-replica-manage connect --winsync \
   --binddn cn=Administrator,cn=users,dc=ad,dc=example,dc=com \
   --bindpw secret --passsync secretpw  \
   --cacert /etc/openldap/cacerts/ad.cer \
   ad.example.com -v

For some reason, specifying the DM password as a command-line option did not work for me; I had to force it to be entered.

3. In the above, --binddn points to a user in Active Directory that has enough privileges. Note that in internationalized versions of Windows, the CNs of the system users are translated as well. For example, in the Russian version of Windows Server 2008 R2, CN=Administrator is really CN=Администратор. One has to take this into account, or the Active Directory server will respond with cryptic error messages about incorrect credentials. The same cryptic errors will be shown if the AD CA certificate is not available to LDAP clients via the configuration in /etc/openldap/ldap.conf.
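The certificate and ldap.conf steps of comment 2, as an added shell example that is not from the bug report, from IPA, or from 389 DS. It derives the slapd instance directory from the realm the way the comment's sed expression does (step 1.1), adds the two TLS directives to an ldap.conf only when they are missing, which is the "add if they do not exist" of step 2.4 done idempotently, and reports whether the configured TLS_REQCERT level actually makes the client verify the AD and IPA server certificates against TLS_CACERTDIR. The realm IPA.EXAMPLE.COM, the throw-away file and its sample contents are constructed; the paths are the ones the comment uses.

```sh
#!/bin/sh
# Added example, not part of the bug report or of IPA's own tooling.
# Assumption: the 389 DS instance directory follows the
# /etc/dirsrv/slapd-<REALM with dots replaced by dashes> layout that the
# comment's sed expression relies on.

# IPA.EXAMPLE.COM -> /etc/dirsrv/slapd-IPA-EXAMPLE-COM
ipa_instance_dir() {
    printf '/etc/dirsrv/slapd-%s\n' "$(printf '%s' "$1" | sed 's/\./-/g')"
}

# Build (but do not run) the certutil export command of step 1.1 for a realm.
ipa_ca_export_cmd() {
    printf 'certutil -d %s -L "%s IPA CA" -a > ipaca.crt\n' \
        "$(ipa_instance_dir "$1")" "$1"
}

# Print the value of KEY in an OpenLDAP ldap.conf, or nothing if it is unset.
# Directives are "KEY VALUE" lines and a later line overrides an earlier one,
# so the last match wins.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { if (v != "") print v }' "$1" 2>/dev/null
}

# Add "KEY VALUE" if KEY is absent, replace the existing line(s) with a single
# one if the value differs, and leave the file untouched if already correct.
# Rewrites through a temporary file so it works with any POSIX awk (no sed -i).
ensure_ldap_directive() {
    conf=$1
    key=$2
    value=$3
    [ -f "$conf" ] || : > "$conf"
    current=$(ldap_conf_get "$conf" "$key")
    if [ "$current" = "$value" ]; then
        return 0
    fi
    if [ -n "$current" ]; then
        tmp="$conf.tmp.$$"
        awk -v key="$key" -v value="$value" \
            'toupper($1) == key { if (!done) { print key, value; done = 1 }; next } { print }' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Return 0 only when the client will refuse an unverifiable server certificate.
# Per ldap.conf(5): "demand" (the default when unset) and "hard" fail the
# session on a bad or missing certificate; "allow" and "never" let it proceed,
# and "try" still accepts a server that presents no certificate at all.
tls_reqcert_enforced() {
    case "$(ldap_conf_get "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')" in
        ''|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a throw-away file; never run this against the real
# /etc/openldap/ldap.conf without reviewing the result first.
demo_conf=$(mktemp)
ensure_ldap_directive "$demo_conf" TLS_CACERTDIR /etc/openldap/cacerts/
ensure_ldap_directive "$demo_conf" TLS_REQCERT allow     # the comment's setting
tls_reqcert_enforced "$demo_conf" || echo "TLS_REQCERT allow: AD/IPA server certificates are not verified"
ensure_ldap_directive "$demo_conf" TLS_REQCERT demand    # the verifying setting
tls_reqcert_enforced "$demo_conf" && echo "TLS_REQCERT demand: server certificates must chain to a CA in TLS_CACERTDIR"
cat "$demo_conf"
rm -f "$demo_conf"
```

With the comment's `TLS_REQCERT allow`, ldap.conf(5) says a bad server certificate is ignored and the session proceeds, so the CA copied in steps 2.1 to 2.3 is only enforced at `demand` (the OpenLDAP default) or `hard`; `allow` is handy for getting the first agreement created but leaves the LDAPS connections to AD and IPA unverified.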

Comment 3 Deon Ballard 2011-11-15 02:38:35 UTC
Setting to ON_QA for review for 6.2.

This is a bulk change, so I'm not providing links at this time. If you need help finding the info, ping sunny-dee on #docs or email me.

Thanks!

