Directory - Synchronize RHDS and AD

1. Import certificate from RHDS to AD

  • From RHDS, export the CA certificate (nickname "CA certificate") using pk12util:
cd /etc/dirsrv/slapd-el4
pk12util -d . -o cacert.123.p12 -n "CA certificate" -k pwdfile.txt
Enter password for PKCS12 file: 123
Re-enter password: 123
pk12util-bin: PKCS12 EXPORT SUCCESSFUL
  • Copy the exported certificate cacert.123.p12 to the Windows machine:
scp cacert.123.p12 [email protected]:
  • Import the copied certificate on Windows:
    • Open the certificate management console (Сертификаты.msc).
    • Open the Trusted Root Certification Authorities (Доверенные корневые ЦС) branch.
    • Right-click it, choose All Tasks, then Import.
    • Click Next.
    • Click Browse, go to the C:\cygwin\home\winadmin\ directory containing your certificate, change the file type to .p12, select your file and click OK. Click Next.
    • Enter the password 123 for your certificate file.
    • Check the Mark this key as exportable box. Click Next.
    • Accept the Trusted Root Certification Authorities store and click Next.
    • Click Finish.
    • Check that the CA certificate is listed under Trusted Root Certification Authorities.

2. Import certificate from AD to RHDS

1) On Windows:

  • Open the certificates console and select Certificates (Local Computer) -> Personal -> Certificates.
  • In the right pane select the OurdomCA certificate.
  • Right-click to open the actions menu and choose All Tasks --> Export.
  • Click Next, then choose Do not export the private key.
  • Choose the Base-64 encoded X.509 (.CER) format and click Next.
  • Enter the file name C:\cygwin\home\winadmin\ourdomca.cer.
  • Click Next and Finish.

2) On RHEL4:

  • Copy the certificate from Windows to the server:
scp [email protected]:ourdomca.cer /etc/dirsrv/slapd-el4
  • Start the administration console:
redhat-idm-console -u admin -w pass123 -a http://server.ourdom.com:11333/ &
  • In the left pane of the console expand server.ourdom.com, then Server Group.
  • Select Directory Server and click Open in the right pane.
  • In the new Directory Server window activate the Tasks tab and click Manage Certificates.
  • In the Manage Certificates window activate the CA Certs tab and click the Install button at the bottom.
  • In the Certificate Install Wizard choose Certificate location: in this local file, click Browse and select the file ourdomca.cer.
  • Click Open, Next, Next, Next.
  • On the Intended Purpose screen make sure both the Client Authentication and Server Authentication boxes are checked, then click Done.
  • Check that the OurdomCA certificate appears in the list of trusted certificates.
  • Close the windows.

3. Supplier Bind DN

3.1. Supplier Bind DN for RHDS

(Red Hat documentation: Creating the supplier bind DN)

Create the replication manager bind entry:

service dirsrv stop
cd /etc/dirsrv/slapd-el4
cp dse.ldif dse.ldif.bak1
cat >> dse.ldif
dn: cn=repman,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
passwordExpirationTime: 20380119031407Z
userPassword: ...
^D
pwdhash -D . pass123 >> dse.ldif
vi dse.ldif

pwdhash appends the hashed form of pass123 to the end of the file; in vi, move that hash into the userPassword line of the new entry (replacing the "..." placeholder).

Check that the new DN can bind:

service dirsrv start
ldapsearch -x -LLL -D "cn=repman,cn=config" -w pass123 -b "cn=config" "objectclass=*" cn

3.2. Supplier Bind DN for AD

  • Open the AD Users console.
  • Expand the Builtin branch. The Users branch cannot be used, since it is subject to change by the synchronization.
  • Create a user with the name sync, the password admin and the logon name syncadmin:
cn=sync admin,cn=builtin,dc=ourdom,dc=local
  • Set its password to pass123.
  • Add it to the Domain Admins and Remote Desktop Users groups.

4. Setup PassSync

Get PassSync.msi from the fedoraproject.org server or from the local copy.

(Screenshots: SetupADPassSync.jpg or SetupADPassSync2.jpg)

Details:

  • Host Name: 10.20.4.1 or server.ourdom.com or vpn.ourdom.com
  • Port number: 636
  • RHDS Bind DN: cn=repman,cn=config
  • RHDS Bind DN password: pass123
  • PassSync Cert DB password (CertToken): pass123 (any other value is possible)
  • Search Base: ou=People,dc=ourdom,dc=com

4.1. SSL for PassSync

Follow these steps to set up the certificates so that the Password Sync service can use SSL to reach the Directory Server:

  • From RHDS, export the server certificate using pk12util:
$ cd /etc/dirsrv/slapd-el4
$ pk12util -d . -o servercert.123.p12 -n "Server-Cert" -k pwdfile.txt
Enter password for PKCS12 file: 123
Re-enter password: 123
pk12util-bin: PKCS12 EXPORT SUCCESSFUL
  • Copy the exported server certificate servercert.123.p12 and the CA certificate from RHDS to Windows:
scp servercert.123.p12 cacert.123.p12 \
    [email protected]:"'/cygdrive/c/Program Files (x86)/Red Hat Directory Password Synchronization/'"
  • Create a new cert8.db and key3.db using certutil.exe on the Password Sync machine:
> cd "C:\Program Files\Red Hat Directory Password Synchronization"
> certutil.exe -d . -N
Enter new password: pass123
  • (If the service was already running, you will be asked for your Windows user password first:)
Enter Password or Pin for "NSS Certificate DB": your user password
  • Fix the access rights on all the files:
ssh [email protected]
cd "/cygdrive/c/Program Files (x86)/Red Hat Directory Password Synchronization/"
chmod a+r *
  • Import the copied server certificate into the certificate database using pk12util.exe:
> pk12util.exe -d . -i servercert.123.p12
Enter Password or Pin for "NSS Certificate DB": pass123
Enter password for PKCS12 file: 123
  • Give the server certificate "trusted peer" status:
> certutil.exe -d . -M -n Server-Cert -t "P,P,P"
  • Do the same for the CA certificate that signed the RHDS server certificate, and make sure it gets the trust attributes "CT,CT,CT":
> pk12util.exe -d . -i cacert.123.p12
Enter password for PKCS12 file: 123
Re-enter password: 123
> certutil.exe -d . -M -n "CA certificate" -t "CT,CT,CT"
  • Reboot Windows.
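Before rebooting it is worth confirming that the two certificates carry exactly the trust flags set above, since a wrong flag only shows up later as a failed SSL connection from PassSync. The shell snippet below is an added example, not part of the original page and not part of PassSync: it parses the listing that certutil -L -d . prints and checks the flags for the nicknames Server-Cert and "CA certificate". The listing embedded in it is a constructed sample, so the check runs without a real certificate database; on the Windows machine, pass the real output of certutil.exe -L -d . from the Cygwin shell instead.

```shell
# Added example, not from the original page or from PassSync: verify the NSS trust flags
# that section 4.1 sets. The listing below is a constructed sample of `certutil -L -d .`
# output; feed the real output in with:  check_passsync_trust "$(certutil.exe -L -d .)"

SAMPLE_CERT_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  P,P,P
CA certificate                                               CT,CT,CT
'

# trust_flags <listing> <nickname>
# Prints the trust-attribute column for the named certificate; prints nothing if absent.
trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # a certificate row ends in three comma-separated flag groups; header rows do not
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")      # strip the flag column: the rest is the nickname
            if ($0 == want) { print flags; exit }
        }'
}

# check_passsync_trust <listing>
# Returns 0 when Server-Cert is a trusted peer (P,P,P) and the CA certificate is a
# trusted CA (CT,CT,CT); otherwise reports each mismatch and returns 1.
check_passsync_trust() {
    status=0
    server=$(trust_flags "$1" "Server-Cert")
    ca=$(trust_flags "$1" "CA certificate")
    [ "$server" = "P,P,P" ] ||
        { echo "Server-Cert: expected P,P,P, got '${server:-missing}'"; status=1; }
    [ "$ca" = "CT,CT,CT" ] ||
        { echo "CA certificate: expected CT,CT,CT, got '${ca:-missing}'"; status=1; }
    return $status
}

# Usage on the constructed sample: prints nothing and returns 0, so the reboot can proceed.
check_passsync_trust "$SAMPLE_CERT_LISTING" || echo "trust flags are not what PassSync needs"
```

The nickname is recovered by stripping the last column rather than taking the first field, because certutil nicknames may contain spaces ("CA certificate" above).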

5. Configure replication in RHDS

(Red Hat documentation: Enabling replica)

  • Start the administration console:
redhat-idm-console -u admin -w pass123 -a http://server.ourdom.com:11333/ &
  • In the left pane of the console expand server.ourdom.com, then Server Group. Select Directory Server and click Open in the right pane.
  1. In the Directory Server Console, select the Configuration tab.
  2. In the left-hand navigation tree, click the Replication folder.
  3. In the main window, click the Supplier Settings tab.
  4. Check the Enable Changelog box.
  5. Click the Use default button to use the default changelog database directory.
  6. Save the changelog settings.

Configure the database that will be synchronized as a replica.

  1. In the Directory Server Console, select the Configuration tab.
  2. In the left-hand navigation tree, click the Replication folder, then click the name of the database userRoot to synchronize.
  3. Check the Enable Replica checkbox, and select the radio button by the type of replica which the database will be. The replica role should be either a single-master or multi-master.
  4. In the Update Settings section, add a supplier DN (this user must be on the Active Directory server):
    • cn=replication manager,cn=config
    • CN=sync admin,CN=Builtin,DC=ourdom,DC=local
  5. Save the replication settings for the database.

6. Agreement setup

  1. In the Directory Server Console, select the Configuration tab.
  2. In the left-hand navigation tree, click Replication, then right-click on the database to sync. The default user database is userRoot, but additional databases are added as new suffixes are added to the Directory Server.
  3. Select New Windows Sync Agreement from the menu. This opens the Synchronization Agreement Wizard.
  4. In the two fields, supply the name (users) and the description (users sync) of the synchronization agreement. Click Next.
  5. The second screen reads Windows Sync Server Info. By default, the Directory Server hostname and port are visible at the top, under Supplier. At the very bottom of the screen, the name of the synced suffix, such as dc=example,dc=com, is displayed. (Screenshot: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/images/syncagmt.png)
  6. In the middle of the screen are fields for the Windows domain information. Fill in the domain name and the domain controller:
    • Windows domain name: ourdom.local
  7. Select the checkboxes for the Windows entries which are going to be synchronized.
    • Sync New Windows Users. When enabled, all user entries found in Windows that are subject to the agreement will automatically be created in the Directory Server.
    • Sync New Windows Groups. When enabled, all group entries found in Windows that are subject to the agreement will automatically be created in the Directory Server.
  8. The Windows and Directory Server subtree information is automatically filled in; use the defaults to sync only users or change these as appropriate to sync groups or groups and users.
    • Windows subtree: cn=Users,dc=ourdom,dc=local
    • DS Subtree: ou=People,dc=ourdom,dc=com or ou=Groups,dc=ourdom,dc=com
  9. Check the Using encrypted SSL connection checkbox. The use of SSL is recommended for security reasons, and SSL is required for synchronizing passwords because Active Directory will refuse to modify passwords unless the connection is SSL-protected.
    • Domain controller host: winsrv.vpn or 10.20.1.1
  10. Fill in the authentication information in the Bind as... and Password fields with the sync ID information. This user must exist on the Active Directory server and will be one of the supplier DNs available in the database replication setup.
    • Bind as: CN=Sync Admin,CN=Builtin,DC=ourdom,DC=local
    • Password: pass123
  11. The last screen is a summary of the synchronization agreement. It is still possible to modify any of the configuration at this point by using the Back buttons to get to the appropriate screen. If the agreement is correct, click Done.

When the agreement is complete, an icon representing the synchronization agreement is displayed under the suffix. This icon indicates that the synchronization agreement is set up.

7. Automation

Viewing the agreements and their synchronization status:

$ ldapsearch -H ldaps://server.ourdom.com -x -D cn=dirman -w pass123 \
             -b 'cn=mapping tree,cn=config' -LLL \
             '(objectClass=nsDSWindowsReplicationAgreement)' \
             dn nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd \
             nsds5replicaLastUpdateStatus
dn: cn=groups, cn=replica, cn="dc=ourdom,dc=com", cn=mapping tree, cn=config
nsds5replicaLastUpdateStart: 20080513221433Z
nsds5replicaLastUpdateEnd: 20080513221433Z
nsds5replicaLastUpdateStatus: 0 Incremental update succeeded

dn: cn=users, cn=replica, cn="dc=ourdom,dc=com", cn=mapping tree, cn=config
nsds5replicaLastUpdateStart: 20080513221456Z
nsds5replicaLastUpdateEnd: 20080513221456Z
nsds5replicaLastUpdateStatus: 0 Incremental update succeeded
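Both agreements above are healthy, but reading the status by eye each time does not scale. The shell function below is an added example, not from the original page or from Red Hat: it turns the ldapsearch output into a one-line-per-agreement report and returns a non-zero status when any agreement's last update did not finish with status code 0, so it can be run from cron and raise an alert on failure. The LDIF in it is a constructed sample, with the users agreement deliberately given a made-up failing status so that the report has something to flag; in real use, pipe the output of the ldapsearch above into sync_agreement_report. Folded LDIF lines (continuation lines beginning with a space) are joined before parsing.

```shell
# Added example, not from the original page or from Red Hat: summarize the Windows Sync
# agreements returned by the ldapsearch above. SAMPLE_AGREEMENT_LDIF is constructed; the
# "users" agreement is given a made-up non-zero status so that the report flags it.
#   ldapsearch ... | sync_agreement_report   # real use

SAMPLE_AGREEMENT_LDIF='dn: cn=groups, cn=replica, cn="dc=ourdom,dc=com", cn=mapping tree, cn=config
nsds5replicaLastUpdateStart: 20080513221433Z
nsds5replicaLastUpdateEnd: 20080513221433Z
nsds5replicaLastUpdateStatus: 0 Incremental update succeeded

dn: cn=users, cn=replica, cn="dc=ourdom,dc=com", cn=mapping tree, cn=config
nsds5replicaLastUpdateStart: 20080513221456Z
nsds5replicaLastUpdateEnd: 20080513221456Z
nsds5replicaLastUpdateStatus: 1 Constructed failure message for the example
'

# sync_agreement_report
# Reads agreement LDIF on stdin and prints "<agreement> <status code> <last update end>"
# for each agreement. Returns 1 when any agreement has a non-zero (or missing) status code.
sync_agreement_report() {
    awk '
        function emit(   parts) {
            if (dn == "") return
            split(status, parts, " ")                  # status value is "<code> <message>"
            if (parts[1] == "") parts[1] = "none"      # never updated: treat as a failure
            if (lastend == "") lastend = "-"
            printf "%s %s %s\n", name, parts[1], lastend
            if (parts[1] != "0") bad = 1
            dn = ""; name = ""; status = ""; lastend = ""
        }
        function handle(line,   key, val) {
            if (line == "") { emit(); return }         # blank line separates entries
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ ]*/, "", val)
            if (key == "dn") {
                emit()
                dn = val
                name = val; sub(/^cn=/, "", name); sub(/,.*/, "", name)   # first RDN value
            } else if (key == "nsds5replicaLastUpdateStatus") {
                status = val
            } else if (key == "nsds5replicaLastUpdateEnd") {
                lastend = val
            }
        }
        BEGIN { bad = 0 }
        /^ / { buf = buf substr($0, 2); next }         # folded line: append to the pending one
        { handle(buf); buf = $0 }
        END { handle(buf); emit(); exit bad }
    '
}

# Usage on the constructed sample: lists both agreements and returns 1 because of "users".
printf '%s\n' "$SAMPLE_AGREEMENT_LDIF" | sync_agreement_report ||
    echo "at least one sync agreement needs attention"
```

Only the numeric code at the start of nsds5replicaLastUpdateStatus is compared, so the wording of the message does not matter; an agreement that has never run (no status attribute at all) is reported as "none" and counted as a failure too.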

8. Troubleshooting

8.1. RHDS --> ADS

The following command should succeed:

/usr/lib/mozldap6/ldapsearch -h winsrv.vpn -p 636 -Z -P /etc/dirsrv/slapd-el4/ \
    -D "CN=Sync Admin,CN=Builtin,DC=ourdom,DC=local" -w pass123 \
    -LLL -b "cn=Users,dc=ourdom,dc=local" "(cn=winadmin)" cn

8.2. RHDS

In the Directory Server console, on the Configuration tab, open the Logs folder in the left pane and choose Error Log. In the right pane, in the Log Level group, check the Replication item and save the changes. By default the log is written to /opt/fedora-ds/slapd-el4/logs/errors.

8.3. PassSync

The parameters are stored in the HKLM\Software\Wow6432Node\PasswordSync registry branch.

Under HKLM->Software->PasswordSync, add the string value Log Level and set it to 1. The log file will be written to C:\windows\System32\pass*.log:

  • level 0 - only errors are logged.
  • level 1 - all transactions are logged.
