Hello, just to explain why I'm in confusion, I saw this line on redhat procedure: "Import the CA certificate from Directory Server into Active Directory. Click *Trusted Root CA*, then *Import*, and browse for the Directory Server CA certificate."
and this one on a website:

"#This exports the server-cert which you will need on the windows AD
pk12util -d . -o servercert.p12 -n Server-Cert"

So I checked, and I don't have any "servercert.p12" in my directory server (/etc/dirsrv/slapd-389/)

I go to install the Password Sync in my Domain Controller, hope it works ;)

Thanks to the community.

2013/3/27 alexandre <[email protected]>

> Yes you're right, I was speaking for my domain controller (it have
> automatically on the trusted root certification authority... And I made a
> webenrollment request from my 389ds and install the CA cert on my 389ds...
>
> thanks
> On 27 March 2013 17:51, "Rich Megginson" <[email protected]> wrote:
>
> On 03/27/2013 10:32 AM, alexandre wrote:
>>
>> My CA is on my domain controller.
>>
>> Then it is not going to be in the list of "Trusted Root Certification
>> Authorities" on the 389 machine unless you install it.
>>
>> On 27 March 2013 17:11, "Rich Megginson" <[email protected]> wrote:
>>
>>> On 03/27/2013 10:07 AM, alexandre wrote:
>>>
>>> Ok now I know where my confusion comes from. So just to check, in my
>>> case the CA cert that issued the 389DS server cert is automatically in my
>>> "Trusted Root Certification Authorities" because my authority is on my
>>> domain controller !?
>>>
>>> I don't know. What is the CA?
>>>
>>> Thanks !
>>> Alex
>>>
>>> 2013/3/27 Rich Megginson <[email protected]>
>>>
>>>> On 03/27/2013 09:53 AM, alexandre wrote:
>>>>
>>>> Yes I understand that.
>>>>
>>>> To resume, I have a server-cert and a CA cert in my 389DS. I have a CA
>>>> cert in my active directory.
>>>>
>>>> So I need server cert in my AD !?
>>>>
>>>> No. AD only needs the CA cert of the CA that issued the 389DS server
>>>> cert.
>>>>
>>>> I don't really understand "But you must generate cert for DS on AD
>>>> CA", if I did a request by web-enrollment from my 389DS, and install it on
>>>> my 389DS, it's good like that ?
>>>>
>>>> Yes. But PassSync doesn't use the Windows/AD Trusted Cert store, so
>>>> you still have to export that CA cert and install it using certutil, as
>>>> described in the documentation for setting up PassSync.
>>>>
>>>> Thanks a lot !
>>>> Alex
>>>>
>>>> 2013/3/27 Grzegorz Dwornicki <[email protected]>
>>>>
>>>>> Yes and that button allows you to install server cert (again generated
>>>>> in your case on AD CA). CA tab allows you to install CA cert.
>>>>>
>>>>> Greg.
>>>>> On 27 Mar 2013 16:33, "alexandre" <[email protected]> wrote:
>>>>>
>>>>> Sorry my capture is not on the mail, it's the point 12.2.1.
>>>>>> 4.c. Go to the *CA Certs* tab, and click *Install* at the bottom of
>>>>>> the window.
>>>>>> On this link:
>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> 2013/3/27 alexandre <[email protected]>
>>>>>>
>>>>>>> Thanks for the new Link !
>>>>>>>
>>>>>>> @Rich Megginson "It's not the 389DS server certificate, but the
>>>>>>> CA certificate for the CA that issued the 389DS server certificate, that
>>>>>>> you need for PassSync"
>>>>>>>
>>>>>>> @Grzegorz Dwornicki "But you must generate cert for DS on AD CA.
>>>>>>> Then you need to import this cert with AD CA cert on DS"
>>>>>>>
>>>>>>> Sorry I don't understand "CA certificate for the CA that issued
>>>>>>> the 389DS server certificate", I have to export this one below to the
>>>>>>> AD?
>>>>>>> (it's empty on this capture, but with CA certificate on my directory
>>>>>>> server):
>>>>>>>
>>>>>>> @Grzegorz Dwornicki --> do you have a procedure to do that ? I
>>>>>>> don't find in redhat documentation. (when you said AD CA, do you
>>>>>>> consider that AD CA = Authority installed on my AD ?)
>>>>>>>
>>>>>>> Many thanks, for your answers. And your patience about my
>>>>>>> translation problems.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Alex
>>>>>>>
>>>>>>> 2013/3/27 Grzegorz Dwornicki <[email protected]>
>>>>>>>
>>>>>>>> I had misunderstood you in this case. No you don't need to create
>>>>>>>> second CA. But you must generate cert for DS on AD CA. Then you need to
>>>>>>>> import this cert with AD CA cert on DS
>>>>>>>>
>>>>>>>> Greg.
>>>>>>>> On 27 Mar 2013 15:41, "alexandre" <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I'm really impressed by the reactivity of this list !!!
>>>>>>>>>
>>>>>>>>> Sorry my understanding is not perfect because I'm French, so I
>>>>>>>>> don't have any CA in my DS, I have one CA (installed on my domain
>>>>>>>>> controller).
>>>>>>>>>
>>>>>>>>> Do I need to install a CA in my DS ? (when I write CA for me it
>>>>>>>>> means an Authority).
>>>>>>>>>
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> 2013/3/27 Grzegorz Dwornicki <[email protected]>
>>>>>>>>>
>>>>>>>>>> If you have different CA in AD vs DS then you need to do this
>>>>>>>>>> import.
>>>>>>>>>>
>>>>>>>>>> AD by default doesn't use LDAPS or STARTSSL so you need to install
>>>>>>>>>> ms cert CA stuff.
>>>>>>>>>>
>>>>>>>>>> Greg.
>>>>>>>>>> On 27 Mar 2013 15:07, "alexandre" <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I try to follow this procedure :
>>>>>>>>>>>
>>>>>>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>>>>>>>>>>
>>>>>>>>>>> Everything works fine, except I don't understand right this
>>>>>>>>>>> line:
>>>>>>>>>>>
>>>>>>>>>>> "Import the CA certificate from Directory Server into Active
>>>>>>>>>>> Directory. Click *Trusted Root CA*, then *Import*, and browse
>>>>>>>>>>> for the Directory Server CA certificate."
>>>>>>>>>>>
>>>>>>>>>>> For me CA certificate, it's a certificate from the Authority,
>>>>>>>>>>> so in my Active Directory the certificate from the authority is
>>>>>>>>>>> already known in the Trusted Root CA.
>>>>>>>>>>>
>>>>>>>>>>> So, do I need to import 389DS server certificate in my active
>>>>>>>>>>> directory ?
>>>>>>>>>>>
>>>>>>>>>>> And finally, there is no indication to do that, someone can
>>>>>>>>>>> help me to pass through ?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance.
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Alex
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> 389 users mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
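
Added example, not part of the thread or of the 389 DS documentation: the point settled above, that a peer needs the certificate of the CA that issued the server certificate and not the server certificate itself, checked with openssl on constructed throwaway certificates. The helper names (new_ca, issue_cert, trusts, demo) and all subject names are hypothetical.

```shell
#!/bin/sh
# Added example: every key and certificate below is constructed in a temp dir.

# new_ca DIR NAME: self-signed CA "NAME" (stands in for the CA on the DC).
new_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' "CN=$2" '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_cert DIR CA NAME: server cert "NAME" signed by CA (like Server-Cert).
issue_cert() {
    openssl req -new -config "$1/$2.cnf" -subj "/CN=$3" -newkey rsa:2048 \
        -nodes -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# trusts CA_PEM CERT_PEM: succeeds only if CA_PEM is a valid trust anchor
# for CERT_PEM, i.e. it is the certificate of the CA that issued it.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: report which CA certificate a peer must import to accept the server.
demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" issuing-ca && new_ca "$d" other-ca &&
        issue_cert "$d" issuing-ca ds.example.test || { rm -rf "$d"; return 1; }
    for ca in issuing-ca other-ca; do
        if trusts "$d/$ca.pem" "$d/ds.example.test.pem"; then
            echo "$ca: validates the server certificate (import this one)"
        else
            echo "$ca: does not validate the server certificate"
        fi
    done
    rm -rf "$d"
}

demo
```
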
