Re: [Freeipa-users] Problem with Sync. IPA and Active directory using an external CA server with key size of 4096
On Tue, 16 Feb 2016, Mitra Dehghan wrote:

> Thanks for your response. My environment is:
> OS: Centos 6.7 - kernel 2.6.32-537.3.1
> NSS package: nss-3.19.1-3
> IPA version: 3.0.0-47
> 389-ds-base version: 1.2.11.15-60

Ok, NSS fix is there as part of 3.19.1 rebase,
https://rhn.redhat.com/errata/RHSA-2015-1185.html

However, you need to work out ciphers in 389-ds-base configuration. To see what could be done, install FreeIPA 4.x in CentOS 7 and compare settings there in cn=config.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
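The comparison suggested in the reply above can be scripted once each server's encryption entry has been exported as LDIF. This is an added example, not part of the thread or of FreeIPA; it assumes the cipher list is in `nsSSL3Ciphers` under `cn=encryption,cn=config`, and both LDIF samples are constructed, not real server defaults.

```python
# Added example: compare TLS settings from two cn=encryption,cn=config LDIF exports.
# Both samples below are constructed for illustration, not real server defaults.

OLD_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,
 +tls_rsa_export1024_with_rc4_56_sha
"""

NEW_LDIF = """\
dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_md5,+rsa_3des_sha,
 +tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha
"""

def parse_ldif_entry(text):
    """Return {attr_lower: [values]} for one entry, unfolding continuation lines."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]  # LDIF folding: a leading space continues the previous line
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def enabled_ciphers(attrs):
    """Ciphers prefixed with '+' in nsSSL3Ciphers ('-' entries are disabled)."""
    tokens = ",".join(attrs.get("nsssl3ciphers", [])).split(",")
    return {t.strip()[1:] for t in tokens if t.strip().startswith("+")}

def compare(old_text, new_text):
    """Summarise which enabled ciphers differ between the two exports."""
    old, new = parse_ldif_entry(old_text), parse_ldif_entry(new_text)
    old_c, new_c = enabled_ciphers(old), enabled_ciphers(new)
    return {
        "only_old": sorted(old_c - new_c),
        "only_new": sorted(new_c - old_c),
        "common": sorted(old_c & new_c),
        "sslVersionMin": (old.get("sslversionmin"), new.get("sslversionmin")),
    }

if __name__ == "__main__":
    for key, value in compare(OLD_LDIF, NEW_LDIF).items():
        print(f"{key}: {value}")
```

Ciphers listed under `only_new` are the candidates to enable on the older server; `only_old` shows what the newer defaults dropped.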
Re: [Freeipa-users] Problem with Sync. IPA and Active directory using an external CA server with key size of 4096
Thanks for your response. My environment is:
OS: Centos 6.7 - kernel 2.6.32-537.3.1
NSS package: nss-3.19.1-3
IPA version: 3.0.0-47
389-ds-base version: 1.2.11.15-60

On Tue, Feb 16, 2016 at 12:06 PM, Alexander Bokovoy wrote:

> On Tue, 16 Feb 2016, Mitra Dehghan wrote:
>
>> Hello,
>> I want to Sync IPA and Active directory servers:
>> 1- I'm using an external root CA server which uses key size of 4096
>> 2- Both IPA and Active directory use the same CA server as external root CA.
>> 3- Using default configuration, the handshake process for establishing SSL
>> connection between servers (IPA and active directory) fails during
>> certificate-based authentication. As a result password Sync. fails after
>> user synchronization is done.
>>
>> I guess the problem is key size and I was wondering if any special changes
>> are required in the CA instance configured by IPA or if the job is possible
>> at all.
>>
>> Note: Things go well when I use internal CA servers both for active
>> directory and IPA server.
>>
> Can you give a bit more details about your environment? We fixed a bug
> in NSS some time ago related to this issue.
> https://rhn.redhat.com/errata/RHBA-2015-2121.html
>
> What is your distribution? nss package version? IPA version? 389-ds-base
> version?
>
> --
> / Alexander Bokovoy

--
m-dehghan
Re: [Freeipa-users] Problem with Sync. IPA and Active directory using an external CA server with key size of 4096
On Tue, 16 Feb 2016, Mitra Dehghan wrote:

> Hello,
> I want to Sync IPA and Active directory servers:
> 1- I'm using an external root CA server which uses key size of 4096
> 2- Both IPA and Active directory use the same CA server as external root CA.
> 3- Using default configuration, the handshake process for establishing SSL
> connection between servers (IPA and active directory) fails during
> certificate-based authentication. As a result password Sync. fails after
> user synchronization is done.
>
> I guess the problem is key size and I was wondering if any special changes
> are required in the CA instance configured by IPA or if the job is possible
> at all.
>
> Note: Things go well when I use internal CA servers both for active
> directory and IPA server.

Can you give a bit more details about your environment? We fixed a bug in NSS some time ago related to this issue.
https://rhn.redhat.com/errata/RHBA-2015-2121.html

What is your distribution? nss package version? IPA version? 389-ds-base version?

--
/ Alexander Bokovoy
[Freeipa-users] Problem with Sync. IPA and Active directory using an external CA server with key size of 4096
Hello,
I want to Sync IPA and Active directory servers:
1- I'm using an external root CA server which uses key size of 4096
2- Both IPA and Active directory use the same CA server as external root CA.
3- Using default configuration, the handshake process for establishing SSL connection between servers (IPA and active directory) fails during certificate-based authentication. As a result password Sync. fails after user synchronization is done.

I guess the problem is key size and I was wondering if any special changes are required in the CA instance configured by IPA or if the job is possible at all.

Note: Things go well when I use internal CA servers both for active directory and IPA server.

--
m-dehghan