ISW, Active Directory and ldaps://
I'm trying to get password synchronization working using Identity Synchronization for Windows 12004Q3SP1 with JES Directory Server 5.2 and Active Directory on a Windows 2003 domain. It is not working, and in the Directory Server error log, this message appears whenever I change a user password:
WARNING<38731>isw Plugins authentication to Active Direcotry server at ldaps://servername.ad.example.com:636 failed ... error(81): Can't contact LDAP server
To test connectivity with the AD server, I opened a web browser on the Sun server and browsed to ldap://servername.ad.example.com:636. This produces a search window, so I know the AD server responds on port 636. However, when I put the "s" after "ldap", the browser tells me it can't find the AD server: ldaps://servername.ad.example.com:636.
I need to find a way around this. Either I need to get the AD server to respond to ldaps:// or I need to get the Sun server to request on ldap://. Anyone know how to do either? Thanks. -G.
By GlennG at 2007-11-26 11:02:47

# 1
I tried to edit the original post, but evidently editing is turned off. Here is some additional information.
Password synchronization works when the password is changed on the Directory Server. It only fails when the password is changed on the Active Directory server.
The error message quoted above appears at system startup. Here's the error message that appears in the Directory Server log when I change a password on the AD server:
WARNING<38783>isw Plugins authentication cannot be completed, because no domain controller (ldaps://servername.ad.example.com:636) is available to verify credential for user uid=glenn,ou=people,o=example.com
Thanks for any ideas. -G.
# 2
And now I must amend my reply. The error message quoted above appears in the log when the user tries to log in to Directory Editor, which is an application running on the Sun machine. So the error message results from an attempt to log in with the new password, not from the password change itself. -G.
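The two ISW plugin warnings quoted in the original post and in reply #1 are the kind of line worth alerting on, since a Directory Server that cannot reach its domain controller over ldaps:// silently stops verifying AD credentials. The following parser is an added example, not code from the thread or from the ISW product: it pulls the message code, the target URL, the LDAP result code and the affected user DN out of such lines and groups them per domain controller. The sample log text is constructed here from the messages quoted above; the `INFO` line is a made-up filler to show that unrelated entries are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two warnings quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
WARNING<38731>isw Plugins authentication to Active Direcotry server at ldaps://servername.ad.example.com:636 failed ... error(81): Can't contact LDAP server
WARNING<38783>isw Plugins authentication cannot be completed, because no domain controller (ldaps://servername.ad.example.com:636) is available to verify credential for user uid=glenn,ou=people,o=example.com
INFO<1000>unrelated message that the parser should skip
"""

# Patterns derived from the message shapes above; field names are ours, not ISW's.
LINE_RE = re.compile(r"^WARNING<(?P<code>\d+)>isw Plugins (?P<msg>.*)$")
URL_RE = re.compile(r"(?P<scheme>ldaps?)://(?P<host>[^\s/:)]+):(?P<port>\d+)")
ERR_RE = re.compile(r"error\((?P<err>\d+)\)")
USER_RE = re.compile(r"for user (?P<dn>\S+)")


@dataclass
class IswEvent:
    code: int                 # ISW message number, e.g. 38731
    scheme: str               # "ldap" or "ldaps"
    host: str
    port: int
    ldap_error: Optional[int] # LDAP result code if the line carries one (81 = server down)
    user_dn: Optional[str]    # DN whose credential could not be verified, if present


def parse_isw_line(line: str) -> Optional[IswEvent]:
    """Return an IswEvent for an ISW plugin warning, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    url = URL_RE.search(msg)
    if not url:
        return None  # an ISW warning without a DC URL is not a connectivity event
    err = ERR_RE.search(msg)
    user = USER_RE.search(msg)
    return IswEvent(
        code=int(m.group("code")),
        scheme=url.group("scheme"),
        host=url.group("host"),
        port=int(url.group("port")),
        ldap_error=int(err.group("err")) if err else None,
        user_dn=user.group("dn") if user else None,
    )


def parse_log(text: str) -> list[IswEvent]:
    """Parse every line of a Directory Server error log excerpt."""
    events = [parse_isw_line(l) for l in text.splitlines()]
    return [e for e in events if e is not None]


def summarize(events: list[IswEvent]) -> dict[str, int]:
    """Count connectivity failures per domain controller URL (scheme://host:port)."""
    return dict(Counter(f"{e.scheme}://{e.host}:{e.port}" for e in events))


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
    print(summarize(parse_log(SAMPLE_LOG)))
```

Feeding the real error log through `parse_log` and watching `summarize` for a non-zero count against a DC URL is enough to raise an alert; the `user_dn` field on the 38783 events tells you which accounts were affected while the link was down.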
# 3
Are you running LDAP over SSL on both SunDS and AD? From reading your earlier posts it doesn't appear that you are. I seem to recall that end-to-end SSL was a requirement for a successful ISW deployment; this is how I have it set up and it works fine.
Getting SSL set up for both SunDS and AD should be rather straightforward, though the documentation for AD is sparse at best. I wrote up a howto on getting AD-SSL working, see the TinyCA2 section at http://directory.fedora.redhat.com/wiki/Howto:WindowsSync
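The symptom in the original post (a plain ldap:// request to port 636 gets an answer, ldaps:// to the same port does not) is exactly what you see when the domain controller has no server certificate and is therefore not doing TLS on 636, and reply #3's point is that ISW needs that TLS link end to end. The probe below is an added example, not code from the thread or from ISW, that tells those cases apart from the Sun side: it opens a TLS connection the way the ISW plugin would, validating the DC certificate against a CA file, and classifies the outcome. The two helper functions that start a fake plaintext listener and reserve a closed port exist only so the probe can be exercised offline; the LDAP-looking reply bytes they use are constructed, not captured from a real DC.

```python
import socket
import ssl
import sys
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapsProbeResult:
    status: str                  # "ok", "untrusted_certificate", "not_tls",
                                 # "port_closed", "no_response", "unreachable"
    detail: str
    subject: Optional[tuple] = None   # peer certificate subject when status == "ok"


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> LdapsProbeResult:
    """Attempt a verified TLS handshake to host:port and classify what happened."""
    # Default context verifies the chain and the hostname, as ISW does with its
    # configured CA certificate; cafile=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return LdapsProbeResult("ok", f"{tls.version()} established",
                                        cert.get("subject"))
    except ssl.SSLCertVerificationError as e:
        # TLS is there, but the DC's certificate does not chain to cafile.
        return LdapsProbeResult("untrusted_certificate", str(e))
    except (ssl.SSLError, ConnectionResetError) as e:
        # Port answered but did not speak TLS: the "ldap:// on 636 works,
        # ldaps:// does not" situation from the original post.
        return LdapsProbeResult("not_tls", f"handshake failed: {e}")
    except ConnectionRefusedError as e:
        return LdapsProbeResult("port_closed", str(e))
    except TimeoutError as e:
        return LdapsProbeResult("no_response", f"no answer within {timeout}s: {e}")
    except OSError as e:
        return LdapsProbeResult("unreachable", str(e))


# Constructed bytes shaped like a BER-encoded LDAP BindResponse; anything that is
# not a TLS record will do to simulate a DC answering in the clear on 636.
FAKE_PLAIN_LDAP_REPLY = b"0\x0c\x02\x01\x01a\x07\n\x01\x00\x04\x00\x04\x00"


def start_plaintext_listener(reply: bytes = FAKE_PLAIN_LDAP_REPLY) -> int:
    """Test helper: accept one connection, answer with plaintext, close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        try:
            conn.recv(4096)      # swallow the client's TLS ClientHello
            conn.sendall(reply)  # reply with something that is not TLS
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Test helper: return a loopback port number that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py servername.ad.example.com [636] [/path/to/ca.pem]
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_ldaps(target, tport, ca))
```

Run it from the Sun server against the DC with the same CA file ISW is configured with. `not_tls` means the DC side still needs its server certificate (reply #3's howto covers that); `untrusted_certificate` means TLS is up but the CA that issued the DC certificate is not the one the Sun side trusts, which is the thing to check before blaming the sync itself.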
# 5
I'm beginning to wonder if the problem has anything to do with the fact that I'm trying to use a Microsoft Certification Authority on the Active Directory server to provide certificates. It does not work very well, as it insists that requests invoke a template, and the Sun server does not seem to know anything about these templates. Has anyone been able to use the Microsoft CA with ISW, or should I try something like Tiny CA? Thanks again. -G.