19.2. Configuring Windows Sync

19.2.1. Step 1: Configure SSL on Directory Server

To configure the Directory Server to use SSL, see Chapter 11, Managing SSL. To configure SSL on Active Directory, see the appropriate Microsoft documentation.

Use the certutil utility to create self-signed certificates or obtain and install certificates to enable SSL; for more information, see Section 11.3, “Using certutil”.

The following certificates must be issued and installed on both the Directory Server and the Active Directory sync peer:

  • CA certificate, shared between the Directory Server and Active Directory

  • Directory Server certificate, accessible by the sync services

19.2.2. Step 2: Configure the Active Directory Domain

The Active Directory domain has to be properly configured for synchronization to work.

  1. Set up the Windows domain. On Windows 2000, use the dcpromo tool. On Windows 2003, install the domain controller for Active Directory by clicking Add or Remove Programs and then Add/Remove Windows Components.

    NOTE

    For more detailed information, see the appropriate Windows documentation.

  2. Make sure that the Active Directory password complexity policy is enabled. Password Sync captures password changes through a Windows password filter DLL, and Windows only invokes password filters when this policy is enabled, so the Password Sync service will not work without it.

    Run secpol.msc, and select Security Settings, then Account Policies, and Password Policy. Make sure that Password must meet complexity requirements is selected.

  3. Set up SSL on the Active Directory server.

    1. Install a certificate authority in the Windows Components section in Add/Remove Programs.

    2. Select the Enterprise Root CA option.

    3. Reboot the Active Directory server. If IIS web services are running, the CA certificate can be accessed by opening http://servername/certsrv.

    4. Set up the Active Directory server to use the SSL server cert.

      1. Create a certificate request .inf, using the fully-qualified domain name of the Active Directory as the certificate subject.

      2. Request the certificate by running the following command on the Active Directory machine:

        certreq -new request.inf request.req
        
      3. Submit the request to the Active Directory CA. For example:

        certreq -submit request.req certnew.cer
        

        NOTE

        If the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request. If IIS is running, then the CA URL is http://servername/certsrv.

      4. Accept the certificate request. For example:

        certreq -accept certnew.cer
        
      5. Make sure that the server certificate is present on the Active Directory server. Open the Microsoft Management Console (mmc.exe); in the File menu, click Add/Remove Snap-in, add the Certificates snap-in for the computer account, then expand Personal > Certificates and check that a certificate whose subject is the server's fully-qualified domain name is listed.

      6. Import the CA certificate from Directory Server into Active Directory. Click Trusted Root Certification Authorities, then Import, and browse for the Directory Server CA certificate.

    For more information, see http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.
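The certificate request that step 3.4 leaves unspecified, as an added example that is not from the Red Hat guide: a PowerShell script that writes the request .inf for the domain controller's fully-qualified name, runs the same certreq sequence as above, and then checks the three things Password Sync will depend on (a certificate for the FQDN with its private key is in the machine store, the complexity policy from step 2 is on, and the domain controller answers LDAPS with a trusted certificate). The working directory under %TEMP%, the 2048-bit key size, and running the script as an administrator on the domain controller that also hosts the Enterprise Root CA are assumptions.

```powershell
# Added example, not from the Red Hat guide. Assumes: run as administrator on the
# domain controller, Enterprise Root CA on the same machine, certreq/secedit on PATH.
$ErrorActionPreference = 'Stop'

# The certificate subject must be the DC's fully-qualified domain name.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$work = Join-Path $env:TEMP 'adssl'            # assumed working directory
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Step 3.4.1: request .inf. Machine key store, non-exportable key, KeySpec=1
# (key exchange) as SChannel requires, Server Authentication EKU.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@ -replace '__FQDN__', $fqdn
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Steps 3.4.2 to 3.4.4: generate, submit and accept the request.
# certreq -submit prompts for the CA if more than one is registered.
& certreq -new    "$work\request.inf" "$work\request.req"
& certreq -submit "$work\request.req" "$work\certnew.cer"
& certreq -accept "$work\certnew.cer"

# Step 3.4.5: the certificate must be in the machine Personal store with its key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $fqdn in Cert:\LocalMachine\My" }
"Server certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Step 2 check: Password Sync needs 'Password must meet complexity requirements'.
& secedit /export /cfg "$work\secpol.cfg" /quiet | Out-Null
if (-not (Select-String -Path "$work\secpol.cfg" -Pattern '^PasswordComplexity\s*=\s*1' -Quiet)) {
    Write-Warning 'Password complexity policy is disabled (secpol.msc > Account Policies > Password Policy)'
}

# Confirm the DC serves LDAPS with a certificate that chains to a trusted root.
# If this fails right after the certificate was installed, restart the DC first.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)   # throws on an untrusted chain or a name mismatch
    "LDAPS on ${fqdn}:636 OK ($($ssl.SslProtocol))"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

The SslStream check validates against the Windows trust store, which is what other LDAPS clients on the domain will use; Password Sync itself validates the Directory Server's certificate against its own NSS database, which Step 4 sets up separately.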

19.2.3. Step 3: Select or Create the Sync Identity

There are two users used to configure Windows Sync: an Active Directory user, specified in the sync agreement, and a Directory Server user, specified in the Password Sync service.

The user specified in the sync agreement is the entity as whom the Directory Server binds to Active Directory to send and receive updates. This user must have the right to replicate directory changes in the Active Directory domain and read and write access to the synchronized subtree. A member of the Domain Admins group has these rights, but a dedicated account granted only these rights limits the extent of the Windows directory that can be affected by the sync ID to the synchronized subtree. For information on adding users and setting privileges in Active Directory, see the Microsoft documentation.

The user referenced in the Password Sync service must have read and write permissions to every entry within the synchronized subtree and must have write access to the password attributes in Directory Server so that Password Sync can apply password changes.

For security reasons, the Password Sync user should not be Directory Manager and should not be part of the synchronized subtree. Directory Manager is not restricted by access control, so a compromise of the Password Sync credentials stored on the Windows machine would give full control of the directory; a dedicated account limited by ACIs to the synchronized subtree bounds that exposure. For information on adding users, see Chapter 2, Creating Directory Entries; for information on setting permissions, see Chapter 6, Managing Access Control. For information on creating a special sync ID, see Section 8.3, “Creating the Supplier Bind DN Entry”.

NOTE

The user cited in the sync agreement (the supplier DN) exists on the Active Directory server. The user cited in the Password Sync configuration exists on Directory Server.

19.2.4. Step 4: Install and Configure the Password Sync Service

Password Sync can be installed on any Windows machine to synchronize Windows passwords. Passwords can only be synchronized if both the Directory Server and the Windows server use SSL, the sync agreement is configured over an SSL connection, and certificate databases are set up for Password Sync to access.

  1. Copy the PassSync.msi file that contains the Password Sync utility to the Active Directory machine.

  2. Double-click on the PassSync.msi file to install it.

  3. The Password Sync Setup window will appear. Hit Next to begin installing.

  4. Fill in the Directory Server hostname, secure port number, user name (such as cn=sync manager,cn=config), the certificate token (password), and the search base (e.g., ou=People,dc=example,dc=com).

    Setting up Password Sync Information
    Figure 19.3. Setting up Password Sync Information

    Hit Next, then Finish to install Password Sync.

  5. Reboot the Windows machine to start Password Sync.

    NOTE

    The Windows machine must be rebooted. Until it is, the password filter PasswordHook.dll is not loaded, and password synchronization will not function.

Password Sync is installed in C:\Program Files\Red Hat Directory Password Synchronization.

The following DLLs are installed in C:\winnt\system32 and utilized by Password Sync:

passhook.dll
nsldap32v50.dll
nsldapssl32v50.dll
libplc4.dll
nsldappr32v50.dll
nss3.dll
libnspr4.dll
ssl3.dll
libplds4.dll
softokn3.dll

Next, set up certificates that Password Sync will use to access the Directory Server over SSL:

NOTE

SSL is required for Password Sync to send password to Directory Server. The service will not send the passwords except over SSL to protect the clear text password sent from the Active Directory machine to the Directory Server machine.

  1. Download certutil.exe if it is not already installed on the machine. It is available from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/. See Chapter 11, Managing SSL for more information on SSL.

  2. Create a new cert8.db and key3.db for Password Sync with certutil.exe on the Windows machine. Run the command from the Password Sync installation directory, C:\Program Files\Red Hat Directory Password Synchronization, so that -d . refers to that directory (the later steps pass the full path instead).

    certutil.exe -d . -N
    
  3. On the Directory Server, export the server certificate with pk12util. The Directory Server names its certificate databases slapd-serverID-cert8.db and slapd-serverID-key3.db, but pk12util looks for cert8.db and key3.db in the directory given with -d, so first link the files under the expected names in the server's certificate directory, then export:

    ln -s slapd-serverID-cert8.db cert8.db
    ln -s slapd-serverID-key3.db key3.db
    pk12util -d . -o servercert.pfx -n Server-Cert
    
    pk12util prompts for a password to protect the exported file. The .pfx contains the server's private key, so transfer it only over a trusted channel and delete it from both machines once it has been imported.

  4. Copy the exported certificate from the Directory Server to the Windows machine.

  5. Import the server certificate from the Directory Server into the new certificate databases using pk12util.exe.

    pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx
    
  6. Give trusted peer status to the server.

    certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"
    
    Password Sync only needs to be able to verify the Directory Server's certificate, not to hold its private key. Importing the CA certificate shared between the Directory Server and Active Directory into the Password Sync certificate database as a trusted CA with certutil.exe achieves the same result without copying the server key off the Directory Server.
    

    NOTE

    If Active Directory user accounts already exist when Password Sync is first installed, their passwords cannot be synchronized until they are next changed. Password Sync only captures the clear-text value at the moment a password is changed; it cannot recover a password from the hash that Active Directory stores.

19.2.5. Step 5: Configure the Directory Server Database for Synchronization

Just as with replication, there must be a changelog available to track and send directory changes and the Directory Server database being synchronized must be configured as a replica.

NOTE

If the Directory Server database is already in a replicated environment, this step is not necessary.

First, enable the changelog:

  1. In the Directory Server Console, select the Configuration tab.

  2. In the left-hand navigation tree, click the Replication folder.

  3. In the main window, click the Supplier Settings tab.

  4. Check the Enable Changelog database.

  5. Set the changelog database directory. Click the Use default button to use the default or Browse... to select a custom directory.

  6. Save the changelog settings.

After setting up the changelog, then configure the database that will be synchronized as a replica. The replica role should be either a single-master or multi-master.

  1. In the Directory Server Console, select the Configuration tab.

  2. In the left-hand navigation tree, click the Replication folder, then click the name of the database to synchronize.

    By default, there are two databases, NetscapeRoot for directory configuration and userRoot for directory entries. Other databases may be listed if they have been added to Directory Server.

  3. Check the Enable Replica checkbox, and select the radio button by the type of replica which the database will be.

  4. In the Update Settings section, either select or add a supplier DN. This is the user account as which synchronization process will be run. As mentioned in Section 19.2.3, “Step 3: Select or Create the Sync Identity”, this user must be on the Active Directory server.

  5. Save the replication settings for the database.

NOTE

For more information on replication settings, see Chapter 8, Managing Replication.

19.2.6. Step 6: Create the Synchronization Agreement

Create the synchronization agreement:

  1. In the Directory Server Console, select the Configuration tab.

  2. In the left-hand navigation tree, click Replication, then right-click on the database to sync. The default user database is userRoot, but additional databases are added as new suffixes are added to the Directory Server.

    Alternatively, highlight the database, and in the top tool bar, click Object.

  3. Select New Windows Sync Agreement from the menu.

    This opens the Synchronization Agreement Wizard.

  4. In the two fields, supply a name and description of the synchronization agreement. Hit Next.

  5. The second screen reads Windows Sync Server Info. By default, the Directory Server hostname and port are visible at the top, under Supplier. At the very bottom of the screen, the name of the synced suffix, such as dc=example,dc=com, is displayed.

    Setting up the Sync Agreement
    Figure 19.4. Setting up the Sync Agreement

  6. In the middle of the screen are fields for the Windows domain information. Fill in the domain name and the domain controller.

  7. Select the checkboxes for the Windows entries which are going to be synchronized.

    • Sync New Windows Users. When enabled, all user entries found in Windows that are subject to the agreement will automatically be created in the Directory Server.

    • Sync New Windows Groups. When enabled, all group entries found in Windows that are subject to the agreement will automatically be created in the Directory Server.

  8. The Windows and Directory Server subtree information is automatically filled in; use the defaults to sync only users or change these as appropriate to sync groups or groups and users.

  9. Check the Using encrypted SSL connection checkbox. The use of SSL is recommended for security reasons, and SSL is required for synchronizing passwords because Active Directory will refuse to modify passwords unless the connection is SSL-protected.

  10. Fill in the authentication information in the Bind as... and Password fields with the sync ID information. This user must exist on the Active Directory server and is one of the supplier DNs available in the database replication setup, as described in Section 19.2.5, “Step 5: Configure the Directory Server Database for Synchronization”.

  11. The last screen is a summary of the synchronization agreement. Any of the settings can still be changed at this point by using the Back button to return to the appropriate screen. If the agreement is correct, click Done.

When the agreement is complete, an icon representing the synchronization agreement is displayed under the suffix. This icon indicates that the synchronization agreement is set up.

19.2.7. Step 7: Begin Synchronization

After the sync agreement is created, begin the synchronization process. Select the sync agreement, right-click or open the Object menu, and select Begin resynchronization. This will begin the synchronization process.

If synchronization stops for any reason, begin another total update (resynchronization) by selecting this from the sync agreement menu. Beginning a total update (resynchronization) will not delete or overwrite the databases.
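Steps 5, 6 and 7 as a single LDIF file, added here as an example and not taken from the Red Hat guide. It does over LDAP what the Console wizard does: enables the changelog, makes the suffix a single-master replica, creates the Windows sync agreement with SSL as the only transport, and triggers the total update. The instance name serverID, the suffix dc=example,dc=com, the host ad.example.com, the domain EXAMPLE, the replica ID 7, the agreement name, the sync DNs and the password are placeholders to be replaced with the values chosen in Steps 3 to 6.

```ldif
# Added example, not from the Red Hat guide; every value below is a placeholder.

# Step 5, changelog: must exist before the replica is created.
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-serverID/changelogdb

# Step 5, replica: single-master (type 3), writes to the changelog (flags 1).
# The replica ID must be unique among the suppliers in the deployment.
# nsDS5ReplicaBindDN is the supplier DN selected in the Update Settings,
# the Active Directory sync ID from Step 3.
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=sync user,cn=Users,dc=example,dc=com

# Step 6, the Windows sync agreement. Port 636 with TransportInfo SSL is the
# "Using encrypted SSL connection" checkbox; Active Directory refuses password
# modifications over a plain connection, so do not change this to LDAP.
dn: cn=ExampleWinSync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleWinSync
description: Sync users and groups with the EXAMPLE domain
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=sync user,cn=Users,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: AD-sync-user-password
nsds7WindowsDomain: EXAMPLE
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on

# Step 7, begin a total update (resynchronization).
dn: cn=ExampleWinSync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
```

Apply the file with ldapmodify as Directory Manager over the Directory Server's secure port. The file holds the Active Directory sync user's password in clear text, so restrict its permissions while it exists and delete it once the changes are applied; the server stores the credential in encrypted form in the agreement entry. To restart synchronization later, as Step 7 describes, send only the last change (replace nsds5BeginReplicaRefresh with start) against the agreement entry again.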


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.