10.2. Configuring Windows Sync

Configuring synchronization is very similar to configuring replication. It requires configuring the database as a master with a changelog and creating an agreement to define synchronization. A common user identity, a sync user, connects to the Windows sync peer to send updates from the Directory Server and to check for updates to sync back to the Directory Server.

NOTE

To synchronize passwords (which is the only way for users to be active on both Directory Server and Active Directory), synchronization must be configured to run over SSL/TLS. Therefore, this configuration section assumes that SSL/TLS must also be configured.

Configuring synchronization over SSL/TLS is also similar to configuring replication over SSL/TLS. Both sync peers must be configured to trust each other for encrypted sessions (all password operations are performed over TLS/SSL).

All synchronization for user and group entries is passive from the Active Directory side; it is the Directory Server which sends updates on its side and polls for updates on the Active Directory domain. For passwords, the Active Directory server requires a separate password service; this service actively sends password changes from the Active Directory domain to Directory Server.

10.2.1. Step 1: Configure SSL on Directory Server

The full instructions for configuring the Directory Server to run in SSL are at Section 14.2.3.1, “Enabling TLS/SSL Only in the Directory Server”. Basically, the Directory Server needs to have the appropriate SSL certificates installed, be configured to run over an SSL port, and allow client authentication from other servers.

Two certificates must be issued and installed on both the Directory Server and the Active Directory sync peer:

CA certificate, shared between the Directory Server and Active Directory
Server certificates for the Directory Server and Active Directory sync peers, which are accessible by the sync services

To set up SSL:

Generate a certificate request.
1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
2. Select the Server Certs tab, and click the Request button at the bottom.
3. Fill in the certificate information, and save the certificate request to a file.
Submit the certificate to a certificate authority, and retrieve it once it is issued.
The method for submitting certificate requests and retrieving certificates varies for each CA.
Install the new certificate.
1. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
2. Select the Server Certs tab, and click Install at the bottom of the window.
3. Paste in the certificate, and set the password for the token database.
Install the CA certificate for the issuing CA.
1. Download and save the CA certificate from the CA's site. Each CA has a slightly different way of making its CA certificate available.
2. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
3. Go to the CA Certs tab, and click Install at the bottom of the window.
4. Paste in the CA certificate or point to the downloaded file, and go through the certificate installer.
Change the server to the SSL port; this is described in much more detail in Section 1.7, “Changing Directory Server Port Numbers”.
1. Open the Directory Server Console, and open the Configuration tab for the Directory Server.
2. In the Settings tab, set the secure port for the server to use for TLS/SSL communications, such as 636. Click Save.
3. Select the Encryption tab in the right pane.
4. Select the Enable SSL for this Server checkbox, then select the certificate to use from the drop-down menu. Click Save.
5. Restart the Directory Server. The Directory Server must be restarted from the command line.
```
service dirsrv restart example
```
  To restart the Directory Server without the password prompt, create a PIN file or use a hardware crypto device. See Section 14.2.3.3, “Creating a Password File for the Directory Server” for information on how to create a PIN file.

10.2.2. Step 2: Configure the Active Directory Domain

NOTE

Synchronization can only be configured with an Active Directory domain controller, so make sure that the domain is properly installed and configured.

The first configuration step is to make sure that the Active Directory password complexity policies are are enabled so that the Password Sync service will run.

Run secpol.msc from the command line.
Select Security Settings.
Open Account Policies, and then open Password Policy.
Enable the Password must meet complexity requirements option and save.

If SSL is not already enabled, set up SSL on the Active Directory server. Setting up LDAPS is explained in more detail in the Microsoft knowledgebase at http://support.microsoft.com/kb/321051.

Install a certificate authority in the Windows Components section in Add/Remove Programs.
Select the Enterprise Root CA option.
Reboot the Active Directory server. If IIS web services are running, the CA certificate can be accessed by opening http://servername/certsrv.
Set up the Active Directory server to use the SSL server certificate.
1. Create a certificate request .inf, using the fully-qualified domain name of the Active Directory as the certificate subject. For example:
```
;----------------- request.inf ----------------- 

[Version] 

Signature="$Windows NT$ 

[NewRequest]

Subject = "CN=ad.server.example.com, O=Engineering, L=Raleigh, S=North Carolina, C=US"
KeySpec = 1 
KeyLength = 2048 
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 

[EnhancedKeyUsageExtension] 

OID=1.3.6.1.5.5.7.3.1 

;-----------------------------------------------
```
  For more information on the .inf request file, see the Microsoft documentation, such as http://technet.microsoft.com/en-us/library/cc783835.aspx.
2. Generate the certificate request.
```
certreq -new request.inf request.req
```
3. Submit the request to the Active Directory CA. For example:
```
certreq -submit request.req certnew.cer
```
  NOTE
  If the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request. If IIS is running, then the CA URL is http://servername/certsrv.
4. Accept the certificate request. For example:
```
certreq -accept certnew.cer
```
5. Make sure that the server certificate is present on the Active Directory server.
  In the File menu, click Add/Remove, then click Certificates and Personal>Certificates.
6. Import the CA certificate from Directory Server into Active Directory. Click Trusted Root CA, then Import, and browse for the Directory Server CA certificate.
Reboot the domain controller.

To test that the server is running in SSL correctly, try searching the Active Directory over LDAPS.

10.2.3. Step 3: Select or Create the Sync Identity

There are two users used to configure Windows Sync:

An Active Directory user, specified in the sync agreement.
The user specified in the sync agreement is the entity as whom the Directory Server binds to Active Directory to send and receive updates. The Active Directory user should be a member of the Domain Admins group, or have equivalent rights, and must have rights to replicate directory changes.
For information on adding users and setting privileges in Active Directory, see the Microsoft documentation.
A Directory Server user, specified in the Password Sync Service.
The user referenced in the Password Sync Service must have read and write permissions to every entry within the synchronized subtree and absolutely must have write access to password attributes in Directory Server so that Password Sync can update password changes.

NOTE

The user cited in the sync agreement (the supplier DN) exists on the Active Directory server. The user cited in the Password Sync configuration exists on Directory Server.

To create a sync user on Directory Server:

Create a new entry, such as cn=sync user,cn=config, with a password. For example:

/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=sync user,cn=config 
objectClass: inetorgperson 
objectClass: person 
objectClass: top 
cn: sync user
sn: SU 
userPassword: secret 
passwordExpirationTime: 20380119031407Z

Set an ACI that grants the sync user access to compare and write user passwords.
The ACI must be set at the top of the subtree which will be synchronized. For example:
```
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389

dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "password sync";allow (write,compare) userdn="ldap:///cn=sync user,cn=config";)
```
For security reasons, the Password Sync user should not be Directory Manager and should not be part of the synchronized subtree.

10.2.4. Step 4: Install the Password Sync Service

Password Sync can be installed on every domain controller in the Active Directory domain in order to synchronize Windows passwords.

Passwords can only be synchronized if both the Directory Server and Windows server are running in SSL, the sync agreement is configured over an SSL connection, and certificate databases are configured for Password Sync to access.

Download the PassSync.msi file from the appropriate Directory Server channel in Red Hat Network and save it to the Active Directory machine.
NOTE
There are two PassSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the appropriate packages for your Windows platform.
Double-click on the PassSync.msi file to install it.
The Password Sync Setup window appears. Hit Next to begin installing.
Fill in the Directory Server hostname, secure port number, user name (such as cn=sync user,cn=config), the certificate token (password), and the search base (e.g., ou=People,dc=example,dc=com).
Hit Next, then Finish to install Password Sync.
Reboot the Windows machine to start Password Sync.
NOTE
The Windows machine must be rebooted. Without the rebooting, PasswordHook.dll is not enabled, and password synchronization will not function.

The first attempt to synchronize passwords, which happened when the Password Sync application is installed, will always fail because the SSL connection between the Directory Server and Active Directory sync peers. The tools to create the certificate and key databases is installed with the .msi.

Password Sync and many of its libraries are installed in C:\Program Files\Red Hat Directory Password Synchronization. All of the files installed with Password Sync are listed in Table 10.1, “Installed Password Sync Libraries”.

Table 10.1. Installed Password Sync Libraries

Directory	Library	Directory	Library
C:\WINDOWS\system32	passhook.dll	C:\WINDOWS\system32	libnspr4.dll
C:\WINDOWS\system32	nss3.dll	C:\WINDOWS\system32	sqlite3.dll
C:\WINDOWS\system32	softokn3.dll	C:\WINDOWS\system32	nssdbm3.dll
C:\WINDOWS\system32	nssutil3.dll
C:\WINDOWS\system32	smime3.dll	C:\WINDOWS\system32	freebl3.dll
C:\Program Files\Red Hat Directory Password Synchronization	nsldap32v60.dll	C:\Program Files\Red Hat Directory Password Synchronization	certutil.exe
C:\Program Files\Red Hat Directory Password Synchronization	nsldappr32v60.dll	C:\Program Files\Red Hat Directory Password Synchronization	nsldapssl32v60.dll
C:\WINDOWS\system32	ssl3.dll	C:\WINDOWS\system32	libplc4.dll
C:\Program Files\Red Hat Directory Password Synchronization	nssckbi.dll	C:\Program Files\Red Hat Directory Password Synchronization	nsldif32v60.dll
C:\Program Files\Red Hat Directory Password Synchronization	passsync.log ^[a]	C:\Program Files\Red Hat Directory Password Synchronization	passsync.exe
C:\Program Files\Red Hat Directory Password Synchronization	pk12util.exe	C:\Program Files\Red Hat Directory Password Synchronization	msvcr71.dll
C:\WINDOWS\system32	libplds4.dll
^[a] This log file is not an installed library, but it is created at installation.

10.2.5. Step 5: Configure the Password Sync Service

Next, set up certificates that Password Sync uses to access the Directory Server over SSL:

NOTE

SSL is required for Password Sync to send passwords to Directory Server. The service will not send the passwords except over SSL to protect the clear text password sent from the Active Directory machine to the Directory Server machine. This means that Password Sync will not work until SSL is configured.

On the Directory Server, export the server certificate.

cd /etc/dirsrv/slapd-instance_name
certutil -d . -L -n "CA certificate" -a > dsca.crt

Copy the exported certificate from the Directory Server to the Windows machine.
Open a command prompt on the Windows machine, and open the Password Sync installation directory.
```
cd "C:\Program Files\Red Hat Directory Password Synchronization"
```
Create new cert8.db and key.db databases on the Windows machine.
```
certutil.exe -d . -N
```
Import the server certificate from the Directory Server into the new certificate database.
```
certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
```
Verify that the CA certificate was correctly imported.
```
certutil.exe -d . -L -n "DS CA cert"
```
Reboot the Windows machine. The Password Sync service is not available until after a system reboot.

NOTE

If any Active Directory user accounts exist when Password Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed because Password Sync cannot decrypt a password once it has been hashed in Active Directory.

10.2.6. Step 6: Configure the Directory Server Database for Synchronization

Just as with replication, there must be a changelog available to track and send directory changes and the Directory Server database being synchronized must be configured as a replica.

NOTE

If the Directory Server database is already configured for replication, this step is not necessary.

Setting up a database for replication is described in Section 9.5.1, “Configuring the Read-Write Replicas on the Supplier Servers”.

10.2.6.1. Setting up the Directory Server from the Console

First, enable the changelog:

In the Directory Server Console, select the Configuration tab.
In the left-hand navigation tree, click the Replication folder.
In the main window, click the Supplier Settings tab.
Check the Enable Changelog database.
Set the changelog database directory. Click the Use default button to use the default or Browse... to select a custom directory.
Save the changelog settings.

After setting up the changelog, then configure the database that will be synchronized as a replica. The replica role should be either a single-master or multi-master.

IMPORTANT

You cannot configure a sync agreement on a hub. Synchronization will not succeed.

In the Directory Server Console, select the Configuration tab.
In the left-hand navigation tree, click the Replication folder, then click the name of the database to synchronize.
By default, there are two databases, NetscapeRoot for directory configuration and userRoot for directory entries. Other databases may be listed if they have been added to Directory Server.
Check the Enable Replica checkbox, and select the radio button by the type of replica which the database is.
In the Update Settings section, either select or add a supplier DN. This is the user account as which synchronization process will be run. As mentioned in Section 10.2.3, “Step 3: Select or Create the Sync Identity”, this user must be on the Active Directory server.
Save the replication settings for the database.

NOTE

For more information on replication settings, see Chapter 9, Managing Replication.

10.2.6.2. Setting up the Directory Server for Sync from the Command Line

First, enable the changelog:

/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=changelog5,cn=config
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb

Then, create the supplier replica entry:

/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: sync replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=sync user,cn=config

These different parameters are described in more detail in the Configuration and Command-Line Tool Reference and Section 9.7.1, “Configuring Suppliers from the Command Line”.

10.2.7. Step 7: Create the Synchronization Agreement

Create the synchronization agreement.

NOTE

If secure binds are required for simple password authentication (Section 13.5.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (SSL/TLS and Start TLS connections or SASL authentication) is recommended, anyway.

10.2.7.1. Creating the Sync Agreement from the Console

In the Directory Server Console, select the Configuration tab.
In the left-hand navigation tree, click Replication, then right-click on the database to sync. The default user database is userRoot, but additional databases are added as new suffixes are added to the Directory Server.
Alternatively, highlight the database, and in the top tool bar, click Object.
Select New Windows Sync Agreement from the menu.
In the two fields, supply a name and description of the synchronization agreement. Hit Next.
In the Windows Sync Server Info window, fill in the Active Directory information in the Windows Domain Information area.
- The name of the Windows domain.
- What kinds of entries to synchronize; users and groups are synchronized independently. When a type of entry is chosen, then all of the entries of that type that are found in the Windows subtree are created in the Directory Server.
- The Windows and Directory Server subtree information; this is automatically filled in.
- The hostname of the domain controller
- The Windows server's port number
Set the connection type. There are three options:
- Use LDAP. This sets either a standard, unencrypted connection.
- Use TLS/SSL. This uses a secure connection over the server's secure LDAPS port, such as 636. Both the Directory Server and the Windows server must be properly configured to run in TLS/SSL for this connection and must have installed each other's CA certificates in order to trust their server certificates.
- Use Start TLS. This uses Start TLS to establish a secure connection over the server's standard port. Like regular SSL, these peer servers must be able to trust each other's certificates.
Using either TLS/SSL or Start TLS is recommended for security reasons. TLS/SSL or Start TLS is required for synchronizing passwords because Active Directory refuses to modify passwords unless the connection is SSL-protected.
Fill in the authentication information in the Bind as... and Password fields with the sync ID information. This user must exist in the Active Directory domain.
Save the sync agreement.

NOTE

By default, Win Sync polls the Active Directory peer every five (5) minutes to check for changes. In the sync agreement summary, this is displayed as the Update Interval. The update interval can be changed by editing the winSyncInterval attribute manually. See Section 10.7, “Modifying the Sync Agreement”.

When the agreement is complete, the new sync agreement is listed under the suffix.

10.2.7.2. Creating the Sync Agreement from the Command Line

It is also possible to add the sync agreement through the command line.

/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync user,cn=config
nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200

All of the different parameters used in the sync agreement are listed in Table 10.6, “Sync Agreement Attributes”. These different parameters are described in more detail in the Configuration and Command-Line Tool Reference.

10.2.8. Step 8: Configure Directory Server User and Group Entries for Synchronization

Add the ntUser and ntGroup object classes to any user and group entries, respectively, which will be synchronized, along with any required attributes. Only Directory Server entries with those object classes are synchronized. Active Directory entries which are synced over to Directory Server have those object classes automatically.

Whenever the appropriate object classes are added to an entry, both for new entries and existing entries, the entry is synced over at the next incremental update.

Configuring Directory Server user entries for synchronization is described in Section 10.3.3, “Configuring User Sync for Directory Server Users”, and configuring Directory Server group entries for synchronization is described in Section 10.4.4, “Configuring Group Sync for Directory Server Groups”.

10.2.9. Step 9: Begin Synchronization

After the sync agreement is created, begin the synchronization process.

Go to the Configuration tab in the Console.
Open the Replication folder and expand the appropriate database.
Select the sync agreement.
Right-click on the agreement or open the Object menu.
Select Initiate Full Re-synchronization.

If synchronization stops for any reason, begin another total update (resynchronization) by selecting this from the sync agreement menu. Beginning a total update (resynchronization) will not delete or overwrite the databases.