16.4. Setting up Synchronization Between Active Directory and Directory Server

Configuring synchronization is very similar to configuring replication. It requires configuring the database as a master with a changelog and creating an agreement to define synchronization. A common user identity, a synchronization user, connects to the Active Directory (AD) domain controller (DC) to send updates from Directory Server to AD and to check AD for updates to synchronize them to Directory Server.

Note

To enable users to use their accounts on Directory Server and AD, synchronize passwords. Password synchronization requires to use an encrypted connection.
Synchronization for user and group entries is passive from the AD side. Directory Server send updates to AD and polls for updates on the AD domain. For passwords, the AD server requires a separate password service. This service actively sends password changes from the AD domain to Directory Server.

16.4.1. Step 1: Enabling TLS on the Directory Server Host

The Password Sync service requires to synchronize passwords over an encrypted connection. If TLS is not yet enabled in your Directory Server instance, enable it. For details, see Section 9.4.1, “Enabling TLS in Directory Server”.

16.4.2. Step 2: Enabling Password Complexity in the AD Domain

Enable password complexity in the AD domain using a group policy. For example:
  1. Open the Group Policy Management console and create a new Group Policy Object (GPO) in the domain.
    For details about using the Group Policy Management console, see the Windows documentation.
  2. Right-click the GPO, and select Edit to open the Group Policy Management Editor.
  3. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword Policy, and double-click the policy named Password must meet complexity requirements.
  4. Enable the policy and click OK.
  5. Close the Group Policy Management Editor and the Group Policy Management console.

16.4.3. Step 3: Extracting the CA Certificate from AD

Extract the root certificate authority (CA) certificate and copy it to the Directory Server host:
  • If your AD CA certificate is self-signed:
    1. On an AD DC with the Certification Authority application installed, press the Super key+R combination to open the Run dialog.
    2. Enter the certsrv.msc command and click OK to open the Certification Authority application.
    3. Right-click on the name of the local Certificate Authority and choose Properties.
    4. On the General tab, select the certificate to export in the CA certificates field and click View Certificate.
    5. On the Details tab, click Copy to File to start the Certificate Export Wizard.
    6. Click Next, and then select Base-64 encoded X.509 (.CER).
    7. Specify a suitable directory and file name for the exported file. Click Next to export the certificate, and then click Finish.
    8. Copy the root CA certificate to the Directory Server host.
  • If your AD CA certificate is signed by an external CA:
    1. Determine the root CA. For example:
      # openssl s_client -connect adserver.example.com:636
      CONNECTED(00000003)
      depth=1 C = US, O = Demo Company, OU = IT, CN = Demo CA-28
      verify error:num=20:unable to get local issuer certificate
      verify return:0
      ---
      Certificate chain
       0 s:/C=US/O=Demo Company/OU=IT/CN=adserver.example.com
         i:/C=US/O=Demo Company/OU=IT/CN=Demo CA-1
       1 s:/C=US/O=Demo Company/OU=IT/CN=Demo CA-1
         i:/C=US/O=Demo Company/OU=IT/CN=Demo Root CA 2
      The previous example shows that the AD server's CA certificate is signed by CN=Demo CA-1, which is signed by CN=Demo Root CA 2. This means that CN=Demo Root CA 2 is the root CA.
    2. Contact the operator of the root CA about how to retrieve the CA certificate.
    3. Copy the root CA certificate to the Directory Server host.

16.4.4. Step 4: Extracting the CA Certificate from the Directory Server's NSS Database

To extract the CA certificate from the Directory Server's NSS database:
  1. List the certificates in the database:
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L
    
    Certificate Nickname                Trust Attributes
                                        SSL,S/MIME,JAR/XPI
    
    Server-Cert                         u,u,u
    Example CA                          C,,
  2. Extract the CA certificate from the database. For example, to extract the CA certificate with the Example CA nickname and store it in the /root/ds-ca.crt file:
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L -n "Example CA" -a > /root/ds-ca.crt
  3. Copy the CA certificate to the AD DC.

16.4.5. Step 5: Creating the Synchronization Accounts

For synchronization between AD and Directory Server, you require one account in AD and one in Directory Server. This section explains further details about creating these accounts.

Creating an Account in Directory Server

The AD DCs use a Directory Server account in the Password Sync service to synchronize passwords to Directory Server. For example, to create the cn=pw_sync_user,dc=config user in Directory Server:
  1. Create the user account:
    # ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=pw_sync_user,cn=config
    objectClass: inetorgperson
    objectClass: person
    objectClass: top
    cn: pw_sync_user
    sn: pw_sync_user
    userPassword: password
    passwordExpirationTime: 20380101000000Z
    This creates the cn=pw_sync_user,dc=config account and sets its expiration time to January 01 2038.

    Important

    For security reasons, do not create the account in the synchronized subtree.
  2. Set an ACI at the top of the subtree that will be synchronized and grants write and compare permissions to the cn=pw_sync_user,dc=config user. For example, to add such an ACI to the ou=People,dc=example,dc=com entry:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="userPassword")(version 3.0;acl "Password synchronization";
     allow (write,compare) userdn="ldap:///cn=pw_sync_user,dc=config";)
  3. Configure that Directory Server can store passwords in clear text in the changelog:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-unhashed-pw-switch=on
    Because Directory Server uses a different password encryption than Active Directory, Directory Server must send the password in clear text to the Windows server. However, the clear text password is sent over a TLS encrypted connection that is required for password synchronization and is, therefore, not exposed to the network.

Creating an Account in AD

To send and receive updates, Directory Server uses an AD account when connecting to AD. This account must be a member of the Domain Admins group or have equivalent permissions in AD. For details about creating AD accounts, see your AD documentation.

16.4.6. Step 6: Installing the Password Sync Service

Install the Password Sync on every writable DC in your AD. For details about installing the Password Sync service, see the Installing the password synchronization service section in the Red Hat Directory Server Installation Guide.
For a list of operating systems running the Password Sync service that Red Hat supports, see the Red Hat Directory Server Release Notes.

16.4.7. Step 7: Adding the CA Certificate Directory Server uses to the Password Sync Service's Certificate Database

On every DC that has the Password Sync service installed, add the CA certificate Directory Server uses to the Password Sync service's certificate database:
  1. Change into the C:\Program Files\Red Hat Directory Password Synchronization\ directory:
    > cd "C:\Program Files\Red Hat Directory Password Synchronization\"
  2. Create the certificate databases in the current directory:
    > certutil.exe -d . -N
    The certutil.exe utility prompts to set a password to the new database it creates.
  3. Import the CA certificate used by the Directory Server instance. You copied this certificate in Section 16.4.4, “Step 4: Extracting the CA Certificate from the Directory Server's NSS Database” to the Windows DC. For example, to import the certificate from the C:\ds-ca.crt file and store it in the database with the Example CA nickname:
    > certutil.exe -d . -A -n "Example CA" -t CT,, -a -i "C:\ds-ca.crt"
  4. Optionally, verify that the CA certificate was stored correctly in the database:
    > certutil.exe -d . -L
    
    Certificate Nickname                Trust Attributes
                                        SSL,S/MIME,JAR/XPI
    
    Example CA                          CT,,
  5. Reboot the Windows DC. The Password Sync service is not available until you reboot the system.

Note

If any AD user accounts exist when you install Password Sync, the service cannot synchronize the passwords for those accounts until the passwords are changed. This happens because Password Sync cannot decrypt a password once it has been stored in Active Directory. For details about enforcing a password reset for AD users, see the Active Directory documentation.

16.4.8. Step 8: Adding the CA Certificate AD uses to Directory Server's Certificate Database

On the Directory Server host, add the CA certificate AD uses to the certificate database:
  1. Import the CA certificate AD uses. You copied this certificate in Section 16.4.3, “Step 3: Extracting the CA Certificate from AD” to the Directory Server host. For example, to import the certificate from the /root/ad-ca.crt file and store it in the database with the Example CA nickname:
    > certutil -d /etc/dirsrv/slapd-instance_name/ -A -n "Example CA" -t CT,, -a -i /root/ad-ca.crt
  2. Optionally, verify that the CA certificate was stored correctly in the database:
    > certutil -d /etc/dirsrv/slapd-instance_name/ -L
    
    Certificate Nickname                Trust Attributes
                                        SSL,S/MIME,JAR/XPI
    ...
    Example CA                          CT,,

16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement

This section describes how to configure the database for synchronization and create the synchronization agreement.

16.4.9.1. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Command Line

The following example assumes that you have Directory Server running on a host named ds.example.com and an AD DC running on a host named win-server.ad.example.com. The following procedure describes how to configure synchronization between these hosts:
  1. Enable replication for the suffix:
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com replication \
        enable --suffix="dc=example,dc=com" --role="master" --replica-id=1
    This command configures the ds.example.com host as a master for the dc=example,dc=com suffix and sets the replica ID for this entry to 1.

    Important

    The replica ID must be a unique integer between 1 and 65534 for a suffix across all masters in the topology.
  2. Add the synchronization agreement and initialize the agreement. For example:
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-winsync-agmt \
         create --suffix="dc=example,dc=com" --host="win-server.ad.example.com" --port=636 \
         --conn-protocol="LDAPS" --bind-dn="cn=user_name,cn=Users,dc=ad,dc=example,dc=com" \
         --bind-passwd="password" --win-subtree="cn=Users,dc=example,dc=com" \
         --ds-subtree="ou=People,dc=example,dc=com" --win-domain="AD" \
         --init example-agreement
    This command creates a replication agreement named example-agreement. The replication agreement defines settings, such as AD DC's host name, protocol, and authentication information, Directory Server uses when connecting and synchronizing data to the DC.
    After the agreement is created, Directory Server initializes the agreement. To initialize the agreement later, omit the --init option. Note that synchronization does not start before you initialized the agreement. For details about initializing a synchronization agreement, see Section 16.11.2.1, “Performing a Full Synchronization Using the Command Line”.
    Optionally, pass the --sync-users="on" and --sync-groups="on" option to the command to automatically synchronize new Windows users and groups to Directory Server.
    For further details about the options used in the command, enter:
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-agmt --help
  3. Verify that the initialization was successful:
    # dsconf -D "cn=Directory Manager" ldap://ds.example.com repl-winsync-agmt \
         init-status --suffix="dc=example,dc=com" example-agreement
    Agreement successfully initialized.

16.4.9.2. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Web Console

The following example assumes that you have Directory Server running on a host named ds.example.com and an AD DC running on a host named win-server.ad.example.com. The following procedure describes how to configure synchronization between these hosts:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Enable replication for the suffix:
    1. Open the Replication menu.
    2. Select the dc=example,dc=com suffix, and click Enable Replication.
    3. Select Master in the Replication Role field and enter a replica ID. For example:
      These settings configure the ds.example.com host as a master for the dc=example,dc=com suffix and sets the replica ID for this entry to 1.

      Important

      The replica ID must be a unique integer between 1 and 65534 for a suffix across all masters in the topology.
    4. Click Enable Replication.
  4. Add the synchronization agreement and initialize agreement:
    1. Open the Replication menu and select the Winsync Agreements entry.
    2. Click Create Agreement and fill the fields. For example:
      These settings will create a synchronization agreement named example-agreement. The synchronization agreement defines settings, such as the DC's host name, protocol, and authentication information, Directory Server uses when connecting and synchronizing data.
      Optionally, select Sync New Windows Users and Sync New Windows Groups to automatically synchronize new Windows users and groups to Directory Server.
      After the agreement is created, Directory Server initializes the agreement. To initialize the agreement later, do not select Do Online Initialization. Note that synchronization does not start before you initialized the agreement. For details about initializing a synchronization agreement, see Section 16.11.2.2, “Performing a Full Synchronization Using the Web Console”.
    3. Click Save Agreement.
  5. Verify that the initialization was successful:
    1. Open the Replication menu.
    2. Select the Agreements entry.
      If the initialization completed successfully, the web console displays the Error (0) Replica acquired successfully: Incremental update succeeded message in the Last Update Status column.
      Depending of the amount of data to synchronize, the initialization can take up to several hours.