Red Hat Directory Server 8.0 Administrator's Guide

NOTE
If the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request. If IIS is running, then the CA URL is http://servername/certsrv.
iv. Accept the certificate request. For example:
certreq -accept cernew.cer
v. Make sure that the server certificate is present on the Active Directory server. In the File menu, click Add/Remove, then click Certificates and Personal>Certificates.
vi. Import the CA certificate from Directory Server into Active Directory. Click Trusted Root CA, then Import, and browse for the Directory Server CA certificate.
For more information, see http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.
2.3. Step 3: Select or Create the Sync Identity
There are two users used to configure Windows Sync: an Active Directory user, specified in the sync agreement, and a Directory Server user, specified in the Password Sync service.
The user specified in the sync agreement is the identity as which Directory Server binds to Active Directory to send and receive updates. The Active Directory user should be a member of the Domain Admins group, or have equivalent rights, and must have rights to replicate directory changes. This limits the extent of the Windows directory that can be affected by the sync ID to only the synchronized subtree. For information on adding users and setting privileges in Active Directory, see the Microsoft documentation.
The user referenced in the Password Sync service must have read and write permissions to every entry within the synchronized subtree and absolutely must have write access to password attributes in Directory Server so that Password Sync can update password changes.
For security reasons, the Password Sync user should not be Directory Manager and should not be part of the synchronized subtree. For information on adding users, see Chapter 2, Creating Directory Entries; for information on setting permissions, see Chapter 6, Managing Access Control. For information on creating a special sync ID, see Section 3, “Creating the Supplier Bind DN Entry”.
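The following LDIF is an added example, not taken from this guide, showing one way to create a dedicated Password Sync identity that meets the requirements above: the entry lives outside the synchronized subtree, is not Directory Manager, and receives read and write access (including to userPassword) on the synchronized subtree only. The suffix dc=example,dc=com, the subtree ou=People, the container ou=Special Users and the uid pwsync are assumed names.

```ldif
# Added example, not from the Administrator's Guide. Assumed names:
# dc=example,dc=com is the suffix, ou=People is the synchronized subtree,
# and ou=Special Users holds service identities outside that subtree.

# 1. Create the Password Sync bind identity outside the synchronized
#    subtree, so it is never itself synchronized and is not Directory Manager.
dn: uid=pwsync,ou=Special Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pwsync
cn: Password Sync Service
sn: Service
description: Bind identity used only by the Password Sync service
userPassword: REPLACE-WITH-A-STRONG-PASSWORD

# 2. Grant that identity read and write access to every entry in the
#    synchronized subtree only. targetattr="*" includes userPassword, which
#    Password Sync must be able to write; nothing outside ou=People is granted.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Password Sync read/write in synced subtree"; allow (read, search, compare, write) userdn="ldap:///uid=pwsync,ou=Special Users,dc=example,dc=com";)
```

Load the file as an administrative user, for example with ldapmodify -D "cn=Directory Manager" -w <password> -f pwsync.ldif, then bind as uid=pwsync from the Password Sync host to confirm it can read and modify entries under ou=People but nothing above it.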
Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory