HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
To synchronize passwords (which is the only way for users to be active on both Directory Server
and Active Directory), synchronization must run over TLS/SSL. This configuration section
therefore assumes that TLS/SSL is also configured.
Configuring synchronization over TLS/SSL is similar to configuring replication over TLS/SSL:
both sync peers must be configured to trust each other's certificates so that they can open
encrypted sessions (all password operations are performed over TLS/SSL).
Synchronization of user and group entries is passive from the Active Directory side: the
Directory Server sends its own updates and polls the Active Directory domain for changes.
Passwords are handled differently. Active Directory requires a separate password service, which
actively sends password changes from the Active Directory domain to the Directory Server.
9.2.1 Step 1: Configure SSL on Directory Server
The full instructions for configuring the Directory Server to run over SSL are in “Enabling TLS/SSL
only in the Directory Server” (page 481). In summary, the Directory Server needs the appropriate
SSL certificates installed, must be configured to listen on an SSL port, and must allow client
authentication from other servers.
Two kinds of certificates must be issued and installed on both the Directory Server and the Active
Directory sync peer:
• A CA certificate, shared between the Directory Server and Active Directory; each peer trusts
the other's server certificate through this CA
• A server certificate for each synchronized peer (Directory Server and Active Directory),
accessible to the synchronization services
To set up SSL:
1. Generate a certificate request.
a. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
b. Select the Server Certs tab, and click the Request button.
c. Fill in the certificate information, and save the certificate request to a file.
2. Submit the certificate request to a certificate authority (CA), and retrieve the certificate
after it is issued.
The method for submitting certificate requests and retrieving issued certificates varies for each CA.
3. Install the new certificate.
a. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
b. Select the Server Certs tab, and click Install.
c. Paste in the certificate, and set the password for the token database.
4. Install the CA certificate for the issuing CA.
a. Download and save the CA certificate from the CA's site. Each CA has a slightly different
way of making its CA certificate available.
b. In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
c. Go to the CA Certs tab, and click Install.
d. Paste in the CA certificate or point to the downloaded file, and go through the certificate
installer.
5. Change the server to the SSL port.
a. Open the Directory Server Console, and open the Configuration tab for the Directory
Server.
b. In the Settings tab, set the secure port for the server to use for TLS/SSL communications,
such as 636. Click Save.
c. Select the Encryption tab in the right pane.
394 Synchronizing Directory Server with Microsoft Active Directory
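The Console steps above, as an added command-line example that is not from the guide: it drives the same NSS certificate database that the Manage Certificates dialog edits, using the NSS certutil tool, and writes the secure-port and client-authentication settings with ldapmodify. The database path, host name, subject DN, certificate nicknames and bind DN are placeholders. The cn=config attribute names (nsslapd-security, nsslapd-secureport, nsSSLClientAuth and the cn=RSA encryption module) are assumed from the Red Hat/389 Directory Server code base that HP-UX Directory Server derives from, and the ldapmodify options are OpenLDAP's; check both against your installation before use.

```shell
#!/bin/sh
# Added example, not from the HP-UX Directory Server guide: command-line
# equivalent of the Console certificate and SSL steps. Paths, host name,
# nicknames, subject DN and bind DN below are placeholders; the cn=config
# attribute names are assumed from the Red Hat/389 Directory Server code base.
DS_CERTDB="${DS_CERTDB:-/etc/opt/dirsrv/slapd-example}"  # assumed NSS db path
DS_HOST="${DS_HOST:-ds.example.com}"                       # hypothetical host
DS_LDAP_PORT="${DS_LDAP_PORT:-389}"
DS_SECURE_PORT="${DS_SECURE_PORT:-636}"
DS_CERT_NICK="${DS_CERT_NICK:-Server-Cert}"                # assumed nickname
CA_NICK="${CA_NICK:-Sync-CA}"                              # assumed nickname
DS_BIND_DN="${DS_BIND_DN:-cn=Directory Manager}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run CMD...: echo the command line, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Step 1: generate a key pair in the NSS database and write a PEM
# certificate request to $1 (certutil prompts for the token password).
cert_request() {
    run certutil -R -d "$DS_CERTDB" -g 2048 -a -o "$1" \
        -s "CN=$DS_HOST,O=Example Corp"    # placeholder subject DN
}

# Step 3: install the certificate the CA issued (PEM file $1) under the
# nickname the server is told to use. ",," = no explicit trust: the server
# certificate is trusted through its issuing CA, not by itself.
install_server_cert() {
    run certutil -A -d "$DS_CERTDB" -n "$DS_CERT_NICK" -t ",," -a -i "$1"
}

# Step 4: install the shared CA certificate (PEM file $1). Trust flags:
# C = trusted to issue SSL server certificates, T = trusted to issue SSL
# client certificates. T is needed because the sync peer authenticates with
# its own certificate from the same CA; with C alone the session encrypts
# but the peer's client certificate is rejected.
install_ca_cert() {
    run certutil -A -d "$DS_CERTDB" -n "$CA_NICK" -t "CT,," -a -i "$1"
}

# Step 5: LDIF that enables the secure port and client authentication, the
# settings the Console's Settings and Encryption tabs write. "allowed" lets
# the peer present a certificate without forcing every client to do so.
ssl_ldif() {
    cat <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: $DS_CERT_NICK
nsSSLToken: internal (software)
nsSSLActivation: on

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-secureport
nsslapd-secureport: $DS_SECURE_PORT
EOF
}

# Apply the LDIF over the still-unencrypted port (OpenLDAP ldapmodify syntax).
enable_ssl() {
    ssl_ldif | run ldapmodify -x -h "$DS_HOST" -p "$DS_LDAP_PORT" -D "$DS_BIND_DN" -W
    echo "restart the instance for the secure port to come up" >&2
}

# Check after the restart: the chain must verify against the shared CA ($1),
# and the subject shown must carry this host's name, or the peer refuses it.
verify_tls() {
    run openssl s_client -connect "$DS_HOST:$DS_SECURE_PORT" \
        -CAfile "$1" -verify_return_error </dev/null
}

main() {
    case "${1:-}" in
        request) cert_request "$2" ;;
        install) install_server_cert "$2" ;;
        ca)      install_ca_cert "$2" ;;
        enable)  enable_ssl ;;
        verify)  verify_tls "$2" ;;
        *) echo "usage: $0 request CSR.pem | install CERT.pem | ca CA.pem | enable | verify CA.pem" >&2
           return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run the subcommands in the order of the procedure: request, then ca and install once the CA returns the certificate, then enable followed by a restart, then verify. DRY_RUN=1 prints every command without executing it. The detail practitioners most often get wrong is the CA trust flags: installing the CA with C alone still encrypts the session, but the peer's client certificate is not trusted, and password synchronization, which depends on the peers trusting each other, fails.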