HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

For more information on the .inf request file, see the Microsoft documentation, such as
http://technet.microsoft.com/en-us/library/cc783835.aspx.
b. Generate the certificate request.
certreq -new request.inf request.req
c. Submit the request to the Active Directory CA. For example:
certreq -submit request.req certnew.cer
NOTE:
If the command-line tool returns an error message, then use the Web browser to access
the CA and submit the certificate request. If IIS is running, then the CA URL is
http://servername/certsrv.
d. Accept the certificate request. For example:
certreq -accept certnew.cer
e. Make sure that the server certificate is present on the Active Directory server.
In the File menu, click Add/Remove, then click Certificates and Personal Certificates.
f. Import the CA certificate from Directory Server into Active Directory. Click Trusted Root
CA, then Import, and browse for the Directory Server CA certificate.
5. Reboot the domain controller.
To test that the server is running correctly over SSL, try searching the Active Directory over LDAPS.
9.2.3 Step 3: Select or create the Sync identity
Two user accounts are used to configure Windows Sync:
An Active Directory user, specified in the sync agreement
The user specified in the sync agreement is the identity that Directory Server uses to bind to
Active Directory to send and receive updates. The Active Directory user should be a member
of the Domain Admins group, or have equivalent rights, and must have rights to replicate
directory changes.
For information on adding users and setting privileges in Active Directory, see the Microsoft
documentation.
A Directory Server user, specified in the Password Sync Service
The user referenced in the Password Sync Service must have read and write permissions to
every entry within the synchronized subtree and absolutely must have write access to password
attributes in Directory Server so that Password Sync can update password changes. For
example:
aci: (target="ldap:///cn=sync user,cn=config")(targetattr="userpassword")
(version 3.0;acl "aci1";allow (write,compare) userdn="ldap:///all";)
For security reasons, the Password Sync user should not be Directory Manager and should
not be part of the synchronized subtree.
NOTE:
The user cited in the sync agreement (the supplier DN) exists on the Active Directory server. The
user cited in the Password Sync configuration exists on Directory Server.
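As an added example (not from the guide or the product), a small Python check for the Password Sync ACI described above: it builds a least-privilege ACI that names the sync user's own DN instead of granting password write to all bound users, and reviews a candidate ACI against the rules in this section (write on the password attribute, not Directory Manager, not inside the synchronized subtree). The subtree and user DNs are constructed sample values.

```python
import re

# Constructed sample values (assumptions, not from the guide): the synchronized
# subtree and a dedicated Password Sync bind account kept outside that subtree.
SYNCED_SUBTREE = "ou=People,dc=example,dc=com"
SYNC_USER_DN = "uid=pwsync,ou=Service Accounts,dc=example,dc=com"

def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_is_under(dn, base):
    """True if dn equals base or lies below it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)

def build_password_sync_aci(sync_user_dn, synced_subtree):
    """ACI granting only the sync user write/compare on userPassword within
    the synchronized subtree, instead of userdn="ldap:///all"."""
    return ('(target="ldap:///%s")(targetattr="userPassword")'
            '(version 3.0;acl "Password Sync write";'
            'allow (write,compare) userdn="ldap:///%s";)'
            % (synced_subtree, sync_user_dn))

# Accepts both the quoted LDAP-URL form and the bare userdn=all spelling.
_USERDN = re.compile(r'userdn\s*=\s*"?(?:ldap:///)?([^";)]+)"?', re.I)
_RIGHTS = re.compile(r'allow\s*\(([^)]*)\)', re.I)

def review_aci(aci, sync_user_dn, synced_subtree):
    """Return findings for an ACI meant for the Password Sync user; an empty
    list means it follows the recommendations in this section."""
    findings = []
    m = _USERDN.search(aci)
    if not m:
        findings.append("no userdn bind rule found")
    elif m.group(1).strip().lower() in ("all", "anyone", "self", "parent"):
        findings.append("bind rule grants password write to %s, not to the sync user"
                        % m.group(1).strip())
    elif normalize_dn(m.group(1)) != normalize_dn(sync_user_dn):
        findings.append("bind rule names a different DN than the sync user")
    r = _RIGHTS.search(aci)
    if not r or "write" not in r.group(1).lower():
        findings.append("ACI does not grant write on the password attribute")
    if normalize_dn(sync_user_dn) == "cn=directory manager":
        findings.append("sync user must not be Directory Manager")
    if dn_is_under(sync_user_dn, synced_subtree):
        findings.append("sync user lies inside the synchronized subtree")
    return findings
```

Run review_aci on the ACI you intend to load with ldapmodify before applying it; a non-empty list means the Password Sync account is either over-privileged or placed where the sync itself could modify it.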
To create a synchronized user on Directory Server:
1. Stop the Directory Server.
396 Synchronizing Directory Server with Microsoft Active Directory