Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

SSL between the Directory Server Plug-in and Active Directory

By default, Directory Server does not communicate with Active Directory over SSL when performing on-demand password synchronization. If you override the default so that this communication is protected with SSL, the Active Directory CA certificate must be added to the Directory Server certificate database of each master replica, as described in Chapter 3, Understanding the Product. The Directory Server Plug-in opens an LDAPS connection to Active Directory and validates the certificate that Active Directory presents; without the CA certificate that validation fails, so the on-demand password check cannot complete. If the certificate is not added, users fail to bind to Directory Server with the error "DSA is unwilling to perform", and the Plug-in's log (for example, isw-hostname/logs/SUBC100/pluginwps_log_0.txt) reports:


[06/Nov/2006:15:56:16.310 -0600]
INFO    td=0x0376DD74 logCode=81 
ADRepository.cpp:310
"unable to open connection to Active Directory server 
at ldaps://host2.example.com:636, reason: "

In this situation, add the Active Directory CA certificate to the certificate database of every Directory Server master replica that runs the Plug-in, and then restart Directory Server. Restarting is required because the certificate database is read when the server starts.
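The following script is an added example of the procedure above; it is not part of the Sun guide. It retrieves the certificate chain that Active Directory presents on its LDAPS port with openssl s_client, keeps the last (highest) certificate of that chain as the CA certificate, imports it into a DSEE 6 instance as a trusted CA with dsadm add-cert -C, confirms the import, and restarts the instance. The host name host2.example.com and port 636 come from the log entry above; the instance path /local/ds, the alias ad-ca, and the presence of openssl and dsadm in PATH are assumptions. Check the flag semantics against dsadm add-cert --help on your installed version before relying on them, and run the script once on each master replica.

```shell
#!/bin/sh
# Added example, not code from the Sun Java System DSEE guide.
# Assumptions (not in the original page): openssl and dsadm are in PATH,
# the instance lives at /local/ds, and Active Directory sends its full
# chain (server cert up to the CA) in the TLS handshake.

AD_HOST="${AD_HOST:-host2.example.com}"   # from the log entry on the page
AD_PORT="${AD_PORT:-636}"
DS_INSTANCE="${DS_INSTANCE:-/local/ds}"   # assumed instance path
CERT_ALIAS="${CERT_ALIAS:-ad-ca}"         # assumed alias in the cert database

# last_pem_cert: print only the last PEM certificate block read on stdin.
# openssl s_client -showcerts prints the chain leaf first, so the last block
# is the CA (or the nearest intermediate if the root itself is not sent).
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
        in_cert { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { in_cert = 0; last = buf }
        END { printf "%s", last }
    '
}

# pem_cert_count: number of PEM certificates in a file (sanity check).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# fetch_ad_ca: save the CA certificate presented by Active Directory to $1
# and show its subject/issuer so the operator can confirm it is the CA.
fetch_ad_ca() {
    out="$1"
    # </dev/null closes stdin so s_client exits right after the handshake.
    openssl s_client -connect "$AD_HOST:$AD_PORT" -showcerts </dev/null 2>/dev/null \
        | last_pem_cert > "$out"
    if [ "$(pem_cert_count "$out")" -ne 1 ]; then
        echo "no certificate received from $AD_HOST:$AD_PORT" >&2
        return 1
    fi
    openssl x509 -in "$out" -noout -subject -issuer
}

# verify_chain: fail unless AD's server certificate validates against the
# saved CA file. This is the same check the Plug-in performs on connect.
verify_chain() {
    openssl s_client -connect "$AD_HOST:$AD_PORT" -CAfile "$1" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# import_and_restart: add the CA to the instance's certificate database
# (-C = trusted CA rather than server certificate), list it, restart.
import_and_restart() {
    dsadm add-cert -C "$DS_INSTANCE" "$CERT_ALIAS" "$1"
    dsadm list-certs -C "$DS_INSTANCE" | grep -- "$CERT_ALIAS"
    dsadm restart "$DS_INSTANCE"
}

main() {
    ca_file="${TMPDIR:-/tmp}/ad-ca-$$.pem"
    fetch_ad_ca "$ca_file"
    verify_chain "$ca_file" || { echo "AD chain does not verify against $ca_file" >&2; exit 1; }
    import_and_restart "$ca_file"
    rm -f "$ca_file"
}

# Run the procedure only when invoked as: sh add-ad-ca.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

If verify_chain fails even though the certificate was fetched, Active Directory is presenting a certificate issued by a CA that is not in the chain it sends; in that case export the CA certificate from the Active Directory CA itself and pass that file to import_and_restart instead.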