Troubleshooting Problems With SSL Between the Directory Server and Active Directory (Sun Java System Directory Server Enterprise Edition 6.2 Troubleshooting Guide)

Sun Java System Directory Server Enterprise Edition 6.2 Troubleshooting Guide

Troubleshooting Problems With SSL Between the Directory Server and Active Directory

By default, Directory Server does not communicate with Active Directory over SSL when performing on-demand password synchronization. If the default is overridden to protect this communication with SSL, then the Active Directory CA certificate must be added to the Directory Server certificate database of each master replica as described in Chapter 4, Understanding the Product, in Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.

If the Active Directory CA certificate is not added, users fail to bind to Directory Server with the error DSA is unwilling to perform. The plug-in’s log, isw-hostname /logs/SUBC100/pluginwps_log_0.txt, reports the following:

[06/Nov/2006:15:56:16.310 -0600]
INFO    td=0x0376DD74 logCode=81 
ADRepository.cpp:310
"unable to open connection to Active Directory server 
at ldaps://host2.example.com:636, reason: "

If you receive these errors, you must add the Active Directory CA certificate to Directory Server’s certificate database and restart Directory Server.