Shan Kumaraswamy wrote:
Hi Rich,

Sorry for the delayed reply. After I executed your command, I am getting the following error from my directory server. Please help me to resolve this error.

[r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
        SSL error -5961 (TCP connection reset by peer.)

Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server? On both the linux machine and the windows machine?
Does a reverse DNS lookup on the IP address return that hostname?
Is Active Directory configured to use/listen to SSL?
Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
certutil -L -d /etc/dirsrv/slapd-BMITEST-COM


On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Dear All,
        I am facing the AD Sync issue with FreeIPA to Active
        Directory, and as per the redhat-ds doc I have done all the
        settings from AD front. please help me to resolve this issue.
        And find the below error message:
         [r...@sbttipa001 ~]# ipa-replica-manage add --winsync
        --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw
        secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
        sbtaddc001.bmitest.com -v --passsync bmi.123

        Directory Manager password:
        INFO:root:Shutting down dirsrv:
           BMITEST-COM...                                         [  OK  ]
        INFO:root:
        INFO:root:
        INFO:root:
        INFO:root:Starting dirsrv:
           BMITEST-COM...                                         [  OK  ]
        INFO:root:
        INFO:root:Added CA certificate
        /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate
        database for sbttipa001.bmitest.com
        INFO:root:Restarted directory server sbttipa001.bmitest.com
        INFO:root:Could not validate connection to remote server
        sbtaddc001.bmitest.com:636 - continuing

        INFO:root:The error was: {'info': 'error:14090086:SSL
        routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
        failed', 'desc ': "Can't contact LDAP server"}
        The user for the Windows PassSync service is
        uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
        Windows PassSync entry exists, not resetting password
        INFO:root:Added new sync agreement, waiting for it to become
        ready . . .
        INFO:root:Replication Update in progress: FALSE: status: 49  -
        LDAP error: Invalid credentials: start: 0: end: 0
        INFO:root:Agreement is ready, starting replication . . .
        Starting replication, please wait until this has completed.
        [sbttipa001.bmitest.com] reports: Update failed!
        Status: [49  - LDAP error: Invalid credentials]
        INFO:root:Added agreement for other host
        sbtaddc001.bmitest.com

    Error 49 usually means the password is not correct.  You can use
    mozldap ldapsearch to test the connection like this:

    /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P
    /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
    CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b ""
    "objectclass=*"

-- Thanks & Regards
        Shan Kumaraswamy

        ------------------------------------------------------------------------

        _______________________________________________
        Freeipa-users mailing list
        Freeipa-users@redhat.com
        https://www.redhat.com/mailman/listinfo/freeipa-users





--
Thanks & Regards
Shan Kumaraswamy
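
Added example, not part of the original thread and not FreeIPA code: the DNS round-trip and CA-trust questions asked in the reply above, written as a script that can be run from the IPA host. It assumes the Windows CA certificate is available as a PEM file; the function names and the command-line usage are hypothetical.

```python
import socket
import ssl
import sys


def dns_round_trip(host, fwd=socket.gethostbyname, rev=socket.gethostbyaddr):
    """Resolve host to an IP, reverse-resolve it, and say whether the names agree."""
    ip = fwd(host)
    primary, aliases, _addrs = rev(ip)
    names = {n.lower().rstrip(".") for n in [primary, *aliases]}
    return ip, host.lower().rstrip(".") in names


def classify(exc):
    """Map a handshake outcome to the check from the reply it points at."""
    if exc is None:
        return "ok: certificate chain and hostname verified"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "verify failed: check the CA cert and the hostname (%s)" % exc
    if isinstance(exc, (ConnectionResetError, ssl.SSLEOFError)):
        return "reset during handshake: check that AD is listening with SSL"
    if isinstance(exc, OSError):
        return "cannot connect: check DNS and reachability (%s)" % exc
    raise exc


def probe_ldaps(host, ca_pem, port=636, timeout=5):
    """TLS handshake with host:port, trusting only the CA in ca_pem (PEM file)."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(None)
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <AD hostname> <CA certificate in PEM form>
    ad_host, ca_file = sys.argv[1], sys.argv[2]
    try:
        ip, agrees = dns_round_trip(ad_host)
        print("DNS: %s -> %s, reverse lookup matches: %s" % (ad_host, ip, agrees))
    except OSError as exc:
        print("DNS:", classify(exc))
    print("TLS:", probe_ldaps(ad_host, ca_file))
```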