Please keep replies on list

Shan Kumaraswamy wrote:
Rich,
Does a reverse DNS lookup on the IP address return that hostname? - Yes
Is Active Directory configured to use/listen to SSL? - Yes, Active Directory Cert Auth is installed and I exported the cert and verified it.


Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? - Yes, "Imported CA cert"

certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - it is listing the installed cert.

I am trying to create a sync agreement from the IPA server using the following syntax:

ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v

Please correct me where I am going wrong.
ldap_simple_bind: Can't contact LDAP server
      SSL error -5961 (TCP connection reset by peer.)

This usually indicates some low-level error.  Let's try this:
/usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

Does that work?


On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Hi Rich,

        Sorry for the delayed reply. After I executed your command I am
        getting the following error from my directory server. Please
        help me to resolve this error.

        [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

        ldap_simple_bind: Can't contact LDAP server
               SSL error -5961 (TCP connection reset by peer.)

    Is sbtaddc001.bmitest.com the real, registered DNS address for the
    Active Directory server? On both the linux machine and the windows
    machine?
    Does a reverse DNS lookup on the IP address return that hostname?
    Is Active Directory configured to use/listen to SSL?
    Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain
    the CA cert of the windows CA?
    certutil -L -d /etc/dirsrv/slapd-BMITEST-COM


         On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               Dear All,
               I am facing an AD Sync issue with FreeIPA to Active
               Directory, and as per the redhat-ds doc I have done all the
               settings on the AD side. Please help me to resolve this
               issue. Find the error message below:

               [r...@sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123

               Directory Manager password:
               INFO:root:Shutting down dirsrv:
                   BMITEST-COM... [ OK ]
               INFO:root:
               INFO:root:
               INFO:root:
               INFO:root:Starting dirsrv:
                   BMITEST-COM... [ OK ]
               INFO:root:
               INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
               INFO:root:Restarted directory server sbttipa001.bmitest.com
               INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
               INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"}
               The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
               Windows PassSync entry exists, not resetting password
               INFO:root:Added new sync agreement, waiting for it to become ready . . .
               INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
               INFO:root:Agreement is ready, starting replication . . .
               Starting replication, please wait until this has completed.
               [sbttipa001.bmitest.com] reports: Update failed! Status: [49  - LDAP error: Invalid credentials]
               INFO:root:Added agreement for other host sbtaddc001.bmitest.com


           Error 49 usually means the password is not correct.  You can use
           mozldap ldapsearch to test the connection like this:

           /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

               -- 
               Thanks & Regards
               Shan Kumaraswamy


               _______________________________________________
               Freeipa-users mailing list
               Freeipa-users@redhat.com

               https://www.redhat.com/mailman/listinfo/freeipa-users





        -- 
        Thanks & Regards
        Shan Kumaraswamy





--
Thanks & Regards
Shan Kumaraswamy
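The checks Rich asks for above (forward and reverse DNS, an LDAPS listener on 636, a server certificate that chains to the Windows CA cert imported into the IPA cert database, and only then a bind) can be run in order by a script. The following is an added example written for this thread, not FreeIPA or 389-ds code: it performs those checks against a domain controller with Python's standard `ssl` and `socket` modules and maps both the live failures and the error strings quoted in the thread (mozldap `SSL error -5961`, OpenSSL `certificate verify failed`, LDAP error 49) to one set of diagnosis keys, so you can tell a transport problem from a trust problem from a credentials problem before touching `ipa-replica-manage`. The host name, port and CA file path are constructed defaults; the two NSS error codes for unknown issuer and bad cert domain are taken from the NSS headers, not from the thread. The bind itself is left to `ldapsearch`; note that the thread uses two different administrator DNs (with and without `CN=Accounts`), and error 49 only says that AD rejected whichever DN and password it was given.

```python
"""Pre-flight check for the LDAPS link that ipa-replica-manage --winsync needs.

Added example for this thread, not FreeIPA or 389-ds code.  It walks the
checks from the thread (forward DNS, reverse DNS, TCP, TLS against a CA file)
and maps both live failures and the error strings quoted in the thread to one
set of diagnosis keys.  Host, port and CA path below are constructed defaults.
"""
import re
import socket
import ssl

# What to look at next for each diagnosis key.
ADVICE = {
    "dns": "The DC name does not resolve on the IPA host; fix forward DNS first.",
    "reverse_dns": "Reverse lookup of the DC address does not return the DC name.",
    "refused": "Nothing is listening on that port on the DC.",
    "reset": "TCP connected but the DC closed it during the TLS handshake (mozldap "
             "reports this as SSL error -5961); a DC with no usable server "
             "certificate in its machine store behaves this way.",
    "timeout": "No answer at all; look for a firewall between the IPA host and the DC.",
    "cafile": "The CA file could not be read; it must exist and be PEM "
              "(convert a DER export with: openssl x509 -inform der -in x.cer -out x.pem).",
    "untrusted": "TLS started but the DC certificate does not chain to a CA in the "
                 "given trust store; the Windows CA cert must be in the IPA cert db.",
    "hostname": "TLS started but the certificate name does not match the name used "
                "to connect; use the DC's real FQDN, not an alias or address.",
    "bind": "The TLS layer is fine; LDAP error 49 means AD rejected the bind DN or "
            "password, so check the DN exactly as it exists in AD.",
    "ok": "LDAPS connection verified.",
    "unknown": "Unrecognised failure; capture the full error text.",
}

# Error strings from the thread plus the NSS codes (assumed from the NSS headers)
# for SEC_ERROR_UNKNOWN_ISSUER (-8179) and SSL_ERROR_BAD_CERT_DOMAIN (-12276).
LOG_PATTERNS = [
    (re.compile(r"SSL error -5961|connection reset by peer", re.I), "reset"),
    (re.compile(r"certificate verify failed|unknown issuer|-8179", re.I), "untrusted"),
    (re.compile(r"hostname mismatch|bad cert domain|-12276", re.I), "hostname"),
    (re.compile(r"Invalid credentials", re.I), "bind"),
]


def classify_log_line(line):
    """Map one line of ipa-replica-manage or ldapsearch output to a diagnosis key."""
    for pattern, key in LOG_PATTERNS:
        if pattern.search(line):
            return key
    return "unknown"


def classify_failure(exc):
    """Map an exception from the live DNS/TCP/TLS steps to a diagnosis key."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Python folds the SAN/CN hostname check into certificate verification.
        return "hostname" if "hostname mismatch" in str(exc).lower() else "untrusted"
    if isinstance(exc, (ConnectionResetError, ssl.SSLEOFError, ssl.SSLZeroReturnError)):
        return "reset"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "dns"
    return "unknown"


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Run the checks in order; stop at the first failure and say what it means."""
    report = {"host": host, "port": port, "addresses": [], "steps": []}

    def finish(key):
        report["diagnosis"] = key
        report["advice"] = ADVICE[key]
        return report

    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return finish("dns")
    report["addresses"] = sorted({info[4][0] for info in infos})
    report["steps"].append("forward DNS ok")

    for addr in report["addresses"]:
        try:
            rname = socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            rname = ""
        if rname.lower().rstrip(".") != host.lower().rstrip("."):
            report["steps"].append(f"reverse lookup of {addr} gave {rname!r}")
            return finish("reverse_dns")
    report["steps"].append("reverse DNS ok")

    # The default context verifies the chain and the hostname; a cafile replaces
    # the system trust store with the exported Windows CA cert (PEM).
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:
        report["error"] = repr(exc)
        return finish("cafile")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            report["steps"].append("TCP ok")
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                report["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
                report["steps"].append(f"TLS ok ({tls.version()})")
    except Exception as exc:  # classify rather than hide the failure
        report["error"] = repr(exc)
        return finish(classify_failure(exc))
    return finish("ok")


if __name__ == "__main__":
    import sys
    # Constructed defaults: pass the DC FQDN and the PEM CA file exported from AD.
    dc = sys.argv[1] if len(sys.argv) > 1 else "sbtaddc001.bmitest.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/etc/dirsrv/slapd-BMITEST-COM/dsca.cer"
    result = check_ldaps(dc, cafile=ca)
    for step in result["steps"]:
        print(" ", step)
    print(result["diagnosis"], "-", result["advice"])
```

Run it on the IPA host as `python3 ldaps_check.py sbtaddc001.bmitest.com /path/to/ca.pem`; a `reset` result means the transport died before any certificate was exchanged, which is what `SSL error -5961` in the thread says and which no amount of CA importing on the IPA side will fix, while `untrusted` or `hostname` points at the trust store or the DC's certificate name, and only after `ok` is it worth debugging the error 49 bind with `ldapsearch`.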

