Shan Kumaraswamy wrote:
Rich,
You mean the AD Administrator password or IPA admin password?
AD

I'm trying to find out why IPA cannot make a connection to AD. So the hostname should be the AD hostname, and the -D (binddn) should be the DN of the user that IPA uses to bind to AD, and the password should be the password for that user.

On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        When I try to run this command I am getting this error:
        [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

        ldap_simple_bind: Invalid credentials
        ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771

    You are not providing the correct password.



        On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

            Please keep replies on list

            Shan Kumaraswamy wrote:

                Rich,
                Does a reverse DNS lookup on the IP address return that hostname? - Yes
                Is Active Directory configured to use/listen to SSL? - Yes, Active Directory Cert Auth installed and the cert exported and verified.

                Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? - Yes, "Imported CA cert"

                certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It is listing the installed cert.
                I am trying to create a sync agreement from the IPA server using the following syntax:
                ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v

                Please correct me where I am going wrong?

            ldap_simple_bind: Can't contact LDAP server
            SSL error -5961 (TCP connection reset by peer.)

            This usually indicates some low level error.  Let's try this:
            /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

            Does that work?

                On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                    Shan Kumaraswamy wrote:

                        Hi Rich,

                        Sorry for the delayed reply. After I executed your command I am getting the following error from my directory server. Please help me to resolve this error.

                        [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

                        ldap_simple_bind: Can't contact LDAP server
                        SSL error -5961 (TCP connection reset by peer.)

                    Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server?  On both the linux machine and the windows machine?
                    Does a reverse DNS lookup on the IP address return that hostname?
                    Is Active Directory configured to use/listen to SSL?
                    Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
                    certutil -L -d /etc/dirsrv/slapd-BMITEST-COM

                        On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                            Shan Kumaraswamy wrote:

                                Dear All,
                                I am facing the AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings from the AD front. Please help me to resolve this issue.
                                And find the below error message:
                                [r...@sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123

                                Directory Manager password:
                                INFO:root:Shutting down dirsrv:
                                    BMITEST-COM... [ OK ]
                                INFO:root:
                                INFO:root:
                                INFO:root:
                                INFO:root:Starting dirsrv:
                                    BMITEST-COM... [ OK ]
                                INFO:root:
                                INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
                                INFO:root:Restarted directory server sbttipa001.bmitest.com
                                INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
                                INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                                The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
                                Windows PassSync entry exists, not resetting password
                                INFO:root:Added new sync agreement, waiting for it to become ready . . .
                                INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
                                INFO:root:Agreement is ready, starting replication . . .
                                Starting replication, please wait until this has completed.
                                [sbttipa001.bmitest.com] reports: Update failed!
                                Status: [49  - LDAP error: Invalid credentials]
                                INFO:root:Added agreement for other host sbtaddc001.bmitest.com

                            Error 49 usually means the password is not correct.  You can use mozldap ldapsearch to test the connection like this:

                            /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

                                --
                                Thanks & Regards
                                Shan Kumaraswamy

                                _______________________________________________
                                Freeipa-users mailing list
                                Freeipa-users@redhat.com
                                https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
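The thread above hits three different failures of the same LDAPS bind from the IPA host to the domain controller: a TCP reset on port 636 (NSS error -5961), an OpenSSL "certificate verify failed" because the DC's certificate did not chain to a CA in the 389-ds certificate database, and LDAP result 49 whose AD "data 52e" sub-code confirms Rich's diagnosis of a wrong password. The script below is an added example, not code from the thread or from FreeIPA. It runs Rich's checks in the order he asked for them (forward and reverse DNS, a TLS handshake against the DC using the exported AD CA, the CA's presence in the NSS database, then the mozldap simple bind) and decodes the hex value after "data" in AD's AcceptSecurityContext error, so a wrong password can be told apart from a bind DN that does not exist in AD (525), a disabled account (533) or a lockout (775). Hostnames and paths are taken from the thread; the variables AD_HOST, BIND_DN, BIND_PW, CA_FILE and CERTDB and the function names are this script's own; the SAMPLE_AD_ERROR text is constructed (copied from the thread) so the decoder can be exercised offline. Nothing touches the network unless AD_HOST is set.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread): LDAPS-to-AD bind diagnostics
# for a FreeIPA winsync setup. Assumes mozldap ldapsearch, NSS certutil and
# openssl are installed on the IPA host. Network checks run only when AD_HOST is set.

CERTDB="${CERTDB:-/etc/dirsrv/slapd-BMITEST-COM}"                # 389-ds NSS database dir (assumed)
CA_FILE="${CA_FILE:-/etc/dirsrv/slapd-BMITEST-COM/adsync.cer}"   # exported AD CA cert (assumed)
BIND_DN="${BIND_DN:-CN=ipaadmin,CN=Users,DC=bmitest,DC=com}"      # AD user IPA binds as (assumed)
BIND_PW="${BIND_PW:-}"

# Map the hex "data NNN" value in AD's AcceptSecurityContext error to its meaning.
# AD returns these Windows logon sub-status codes alongside LDAP result 49
# (invalidCredentials); only 52e means "the account exists and the password is wrong".
ad_bind_error_reason() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/.*AcceptSecurityContext error, data \([0-9A-Fa-f]*\),.*/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f')
    case "$code" in
        52e) echo "52e invalid credentials (wrong password for an existing account)" ;;
        525) echo "525 user not found (bind DN does not exist in AD; check the container, e.g. CN=Users)" ;;
        530) echo "530 logon not permitted at this time (logon hours restriction)" ;;
        531) echo "531 logon not permitted from this workstation" ;;
        532) echo "532 password expired" ;;
        533) echo "533 account disabled" ;;
        701) echo "701 account expired" ;;
        773) echo "773 user must change password at next logon" ;;
        775) echo "775 account locked out" ;;
        "")  echo "no AD data code in error text" ;;
        *)   echo "$code unknown AD logon sub-status" ;;
    esac
}

# Classify the three failure modes seen in the thread from ldapsearch's stderr text.
classify_bind_failure() {
    out="$1"
    case "$out" in
        *"SSL error -5961"*)
            echo "transport: TCP reset on 636 - AD is not serving LDAPS (no server cert issued to the DC, or a firewall); check with openssl s_client" ;;
        *"certificate verify failed"*)
            echo "tls: the DC cert does not chain to a CA in $CERTDB; import the AD CA with: certutil -A -d $CERTDB -n 'AD CA' -t CT,, -a -i $CA_FILE" ;;
        *"Invalid credentials"*)
            echo "bind: $(ad_bind_error_reason "$out")" ;;
        *)
            echo "unclassified" ;;
    esac
}

run_checks() {
    host="$1"
    echo "== DNS forward/reverse for $host"
    ip=$(getent hosts "$host" | awk '{print $1; exit}') || ip=""
    [ -n "$ip" ] || { echo "no address record for $host"; return 1; }
    getent hosts "$ip" | grep -qi "$host" || echo "WARNING: PTR for $ip does not return $host"

    echo "== TLS handshake on 636 using the exported AD CA"
    # s_client fails outright on a refused/reset connection; otherwise its
    # 'Verify return code' line says whether the DC cert chains to CA_FILE.
    printf '' | openssl s_client -connect "$host:636" -CAfile "$CA_FILE" 2>&1 \
        | grep -E 'Verify return code|connect:|error' || true

    echo "== Trusted CA certs in the 389-ds NSS database"
    # certutil -L prints two header lines, then "nickname  trust-flags"; C = trusted CA.
    certutil -L -d "$CERTDB" | awk 'NR > 2 && $NF ~ /C/ { print }'

    echo "== Simple bind over LDAPS as $BIND_DN"
    # 2>&1 >/dev/null keeps stderr (the bind error) and discards the search result.
    err=$(/usr/lib64/mozldap/ldapsearch -h "$host" -p 636 -Z -P "$CERTDB/cert8.db" \
          -D "$BIND_DN" -w "$BIND_PW" -s base -b "" "objectclass=*" 2>&1 >/dev/null) \
        && { echo "bind OK"; return 0; }
    echo "$err"
    classify_bind_failure "$err"
    return 1
}

# Constructed sample: the error text Shan posted, used for offline testing.
SAMPLE_AD_ERROR='ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771'

if [ -n "${AD_HOST:-}" ]; then
    run_checks "$AD_HOST"
else
    classify_bind_failure "$SAMPLE_AD_ERROR"
fi
```

Run it as `AD_HOST=sbtaddc001.bmitest.com BIND_PW=... sh ldaps-check.sh` on the IPA host. Each stage is gated on the previous one because the errors in the thread are layered: the -5961 reset shows up before any certificate is exchanged, the verify failure shows up only once AD is actually listening on 636, and the data code only once TLS succeeds and the bind is rejected. A 525 from the decoder is the signal to look at the bind DN itself rather than the password; Administrator in AD lives under CN=Users,DC=..., so an extra component such as CN=Accounts (an IPA-tree container) in an AD DN names an entry that does not exist.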
