Rich, again some errors:

[r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"
ldap_simple_bind: Strong authentication required
ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1771

On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> Shan Kumaraswamy wrote:
>
>> Rich,
>> You mean the AD Administrator password or IPA admin password?
>>
> AD
>
> I'm trying to find out why IPA cannot make a connection to AD. So the hostname should be the AD hostname, and the -D (binddn) should be the DN of the user that IPA uses to bind to AD, and the password should be the password for that user.
>
>> On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> When I try to run this command I am getting this error:
>> [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>>
>> ldap_simple_bind: Invalid credentials
>> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771
>>
>> You are not providing the correct password.
>>
>> On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>> Please keep replies on list
>>
>> Shan Kumaraswamy wrote:
>>
>> Rich,
>> Does a reverse DNS lookup on the IP address return that hostname? -Yes
>> Is Active Directory configured to use/listen to SSL? -Yes, Active Directory Cert Auth installed and exported the and verified.
>>
>> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? -yes "Imported CA cert"
>>
>> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing installed cert
>> I am trying to create a sync agreement from the IPA server using the following syntax:
>> ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v
>>
>> Please correct me where I am doing wrong?
>>
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -5961 (TCP connection reset by peer.)
>>
>> This usually indicates some low level error. Let's try this:
>> /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>>
>> Does that work?
>>
>> On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> Hi Rich,
>>
>> Sorry for the delayed reply, after I executed your command I am getting the following error from my directory server. Please help me to resolve this error.
>>
>> [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>>
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -5961 (TCP connection reset by peer.)
>>
>> Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server?
>> On both the linux machine and the windows machine?
>> Does a reverse DNS lookup on the IP address return that hostname?
>> Is Active Directory configured to use/listen to SSL?
>> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
>> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>>
>> On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> Dear All,
>> I am facing the AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings from AD front. Please help me to resolve this issue.
>> And find the below error message:
>> [r...@sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv: BMITEST-COM... [ OK ]
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv: BMITEST-COM... [ OK ]
>> INFO:root:
>> INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
>> INFO:root:Restarted directory server sbttipa001.bmitest.com
>> INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
>> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"}
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 49 - LDAP error: Invalid credentials: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [sbttipa001.bmitest.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
>> INFO:root:Added agreement for other host sbtaddc001.bmitest.com
>>
>> Error 49 usually means the password is not correct. You can use mozldap ldapsearch to test the connection like this:
>>
>> /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>>
>> -- Thanks & Regards
>> Shan Kumaraswamy
>

--
Thanks & Regards
Shan Kumaraswamy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
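
Added example, not part of the thread and not FreeIPA code: a small POSIX shell helper that maps the error strings seen in this thread (the AD `LdapErr` code and `data` sub-code, and the two TLS failures) to a likely cause and the next check. The function name `classify_ad_bind_error` is hypothetical, and the `data` sub-code table is an assumption based on the commonly documented Windows logon failure codes.

```shell
#!/bin/sh
# Added example (not from the thread): triage the error text printed when a
# bind to Active Directory fails. The "data" sub-code table below is an
# assumption (commonly documented Windows logon failure codes).

classify_ad_bind_error() {
    _line=$1
    # Transport failures carry no LdapErr field, so match them first.
    case $_line in
        *"SSL error -5961"*)
            echo "tls-reset: check that AD listens for SSL on 636 and DNS resolves both ways"
            return 0 ;;
        *"certificate verify failed"*)
            echo "tls-untrusted: import the Windows CA certificate into the client cert db"
            return 0 ;;
    esac
    # AD format: <8 hex>: LdapErr: DSID-<id>, comment: <text>, data <hex>, v<build>
    _f=$(printf '%s\n' "$_line" |
        sed -n 's/.*\([0-9A-Fa-f]\{8\}\): LdapErr: DSID-[0-9A-Fa-f]*,.*, data \([0-9A-Fa-f]*\),.*/\1 \2/p' |
        tr 'A-F' 'a-f')
    [ -n "$_f" ] || { echo "unknown: no LdapErr field found"; return 1; }
    _code=${_f% *}   # text before the space: the 8-digit LdapErr code
    _data=${_f#* }   # text after the space: the "data" sub-code
    case $_code in
        00002028)
            echo "signing-required: simple bind refused without SSL/TLS; retry with -p 636 -Z -P <certdb>" ;;
        80090308)
            case $_data in
                525) echo "bad-bind: bind user not found" ;;
                52e) echo "bad-bind: wrong password or bind DN" ;;
                532) echo "bad-bind: password expired" ;;
                533) echo "bad-bind: account disabled" ;;
                701) echo "bad-bind: account expired" ;;
                773) echo "bad-bind: password must be changed" ;;
                775) echo "bad-bind: account locked out" ;;
                *)   echo "bad-bind: AcceptSecurityContext failed, data $_data" ;;
            esac ;;
        *)  echo "unmapped: LdapErr code $_code, data $_data" ;;
    esac
}

# Error lines taken from the thread above.
classify_ad_bind_error 'ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771'
classify_ad_bind_error 'ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1771'
classify_ad_bind_error 'SSL error -5961 (TCP connection reset by peer.)'
```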