Shan Kumaraswamy wrote:
Rich, again some errors:
[r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"
ldap_simple_bind: Strong authentication required
ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1771
If this is your real password, as Simo said, please change it immediately.

So at least you are talking to the AD server now. It is telling you that it will not accept a bind using a clear text password over an insecure connection - that is, try using SSL as we did previously:

/usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Rich,
        Your mean the AD Administrator password or IPA admin password?

    AD

    I'm trying to find out why IPA cannot make a connection to AD.  So
    the hostname should be the AD hostname, and the -D (binddn) should
    be the DN of the user that IPA uses to bind to AD, and the
    password should be the password for that user.


        On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               When I try to run this command I am getting this error:
               [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

               ldap_simple_bind: Invalid credentials
               ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771

           You are not providing the correct password.



               On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                  Please keep replies on list

                  Shan Kumaraswamy wrote:

                      Rich,
                      Does a reverse DNS lookup on the IP address return that hostname? -Yes
                      Is Active Directory configured to use/listen to SSL? -Yes, Active Directory Cert Auth installed, and exported and verified.

                      Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? -yes "Imported CA cert"

                      certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert
                      I am trying to create a sync agreement from the IPA server using the following syntax:
                      ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v

                      Please correct me where I am doing wrong?

                  ldap_simple_bind: Can't contact LDAP server
                       SSL error -5961 (TCP connection reset by peer.)

                  This usually indicates some low level error.  Let's try this:
                  /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

                  Does that work?

                      On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                         Shan Kumaraswamy wrote:

                             Hi Rich,

                             Sorry for the delayed reply; after I executed your command I am getting the following error from my directory server. Please help me to resolve this error.

                             [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

                             ldap_simple_bind: Can't contact LDAP server
                                    SSL error -5961 (TCP connection reset by peer.)

                         Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server?
                          On both the linux machine and the windows machine?
                         Does a reverse DNS lookup on the IP address return that hostname?
                         Is Active Directory configured to use/listen to SSL?
                         Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
                         certutil -L -d /etc/dirsrv/slapd-BMITEST-COM

                             On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                Shan Kumaraswamy wrote:

                                    Dear All,
                                    I am facing the AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings from the AD front. Please help me to resolve this issue.
                                    And find the below error message:
                                    [r...@sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123

                                    Directory Manager password:
                                    INFO:root:Shutting down dirsrv: BMITEST-COM... [ OK ]
                                    INFO:root:
                                    INFO:root:
                                    INFO:root:
                                    INFO:root:Starting dirsrv: BMITEST-COM... [ OK ]
                                    INFO:root:
                                    INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
                                    INFO:root:Restarted directory server sbttipa001.bmitest.com
                                    INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
                                    INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                                    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
                                    Windows PassSync entry exists, not resetting password
                                    INFO:root:Added new sync agreement, waiting for it to become ready . . .
                                    INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
                                    INFO:root:Agreement is ready, starting replication . . .
                                    Starting replication, please wait until this has completed.
                                    [sbttipa001.bmitest.com] reports: Update failed! Status: [49  - LDAP error: Invalid credentials]
                                    INFO:root:Added agreement for other host sbtaddc001.bmitest.com


                                 Error 49 usually means the password is not correct.  You can use mozldap ldapsearch to test the connection like this:

                                 /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

                                    --
                                    Thanks & Regards
                                    Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
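The thread walks through three different reasons a bind from the IPA host to the domain controller can fail: a TCP reset during TLS setup (NSS error -5961), a certificate chain the client cannot verify, the AD "data 52e" sub-code behind LDAP result 49 (invalid credentials), and finally AD's 00002028 refusal of a cleartext simple bind. As an added example that is not part of the thread or of the FreeIPA project, the Python helper below classifies the text an LDAP client printed into one of those failure modes and names the next check, in the order the thread applied them. The sample strings are constructed from the messages quoted above; the sub-code table goes beyond the 52e seen here to the other standard AD values returned in the same position.

```python
import re
from dataclasses import dataclass

# Well-known AD sub-codes that follow "AcceptSecurityContext error, data" on a
# failed simple bind (LDAP result 49). 52e is the one seen in this thread; the
# rest are the standard values AD returns in the same position.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN is not the user's DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


@dataclass(frozen=True)
class Diagnosis:
    category: str   # credentials | transport-policy | certificate | transport | unknown
    detail: str
    next_step: str


def diagnose_bind_error(output: str) -> Diagnosis:
    """Classify the text an LDAP client printed after a failed bind to AD."""
    text = output.strip()

    # 1. AD rejected the DN/password: "data 52e" style sub-code after result 49.
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", text)
    if m:
        code = m.group(1).lower()
        meaning = AD_BIND_DATA_CODES.get(code, "unrecognised AD sub-code")
        return Diagnosis("credentials", f"data {code}: {meaning}",
                         "verify the bind DN and password with a plain ldapsearch "
                         "before touching the sync agreement")

    # 2. AD accepted the connection but refuses cleartext simple binds (0x2028).
    if "00002028" in text or "Strong authentication required" in text:
        return Diagnosis("transport-policy",
                         "server policy forbids simple bind without SSL/TLS or "
                         "signing (integrity checking)",
                         "repeat the bind over LDAPS/StartTLS (ldapsearch -ZZ -P <certdb>)")

    # 3. The TLS handshake reached the server but the chain did not verify.
    if "certificate verify failed" in text:
        return Diagnosis("certificate",
                         "client could not validate the server certificate chain",
                         "import the issuing CA certificate into the client cert db "
                         "and re-test")

    # 4. The connection was torn down before any LDAP exchange (NSS -5961).
    if "SSL error -5961" in text or "connection reset by peer" in text.lower():
        return Diagnosis("transport",
                         "TCP connection reset during TLS setup",
                         "confirm the DC listens on 636 and that the hostname resolves "
                         "to the DC on both sides (forward and reverse DNS)")

    if "Can't contact LDAP server" in text:
        return Diagnosis("transport", "no LDAP session established",
                         "check hostname, port and firewall path")

    first_line = text.splitlines()[0] if text else ""
    return Diagnosis("unknown", first_line, "inspect the client and server logs")


# Constructed samples modelled on the client output quoted in the thread.
SAMPLES = {
    "invalid_creds": (
        "ldap_simple_bind: Invalid credentials\n"
        "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
        "comment: AcceptSecurityContext error, data 52e, v1771"
    ),
    "strong_auth": (
        "ldap_simple_bind: Strong authentication required\n"
        "ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: "
        "The server requires binds to turn on integrity checking if SSL\\TLS are not "
        "already active on the connection, data 0, v1771"
    ),
    "reset": (
        "ldap_simple_bind: Can't contact LDAP server\n"
        "       SSL error -5961 (TCP connection reset by peer.)"
    ),
    "cert": (
        "INFO:root:The error was: {'info': 'error:14090086:SSL routines:"
        "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', "
        "'desc': \"Can't contact LDAP server\"}"
    ),
}


def triage_all(samples=SAMPLES):
    """Return {sample name: category} for every sample; used by main() and tests."""
    return {name: diagnose_bind_error(text).category for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        d = diagnose_bind_error(text)
        print(f"{name:13s} -> {d.category:16s} {d.detail}")
        print(f"{'':17s} next: {d.next_step}")
```

The checks are ordered so that the more specific signal wins: the IPA log line in the thread contains both "certificate verify failed" and "Can't contact LDAP server", and only the former tells you what to fix. Pipe `ldapsearch` or `ipa-replica-manage` output into `diagnose_bind_error` from your own wrapper; the helper deliberately never prints or stores the bind password.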
