On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Rich,
You mean the AD Administrator password or the IPA admin password?
AD
I'm trying to find out why IPA cannot make a connection to AD. So the hostname should be the AD hostname, the -D (binddn) should be the DN of the user that IPA uses to bind to AD, and the password should be the password for that user.
On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
When I try to run this command I am getting this error:
[r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771
You are not providing the correct password.
On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <[email protected]> wrote:
Please keep replies on list
Shan Kumaraswamy wrote:
Rich,
Does a reverse DNS lookup on the IP address return that hostname? - Yes
Is Active Directory configured to use/listen to SSL? - Yes, Active Directory Cert Auth is installed, and the cert was exported and verified.
Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? - Yes, "Imported CA cert"
certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert
I am trying to create a sync agreement from the IPA server using the following syntax:
ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v
Please correct me where I am doing wrong?
ldap_simple_bind: Can't contact LDAP server
SSL error -5961 (TCP connection reset by peer.)
This usually indicates some low level error. Let's try this:
/usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
Does that work?
On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Hi Rich,
Sorry for the delayed reply. After I executed your command I am getting the following error from my directory server. Please help me to resolve this error.
[r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
SSL error -5961 (TCP connection reset by peer.)
Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server? On both the linux machine and the windows machine?
Does a reverse DNS lookup on the IP address return that hostname?
Is Active Directory configured to use/listen to SSL?
Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Dear All,
I am facing an AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings on the AD side. Please help me to resolve this issue.
Find the error message below:
[r...@sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123
Directory Manager password:
INFO:root:Shutting down dirsrv: BMITEST-COM...
[ OK ]
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv: BMITEST-COM...
[ OK ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
INFO:root:Restarted directory server sbttipa001.bmitest.com
INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 49 - LDAP error: Invalid credentials: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[sbttipa001.bmitest.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
INFO:root:Added agreement for other host sbtaddc001.bmitest.com
Error 49 usually means the password is not correct. You can use mozldap ldapsearch to test the connection like this:
/usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
-- Thanks & Regards
Shan Kumaraswamy
------------------------------------------------------------------------
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
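Rich's reading of the three failures in this thread (a TCP reset during the TLS handshake, an untrusted AD certificate, and error 49 with AD's "data 52e" diagnostic) can be turned into a small triage helper that tells the layers apart before anyone reaches for a password. This is an added example, not code from the thread or from FreeIPA; the function name classify_bind_error and the sample strings are constructed here, and the sub-code table is the well-known set Active Directory reports after "data" in its AcceptSecurityContext diagnostic.

```python
import re

# Sub-codes Active Directory appends after "data" in its
# "AcceptSecurityContext error" diagnostic (well-known, printed in hex).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_DIAG_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_error(output):
    """Return (category, detail) for a failed bind's error text.
    Order matters: an AD credentials diagnostic proves the TCP and TLS
    layers already worked, so it is checked before the transport errors."""
    m = _AD_DIAG_RE.search(output)
    if m:
        code = m.group(1).lower()
        return "credentials", AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code " + code)
    if "Invalid credentials" in output:
        return "credentials", "LDAP error 49 without an AD diagnostic"
    if "certificate verify failed" in output:
        return "tls", "AD server cert not trusted: check the CA cert in cert8.db"
    if "SSL error -5961" in output or "reset by peer" in output:
        return "transport", "TCP reset during TLS setup: check that port 636 is an LDAPS listener and not filtered"
    if "Can't contact LDAP server" in output:
        return "transport", "no connection to the LDAP server"
    return "unknown", output.strip()


# Constructed samples, shaped like the three failures in the thread.
SAMPLE_AD_52E = ("ldap_simple_bind: Invalid credentials\n"
                 "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
                 "comment: AcceptSecurityContext error, data 52e, v1771\n")
SAMPLE_RESET = ("ldap_simple_bind: Can't contact LDAP server\n"
                "SSL error -5961 (TCP connection reset by peer.)\n")
SAMPLE_VERIFY = ("{'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
                 "certificate verify failed', 'desc ': \"Can't contact LDAP server\"}")

if __name__ == "__main__":
    for sample in (SAMPLE_AD_52E, SAMPLE_RESET, SAMPLE_VERIFY):
        print(classify_bind_error(sample))
```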