Shan Kumaraswamy wrote:
Yes, I am able to get the output using the port, but without a password.
/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -s base -b "" "objectclass=*"
Ok.  Now try doing a search of your user subtree:
/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -b "CN=users,DC=bmitest,DC=com" "objectclass=*" dn


You will likely have to provide a password for this
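
A small classifier for the bind failures seen in this thread, added here as an example; it is not part of the original exchange and not code from IPA or mozldap. It parses the "LdapErr" diagnostic that Active Directory appends to a failed simple bind and maps the four messages quoted in the thread below (strong authentication required, invalid credentials with data 52e, the -5961 TCP reset, and the certificate-verify failure printed by ipa-replica-manage) to a cause and a next step. The sample transcripts are constructed from the thread's output; the table of Win32 "data" codes is the documented AD mapping, and the category names and advice strings are this example's own.

```python
import re

# Win32 logon errors that AD surfaces in the "data" field of an
# AcceptSecurityContext diagnostic (hex in the message, e.g. "data 52e").
AD_BIND_DATA_CODES = {
    0x525: ("ERROR_NO_SUCH_USER", "bind DN does not exist"),
    0x52e: ("ERROR_LOGON_FAILURE", "wrong password, or a DN form AD cannot resolve"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "logon not permitted from this host"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "password must be changed at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Shape of the AD diagnostic: "<hresult>: LdapErr: DSID-<id>, comment: <text>, data <hex>, v<ver>"
LDAPERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>\w+)"
)


def parse_ldaperr(text):
    """Return the fields of the first AD 'LdapErr' diagnostic in text, or None."""
    m = LDAPERR_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["data"] = int(fields["data"], 16)
    return fields


def classify(text):
    """Map one failed ldapsearch transcript to (category, explanation)."""
    err = parse_ldaperr(text)
    if err is not None and err["hresult"].lower() == "00002028":
        # LDAP result 8 (strongerAuthRequired): the DC's "LDAP server signing
        # requirements" policy refuses a cleartext simple bind. The fix is the
        # transport, not the password.
        return ("strong_auth_required",
                "simple bind refused on a cleartext connection; bind over LDAPS "
                "(-p 636 with -Z and -P <certdb>) or use a signed SASL bind")
    if err is not None and "AcceptSecurityContext" in err["comment"]:
        name, meaning = AD_BIND_DATA_CODES.get(
            err["data"], ("UNKNOWN", "unrecognised Win32 logon error"))
        return ("invalid_credentials",
                "data %x (%s): %s" % (err["data"], name, meaning))
    if "certificate verify failed" in text:
        return ("tls_untrusted_cert",
                "the AD certificate does not chain to a CA in the client's cert db; "
                "import the issuing CA certificate (not the server cert) and retry")
    if "SSL error -5961" in text or "connection reset by peer" in text:
        return ("tls_connection_reset",
                "TCP reset during the TLS handshake; confirm AD listens on 636, "
                "that the name resolves to the DC forward and reverse, and that "
                "no firewall is in the path")
    return ("unknown", text.strip().splitlines()[0] if text.strip() else "")


# Constructed samples: the four failures quoted in this thread.
SAMPLES = {
    "strong_auth": (
        "ldap_simple_bind: Strong authentication required\n"
        "ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, "
        "comment: The server requires binds to turn on integrity checking if "
        "SSL\\TLS are not already active on the connection, data 0, v1771\n"),
    "bad_password": (
        "ldap_simple_bind: Invalid credentials\n"
        "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
        "comment: AcceptSecurityContext error, data 52e, v1771\n"),
    "reset": (
        "ldap_simple_bind: Can't contact LDAP server\n"
        "\tSSL error -5961 (TCP connection reset by peer.)\n"),
    "untrusted_ca": (
        "INFO:root:The error was: {'info': 'error:14090086:SSL routines:"
        "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', "
        "'desc': \"Can't contact LDAP server\"}\n"),
}


def classify_samples():
    """Classify every constructed sample; returns {name: category}."""
    return {name: classify(text)[0] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        category, why = classify(text)
        print("%-13s %-22s %s" % (name, category, why))
```

The order of the checks matters: an AD "LdapErr" line is authoritative when present, so it is parsed first; the TLS-layer strings are only consulted when the bind never reached AD's authentication code. Paste the stderr of a failing ldapsearch (or the "INFO:root:The error was" line from ipa-replica-manage) into classify() to get the same diagnosis the thread works out by hand.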

On Tue, Mar 9, 2010 at 7:38 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Yes, I can get the output when I ran this step:
         Command: /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -s base -b "" "objectclass=*"

        Output:
         version: 1
        dn:
        currentTime: 20100309160730.0Z
        subschemaSubentry:
        CN=Aggregate,CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
        dsServiceName: CN=NTDS Settings,CN=SBTADDC001,CN=Servers,CN=Bahrain-Site,CN=Sites,CN=Configuration,DC=BMITEST,DC=COM
        namingContexts: DC=BMITEST,DC=COM
        namingContexts: CN=Configuration,DC=BMITEST,DC=COM
        namingContexts: CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
        namingContexts: DC=DomainDnsZones,DC=BMITEST,DC=COM
        namingContexts: DC=ForestDnsZones,DC=BMITEST,DC=COM
        defaultNamingContext: DC=BMITEST,DC=COM
        schemaNamingContext: CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
        configurationNamingContext: CN=Configuration,DC=BMITEST,DC=COM
        rootDomainNamingContext: DC=BMITEST,DC=COM
        supportedControl: 1.2.840.113556.1.4.319
        supportedControl: 1.2.840.113556.1.4.801
        supportedControl: 1.2.840.113556.1.4.473
        supportedControl: 1.2.840.113556.1.4.528
        supportedControl: 1.2.840.113556.1.4.417
        supportedControl: 1.2.840.113556.1.4.619
        supportedControl: 1.2.840.113556.1.4.841
        supportedControl: 1.2.840.113556.1.4.529
        supportedControl: 1.2.840.113556.1.4.805
        supportedControl: 1.2.840.113556.1.4.521
        supportedControl: 1.2.840.113556.1.4.970
        supportedControl: 1.2.840.113556.1.4.1338
        supportedControl: 1.2.840.113556.1.4.474
        supportedControl: 1.2.840.113556.1.4.1339
        supportedControl: 1.2.840.113556.1.4.1340
        supportedControl: 1.2.840.113556.1.4.1413
        supportedControl: 2.16.840.1.113730.3.4.9
        supportedControl: 2.16.840.1.113730.3.4.10
        supportedControl: 1.2.840.113556.1.4.1504
        supportedControl: 1.2.840.113556.1.4.1852
        supportedControl: 1.2.840.113556.1.4.802
        supportedControl: 1.2.840.113556.1.4.1907
        supportedControl: 1.2.840.113556.1.4.1948
        supportedControl: 1.2.840.113556.1.4.1974
        supportedControl: 1.2.840.113556.1.4.1341
        supportedControl: 1.2.840.113556.1.4.2026
        supportedLDAPVersion: 3
        supportedLDAPVersion: 2
        supportedLDAPPolicies: MaxPoolThreads
        supportedLDAPPolicies: MaxDatagramRecv
        supportedLDAPPolicies: MaxReceiveBuffer
        supportedLDAPPolicies: InitRecvTimeout
        supportedLDAPPolicies: MaxConnections
        supportedLDAPPolicies: MaxConnIdleTime
        supportedLDAPPolicies: MaxPageSize
        supportedLDAPPolicies: MaxQueryDuration
        supportedLDAPPolicies: MaxTempTableSize
        supportedLDAPPolicies: MaxResultSetSize
        supportedLDAPPolicies: MaxNotificationPerConn
        supportedLDAPPolicies: MaxValRange
        highestCommittedUSN: 905371
        supportedSASLMechanisms: GSSAPI
        supportedSASLMechanisms: GSS-SPNEGO
        supportedSASLMechanisms: EXTERNAL
        supportedSASLMechanisms: DIGEST-MD5
        dnsHostName: SBTADDC001.BMITEST.COM

          Please let me know the syntax of IPA AD sync.

    Ok.  Now try it with the ldaps port (-p 636)
    /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

        On Tue, Mar 9, 2010 at 7:03 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               Rich, again some errors:
                [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"

               ldap_simple_bind: Strong authentication required
               ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1771

           If this is your real password, as simo said, please change it
           immediately.

           So at least you are talking to the AD server now.  It is telling
           you that it will not accept a bind using a clear text password
           over an insecure connection - that is, try using SSL as we did
           previously:

           /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

                        On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                  Shan Kumaraswamy wrote:

                      Rich,
                      You mean the AD Administrator password or the IPA admin password?

                  AD

                  I'm trying to find out why IPA cannot make a connection to AD.  So
                  the hostname should be the AD hostname, and the -D (binddn) should
                  be the DN of the user that IPA uses to bind to AD, and the
                  password should be the password for that user.


                      On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                         Shan Kumaraswamy wrote:

                             When I try to run this command I am getting this error:
                              [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

                             ldap_simple_bind: Invalid credentials
                             ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771

                         You are not providing the correct password.



                              On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                Please keep replies on list

                                Shan Kumaraswamy wrote:

                                    Rich,
                                     Does a reverse DNS lookup on the IP address return that hostname? - Yes
                                     Is Active Directory configured to use/listen to SSL? - Yes, Active Directory Cert Auth installed, and the cert exported and verified.

                                     Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? - Yes, "Imported CA cert"

                                    certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert.
                                    I am trying to create a sync agreement from the IPA server using the following syntax:
                                     ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v

                                     Please correct me where I am doing wrong.

                                ldap_simple_bind: Can't contact LDAP server
                                     SSL error -5961 (TCP connection reset by peer.)

                                This usually indicates some low level error.  Let's try this:
                                /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"

                                Does that work?

                                    On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                       Shan Kumaraswamy wrote:

                                           Hi Rich,

                                           Sorry for the delayed reply. After I executed your command I am getting the following error from my directory server. Please help me to resolve this error.

                                           [r...@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

                                           ldap_simple_bind: Can't contact LDAP server
                                                  SSL error -5961 (TCP connection reset by peer.)

                                       Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server?
                                        On both the linux machine and the windows machine?
                                       Does a reverse DNS lookup on the IP address return that hostname?
                                       Is Active Directory configured to use/listen to SSL?
                                       Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
                                       certutil -L -d /etc/dirsrv/slapd-BMITEST-COM

                                           On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                              Shan Kumaraswamy wrote:

                                                  Dear All,
                                                  I am facing the AD Sync
               issue with
                             FreeIPA to Active
                                                  Directory, and as
        per the
                      redhat-ds doc I
                             have
                                    done all the
                                                  settings from AD
        front. please
                      help me to
                                    resolve this
                                           issue.
                                                  And find the below error
               message:
                                                   [r...@sbttipa001 ~]#
                      ipa-replica-manage add
                                    --winsync
                                                  --binddn
                             CN=ipaadmin,CN=users,DC=bmitest,DC=com
                                    --bindpw
                                                  secretpw --ca cert
/etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com <http://sbtaddc001.bmitest.com/>
               <http://sbtaddc001.bmitest.com/>
                      <http://sbtaddc001.bmitest.com/>
                             <http://sbtaddc001.bmitest.com/>
                                    <http://sbtaddc001.bmitest.com/>
                             <http://sbtaddc001.bmitest.com/>
<http://sbtaddc001.bmitest.com/> <http://sbtaddc001.bmitest.com
        <http://sbtaddc001.bmitest.com/> <http://sbtaddc001.bmitest.com/>
                      <http://sbtaddc001.bmitest.com/>
                             <http://sbtaddc001.bmitest.com/>
                                    <http://sbtaddc001.bmitest.com/>
<http://sbtaddc001.bmitest.com/>

<http://sbtaddc001.bmitest.com/>> -v
                             --passsync
                                    bmi.123

                                                  Directory Manager
        password:
                                                  INFO:root:Shutting
        down dirsrv:
BMITEST-COM... [ OK ]
                                                  INFO:root:
                                                  INFO:root:
                                                  INFO:root:
                                                  INFO:root:Starting
        dirsrv:
BMITEST-COM... [ OK ]
                                                  INFO:root:
                                                  INFO:root:Added CA
        certificate
/etc/dirsrv/slapd-BMITEST-COM/adsync.cer to
                                    certificate
                                                  database for
                      sbttipa001.bmitest.com
        <http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/>
               <http://sbttipa001.bmitest.com/>
                             <http://sbttipa001.bmitest.com/>
                                    <http://sbttipa001.bmitest.com/>
<http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com
        <http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/>
                      <http://sbttipa001.bmitest.com/>
                             <http://sbttipa001.bmitest.com/>
                                    <http://sbttipa001.bmitest.com/>
<http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/>>

                                                  INFO:root:Restarted
               directory server
                                           sbttipa001.bmitest.com
        <http://sbttipa001.bmitest.com/>
               <http://sbttipa001.bmitest.com/>
                      <http://sbttipa001.bmitest.com/>
                             <http://sbttipa001.bmitest.com/>
                      <http://sbttipa001.bmitest.com/>
                                    <http://sbttipa001.bmitest.com/>
<http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com
        <http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/>
                      <http://sbttipa001.bmitest.com/>
                             <http://sbttipa001.bmitest.com/>
                                    <http://sbttipa001.bmitest.com/>
<http://sbttipa001.bmitest.com/> <http://sbttipa001.bmitest.com/>>

INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[sbttipa001.bmitest.com] reports: Update failed! Status: [49  - LDAP error: Invalid credentials]
INFO:root:Added agreement for other host sbtaddc001.bmitest.com


Error 49 usually means the password is not correct.  You can use mozldap ldapsearch to test the connection like this:

/usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"

-- 
Thanks & Regards
Shan Kumaraswamy

------------------------------------------------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






--
Thanks & Regards
Shan Kumaraswamy
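The log above shows two separate failures that are easy to conflate: first ipa-replica-manage could not validate the TLS connection to the domain controller ("certificate verify failed"), then the sync agreement itself was rejected with LDAP error 49 (Invalid credentials). Rich's advice is to take the connector out of the loop and probe the DC with mozldap ldapsearch. As an added example that is not part of the thread and not FreeIPA's own code, the POSIX shell script below turns that into a two-stage check: stage 1 reads the rootDSE anonymously over LDAPS, which exercises only the certificate trust in cert8.db; stage 2 binds as the sync account and reads the user container, which is the step that returns 49 when the password is wrong. Assumptions, labelled in the comments: ldapsearch exits with the LDAP result code (49 invalidCredentials, 81 serverDown, 91 connectError), the certificate-related substrings cover both OpenSSL and NSS wording, `-w -` makes mozldap ldapsearch prompt for the password, and the certutil command in the advice text is the standard NSS import syntax. Hostnames, DNs and paths default to the values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): two-stage LDAPS check against an AD
# domain controller, modelled on the ldapsearch commands posted above.
# Stage 1 reads the rootDSE anonymously over LDAPS and only exercises TLS
# and certificate trust; stage 2 binds as the sync account and reads the
# user container, which is what fails with LDAP error 49 when the password
# is wrong. Defaults below are the thread's values; override via environment.
DCHOST=${DCHOST:-sbtaddc001.bmitest.com}
CERTDB=${CERTDB:-/etc/dirsrv/slapd-BMITEST-COM/cert8.db}
BINDDN=${BINDDN:-CN=administrator,CN=users,DC=bmitest,DC=com}
BASEDN=${BASEDN:-CN=users,DC=bmitest,DC=com}
LDAPSEARCH=${LDAPSEARCH:-/usr/lib64/mozldap/ldapsearch}

# Map ldapsearch's exit status (assumed to be the LDAP result code) plus its
# stderr text to the stage that failed: 0 success, 49 invalidCredentials,
# 81 serverDown (the code behind "Can't contact LDAP server"), 91 connectError.
# The certificate substrings are an assumption meant to cover both the OpenSSL
# wording seen in the log and NSS's "Peer's certificate ..." messages.
classify_result() {
    rc=$1
    err=$2
    case "$rc" in
        0)  echo ok ;;
        49) echo invalid-credentials ;;
        81|91)
            case "$err" in
                *certificate*|*Certificate*|*SSL*|*TLS*) echo tls-verify-failed ;;
                *) echo server-unreachable ;;
            esac ;;
        *)  echo "ldap-error-$rc" ;;
    esac
}

# What to do next for each classification.
next_step() {
    case "$1" in
        ok)
            echo "TLS and bind both succeeded; the agreement credentials should work" ;;
        tls-verify-failed)
            echo "DC certificate not trusted: import the AD CA cert into $(dirname "$CERTDB") (certutil -d <that dir> -A -n 'AD CA' -t CT,, -i ca.cer) and rerun stage 1" ;;
        invalid-credentials)
            echo "TLS is fine; bind DN or password rejected (LDAP error 49). Re-check the account used for the agreement" ;;
        server-unreachable)
            echo "Nothing answered on $DCHOST:636; check DNS, firewall and that the DC has a server certificate for LDAPS" ;;
        *)
            echo "Unexpected result '$1'; run ldapsearch by hand and read the full error" ;;
    esac
}

# Stage 1: anonymous rootDSE read (the command that already worked in the
# thread, minus the bind DN so no password is involved).
check_tls() {
    err=$("$LDAPSEARCH" -Z -P "$CERTDB" -h "$DCHOST" -p 636 \
            -s base -b "" "objectclass=*" namingContexts 2>&1 >/dev/null)
    classify_result $? "$err"
}

# Stage 2: authenticated read of the user container. "-w -" is assumed to
# make mozldap ldapsearch prompt for the password instead of taking it on
# the command line, where it would show up in ps output and shell history.
check_bind() {
    err=$("$LDAPSEARCH" -Z -P "$CERTDB" -h "$DCHOST" -p 636 \
            -D "$BINDDN" -w - -s base -b "$BASEDN" "objectclass=*" dn 2>&1 >/dev/null)
    classify_result $? "$err"
}

main() {
    r=$(check_tls)
    echo "stage 1 (TLS to $DCHOST:636): $r"
    next_step "$r"
    [ "$r" = ok ] || return 1
    r=$(check_bind)
    echo "stage 2 (bind as $BINDDN): $r"
    next_step "$r"
    [ "$r" = ok ]
}

# Only contact the DC when explicitly asked, so the functions can be
# sourced or exercised without a live server.
if [ "${RUN_LDAPS_CHECK:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_LDAPS_CHECK=1 sh ldaps-check.sh`; stage 2 is skipped until stage 1 passes, so a trust problem is never misread as a bad password and vice versa.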

