Shan Kumaraswamy wrote:
After this error, I tried the following steps:
/usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"
Then I got output like this:
version: 1
dn:
currentTime: 20100817220245.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Na
 me,CN=Sites,CN=Configuration,DC=test,DC=ad
namingContexts: DC=test,DC=ad
namingContexts: CN=Configuration,DC=test,DC=ad
namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
namingContexts: DC=DomainDnsZones,DC=test,DC=ad
namingContexts: DC=ForestDnsZones,DC=test,DC=ad
defaultNamingContext: DC=test,DC=ad
schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
configurationNamingContext: CN=Configuration,DC=test,DC=ad
rootDomainNamingContext: DC=test,DC=ad
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 73772
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: Windows.test.ad
ldapServiceName: test.ad:windo...@test.ad
serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
 guration,DC=test,DC=ad
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

Then I tried next step:
/usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
        TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
Please help me to fix this.
This usually means the SSL server's CA cert is not recognized. What does this say:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L
?

On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

    Hi Rich,
    After I did all the steps, I am getting this error:
    INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
    INFO:root:Restarted directory server tesipa001.test.com
    INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
    INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
    Windows PassSync entry exists, not resetting password
    INFO:root:Added new sync agreement, waiting for it to become ready
    . . .
    INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
    INFO:root:Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    [saprhds001.bmibank.com] reports:
    Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
    INFO:root:Added agreement for other host windows.test.ad

    Please help me to fix this issue.
    The syntax I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"
On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        Shan Kumaraswamy wrote:

            Rich,
            While installing IPA, it creates its own CA cert, right?
            (cacert.p12),

        Right.

            and also I did the step of exporting this CA file as dsca.crt.

        Right.  You have to do that so that AD can be an SSL client to
        the IPA SSL server.

            Please let me know steps to generate the IPA CA and server
            cert?

        The other part is that you have to install the AD CA cert in
        IPA so that IPA can be the SSL client to the AD SSL server.

            On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmegg...@redhat.com> wrote:

               Shan Kumaraswamy wrote:


                   Hi,

                   I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now that is not working for me and I am facing a lot of challenges to make this happen.

                   Please find the steps I have done so far:

                   1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that they are working fine

                   2. On the AD side, installed Active Directory Certificate Server as an Enterprise Root

                   3. Copied the “cacert.p12” file and imported it under Certificates - Service (Active Directory Domain Service) on Local Computer using MMC.

                   4. Installed the PassSync.msi file and gave all the required information

                   5. Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt” from the IPA server, copied the .crt file to the AD server and ran the following commands from “cd "C:\Program Files\Red Hat Directory Password Synchronization"”

                   6. certutil.exe -d . -N

                   7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                   8. certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.

                   After these steps, when I try to create a sync agreement from the IPA server I am getting this error:

                   ldap_simple_bind: Can't contact LDAP server
                   SSL error -8179 (Peer's Certificate issuer is not recognized.)

                   Please share the steps to configure AD Sync with the IPA server.

http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

               But it looks as though there is a step missing.  If you use MS AD CA to generate the AD cert,
               and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.


-- Thanks & Regards
                   Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
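Rich's check above (certutil -L on the IPA server's NSS database) decides whether the AD CA certificate is actually present and trusted there; NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER, and it only goes away once the issuing CA sits in that database with the C trust flag in the SSL column. The following is an added example, not code from the thread or from the FreeIPA project: a POSIX shell helper that parses a constructed `certutil -L` listing (the nicknames and flags in it are made up) and reports whether a given nickname is present and trusted as an SSL CA.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a `certutil -d <dir> -L` listing
# for the CA entry the IPA -> AD LDAPS connection needs. NSS error -8179 is
# SEC_ERROR_UNKNOWN_ISSUER: the server's issuing CA is not trusted in this DB.

# Constructed sample in the layout certutil -L prints: two header lines, a
# blank line, then "<nickname>   <SSL,S/MIME,JAR/XPI trust flags>" per cert.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
AD CA cert                                                   ,,'

# trust_attrs LISTING NICKNAME: print the trust-attribute column of NICKNAME
# (e.g. "CTu,u,Cu"), or nothing if the nickname is not in the listing.
trust_attrs() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 {
            attrs = $NF
            # everything before the last column is the nickname (may contain spaces)
            name = substr($0, 1, length($0) - length(attrs))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { print attrs; exit }
        }'
}

# ca_trusted_for_ssl LISTING NICKNAME: returns 0 if NICKNAME exists and its SSL
# column carries C (trusted CA), 1 if it exists without C, 2 if it is missing.
ca_trusted_for_ssl() {
    attrs=$(trust_attrs "$1" "$2")
    [ -n "$attrs" ] || return 2
    case "${attrs%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# On the IPA server, SAMPLE_LISTING would be replaced by
# "$(certutil -d /etc/dirsrv/slapd-XXXX-COM -L)" (the path from the thread).
for nick in "CA certificate" "AD CA cert" "Missing CA"; do
    rc=0; ca_trusted_for_ssl "$SAMPLE_LISTING" "$nick" || rc=$?
    case $rc in
        0) echo "$nick: trusted SSL CA" ;;
        1) echo "$nick: present but not trusted as an SSL CA (re-add with -t CT,,)" ;;
        *) echo "$nick: not in the database (import the AD CA cert first)" ;;
    esac
done
```

The same trust flags are what step 7 in the thread sets on the AD side with `-t CT,,`; the IPA side needs the AD CA imported with the equivalent flags before ldapsearch -ZZ or the winsync agreement can validate the AD server certificate.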
