Shan Kumaraswamy wrote:
After this error, I have triyed your the following steps:
/usr/lib64/mozldap/ldapsearch -h <> -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*" Then I got output like this:
version: 1
currentTime: 20100817220245.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Na
namingContexts: DC=test,DC=ad
namingContexts: CN=Configuration,DC=test,DC=ad
namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
namingContexts: DC=DomainDnsZones,DC=test,DC=ad
namingContexts: DC=ForestDnsZones,DC=test,DC=ad
defaultNamingContext: DC=test,DC=ad
schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
configurationNamingContext: CN=Configuration,DC=test,DC=ad
rootDomainNamingContext: DC=test,DC=ad
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 73772
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: <>
ldapServiceName: <http://TEST.AD>
serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

Then I tried next step:
/usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h <> -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
        TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
Please help me to fix this.....
This usually means the SSL server's CA cert is not recognized. What does this say:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L

On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy < <>> wrote:

    Hi Rich,
    After I did all the steps, I am getting this error:
INFO:root:Added CA certificate
    /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for <>
    INFO:root:Restarted directory server
    INFO:root:Could not validate connection to remote server <> - continuing
    INFO:root:The error was: {'info': 'error:14090086:SSL
    routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
    'desc': "Can't contact LDAP server"}
    The user for the Windows PassSync service is
    Windows PassSync entry exists, not resetting password
    INFO:root:Added new sync agreement, waiting for it to become ready
    . . .
    INFO:root:Replication Update in progress: FALSE: status: 81  -
    LDAP error: Can't contact LDAP server: start: 0: end: 0
    INFO:root:Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    [ <>] reports:
    Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
    INFO:root:Added agreement for other host

    Please help me to fix this issue.
The syntex I used: ipa-replica-manage add --winsync --binddn
    CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password"
    --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer
    <> -v --passsync "password"
On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson
    < <>> wrote:

        Shan Kumaraswamy wrote:

             While installing IPA its creates its won CA cert right?


            and also I done the setep of export this CA file as dsca.crt.

        Right.  You have to do that so that AD can be an SSL client to
        the IPA SSL server.

            Please let me know steps to generate the IPA CA and server

        The other part is that you have to install the AD CA cert in
        IPA so that IPA can be the SSL client to the AD SSL server.

             On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson
            < <>
            < <>>>

               Shan Kumaraswamy wrote:


                   I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I
            want to sync
                   with Active Directory (windows 2008 R2). Can please
                   have step-by-step configuration doc and share to me?
                   Previously I have done the same exercise, but now
            that is not
                   working for me and I am facing lot of challenges to
            make this

                   Please find the steps what exactly I done so for:

                   1.       Installed RHDS 8.1 and FreeIPA 1.2.1 and
                   properly and tested its working fine

                   2.       In AD side, installed Active Directory
                   Server as a Enterprise Root

                   3.       Copy the “cacert.p12” file and imported under
                   Certificates –Service (Active Directory Domain
            service) on
                   Local Computer using MMC.

                   4.       Installed PasSync.msi file and given all
            the required

                   5.       Run the command “certutil -d . -L -n "CA
                   -a > dsca.crt” from IPA server and copied the .crt
            file in to
                   AD server and ran this command from “cd "C:\Program
                   Hat Directory Password Synchronization"

                   6.       certutil.exe -d . -N

                   7.       certutil.exe -d . -A -n "DS CA cert" -t
            CT,, -a -i

                   8.       certutil.exe -d . -L -n "DS CA cert" and
            rebooted the
                   AD server.

                   After this steps, when try to create sync agreement
            from IPA
                   server I am getting  this error:

                            ldap_simple_bind: Can't contact LDAP server

                          SSL error -8179 (Peer's Certificate issuer
            is not

                   Please share the steps to configure AD Sync with
            IPA server.

               But it looks as though there is a step missing.  If you
            use MS AD
               CA to generate the AD cert, and use IPA to generate the
            IPA CA and
               server cert, then you have to import the MS AD CA cert
            into IPA.

-- Thanks & Regards
                   Shan Kumaraswamy

-- Thanks & Regards
            Shan Kumaraswamy

-- Thanks & Regards
    Shan Kumaraswamy

Thanks & Regards
Shan Kumaraswamy

Freeipa-users mailing list

Reply via email to