Shan Kumaraswamy wrote:
Please find the below output of the command:
[r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
I'm assuming "Imported CA" is the MS AD CA.  Do this:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"

On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <> wrote:

    Shan Kumaraswamy wrote:

        After this error, I have tried the following steps:
         /usr/lib64/mozldap/ldapsearch -h <> -D
        "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b
        "" "objectclass=*"

         Then I got output like this:
        version: 1
        currentTime: 20100817220245.0Z
        dsServiceName: CN=NTDS
        namingContexts: DC=test,DC=ad
        namingContexts: CN=Configuration,DC=test,DC=ad
        namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
        namingContexts: DC=DomainDnsZones,DC=test,DC=ad
        namingContexts: DC=ForestDnsZones,DC=test,DC=ad
        defaultNamingContext: DC=test,DC=ad
        schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
        configurationNamingContext: CN=Configuration,DC=test,DC=ad
        rootDomainNamingContext: DC=test,DC=ad
        supportedControl: 1.2.840.113556.1.4.319
        supportedControl: 1.2.840.113556.1.4.801
        supportedControl: 1.2.840.113556.1.4.473
        supportedControl: 1.2.840.113556.1.4.528
        supportedControl: 1.2.840.113556.1.4.417
        supportedControl: 1.2.840.113556.1.4.619
        supportedControl: 1.2.840.113556.1.4.841
        supportedControl: 1.2.840.113556.1.4.529
        supportedControl: 1.2.840.113556.1.4.805
        supportedControl: 1.2.840.113556.1.4.521
        supportedControl: 1.2.840.113556.1.4.970
        supportedControl: 1.2.840.113556.1.4.1338
        supportedControl: 1.2.840.113556.1.4.474
        supportedControl: 1.2.840.113556.1.4.1339
        supportedControl: 1.2.840.113556.1.4.1340
        supportedControl: 1.2.840.113556.1.4.1413
        supportedControl: 2.16.840.1.113730.3.4.9
        supportedControl: 2.16.840.1.113730.3.4.10
        supportedControl: 1.2.840.113556.1.4.1504
        supportedControl: 1.2.840.113556.1.4.1852
        supportedControl: 1.2.840.113556.1.4.802
        supportedControl: 1.2.840.113556.1.4.1907
        supportedControl: 1.2.840.113556.1.4.1948
        supportedControl: 1.2.840.113556.1.4.1974
        supportedControl: 1.2.840.113556.1.4.1341
        supportedControl: 1.2.840.113556.1.4.2026
        supportedControl: 1.2.840.113556.1.4.2064
        supportedControl: 1.2.840.113556.1.4.2065
        supportedLDAPVersion: 3
        supportedLDAPVersion: 2
        supportedLDAPPolicies: MaxPoolThreads
        supportedLDAPPolicies: MaxDatagramRecv
        supportedLDAPPolicies: MaxReceiveBuffer
        supportedLDAPPolicies: InitRecvTimeout
        supportedLDAPPolicies: MaxConnections
        supportedLDAPPolicies: MaxConnIdleTime
        supportedLDAPPolicies: MaxPageSize
        supportedLDAPPolicies: MaxQueryDuration
        supportedLDAPPolicies: MaxTempTableSize
        supportedLDAPPolicies: MaxResultSetSize
        supportedLDAPPolicies: MinResultSets
        supportedLDAPPolicies: MaxResultSetsPerConn
        supportedLDAPPolicies: MaxNotificationPerConn
        supportedLDAPPolicies: MaxValRange
        highestCommittedUSN: 73772
        supportedSASLMechanisms: GSSAPI
        supportedSASLMechanisms: GSS-SPNEGO
        supportedSASLMechanisms: EXTERNAL
        supportedSASLMechanisms: DIGEST-MD5
        dnsHostName: <>
        ldapServiceName: <>

        supportedCapabilities: 1.2.840.113556.1.4.800
        supportedCapabilities: 1.2.840.113556.1.4.1670
        supportedCapabilities: 1.2.840.113556.1.4.1791
        supportedCapabilities: 1.2.840.113556.1.4.1935
        supportedCapabilities: 1.2.840.113556.1.4.2080
        isSynchronized: TRUE
        isGlobalCatalogReady: TRUE
        domainFunctionality: 4
        forestFunctionality: 4
        domainControllerFunctionality: 4

        Then I tried the next step:
         /usr/lib64/mozldap/ldapsearch -ZZ -P
        /etc/dirsrv/slapd-XXXX-COM/cert8.db -h <> -D
        "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base
        -b "" "objectclass=*"

        ldap_simple_bind: Can't contact LDAP server
                TLS/SSL error -8179 (Peer's Certificate issuer is not
        Please help me to fix this.....

    This usually means the SSL server's CA cert is not recognized.
    What does this say:
    certutil -d /etc/dirsrv/slapd-XXXX-COM -L

         On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <>

           Hi Rich,
           After I did all the steps, I am getting this error:
           INFO:root:Added CA certificate
           /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for

           INFO:root:Restarted directory server

           INFO:root:Could not validate connection to remote server <> - continuing

           INFO:root:The error was: {'info': 'error:14090086:SSL
           routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
           'desc': "Can't contact LDAP server"}
           The user for the Windows PassSync service is
           Windows PassSync entry exists, not resetting password
           INFO:root:Added new sync agreement, waiting for it to become ready
           . . .
           INFO:root:Replication Update in progress: FALSE: status: 81  -
           LDAP error: Can't contact LDAP server: start: 0: end: 0
           INFO:root:Agreement is ready, starting replication . . .
           Starting replication, please wait until this has completed.
           [<>] reports:

           Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
           INFO:root:Added agreement for other host

           Please help me to fix this issue.
           The syntax I used: ipa-replica-manage add --winsync
           CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password"
           --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer <> <> -v --passsync "password"

On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <> wrote:

               Shan Kumaraswamy wrote:

                   While installing IPA it creates its own CA cert

                   and also I did the step of exporting this CA file as

               Right.  You have to do that so that AD can be an SSL client to
               the IPA SSL server.

                   Please let me know steps to generate the IPA CA and

               The other part is that you have to install the AD CA cert in
               IPA so that IPA can be the SSL client to the AD SSL server.

On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <>


                      Shan Kumaraswamy wrote:

                          I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I
                          want to sync with Active Directory (Windows 2008 R2).
                          Can I have a step-by-step configuration doc shared
                          with me? Previously I have done the same exercise,
                          but now that is not working for me and I am facing
                          a lot of challenges to make this

                          Please find the steps of exactly what I did so

                          1. Installed RHDS 8.1 and FreeIPA 1.2.1 and
                             properly and tested it's working fine
                          2. In AD side, installed Active Directory
                             Server as an Enterprise Root
                          3. Copied the “cacert.p12” file and imported it under
                             Certificates – Service (Active Directory Domain
                             service) on Local Computer using MMC.
                          4. Installed PassSync.msi file and given all
                             the required
                          5. Run the command “certutil -d . -L -n "CA
                             -a > dsca.crt” from IPA server and copied
                             the .crt file in to AD server and ran this
                             command from “cd
                             Hat Directory Password Synchronization"
                          6. certutil.exe -d . -N
                          7. certutil.exe -d . -A -n "DS CA cert" -t
                             CT,, -a -i
                          8. certutil.exe -d . -L -n "DS CA cert" and
                             rebooted the AD server.

                          After these steps, when I try to create a sync
                          from the IPA server I am getting this error:

                                   ldap_simple_bind: Can't contact LDAP server

                                 SSL error -8179 (Peer's Certificate is not

                          Please share the steps to configure AD Sync with
                          IPA server.

                      But it looks as though there is a step missing.  If you
                      use MS AD CA to generate the AD cert, and use IPA to
                      generate the IPA CA and server cert, then you have to
                      import the MS AD CA cert into IPA.

-- Thanks & Regards
                          Shan Kumaraswamy

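Added example, not from the thread or from the FreeIPA/389 DS projects: a small POSIX shell helper that parses the trust-flag listing `certutil -d <dbdir> -L` prints (the layout shown at the top of this message) and checks whether a CA nickname carries the `C` flag in the first (SSL) trust column. `C` is what marks a CA as trusted to issue SSL server certs in NSS; a CA present in the database without it still fails the handshake with `-8179` (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized"). The embedded listing is constructed from the output above, and the function names, the `ca.pem` file name and the `check_nss_db` wrapper are my own assumptions; only the `certutil` options already used in the thread (`-L`, `-n`, `-A`, `-t`, `-a`, `-i`) appear.

```shell
#!/bin/sh
# Added example (not from the thread). Parses the trust-flag listing that
# `certutil -d <dbdir> -L` prints and checks the SSL trust column of a CA.

# Constructed sample, modelled on the certutil -L listing in the thread.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u'

# trust_flags NICKNAME [COLUMN]: read a certutil -L listing on stdin and print
# the trust flags of NICKNAME for COLUMN 1 (SSL), 2 (S/MIME) or 3 (JAR/XPI).
# Prints nothing if the nickname is not in the listing.
trust_flags() {
    awk -v nick="$1" -v col="${2:-1}" '
        NF >= 2 {
            flags = $NF            # last field is the "SSL,S/MIME,JAR/XPI" triple
            $NF = ""               # drop it; what remains is the nickname
            name = $0
            sub(/[ \t]+$/, "", name)
            if (name == nick) {
                n = split(flags, f, ",")
                out = (col <= n) ? f[col] : ""
                print out
                exit
            }
        }'
}

# ca_trusted_for_ssl NICKNAME: succeeds (exit 0) if the SSL column of NICKNAME
# in the sample listing carries C, i.e. NSS will accept server certs issued by
# this CA. Without C the TLS handshake fails with SEC_ERROR_UNKNOWN_ISSUER (-8179).
ca_trusted_for_ssl() {
    flags=$(printf '%s\n' "$SAMPLE_LISTING" | trust_flags "$1" 1)
    case "$flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nss_db DBDIR NICKNAME: the same check against a real NSS database
# (hypothetical wrapper; not run by the tests). On failure it prints the
# certutil import command with the CT,, trust used elsewhere in the thread;
# "ca.pem" is a placeholder for the CA's PEM file.
check_nss_db() {
    if certutil -d "$1" -L | trust_flags "$2" 1 | grep -q C; then
        echo "$2 is trusted to issue SSL server certs in $1"
    else
        echo "$2 lacks the C flag in $1; import the CA with:" >&2
        echo "  certutil -d $1 -A -n \"$2\" -t \"CT,,\" -a -i ca.pem" >&2
        return 1
    fi
}
```

Usage against a live server would be `check_nss_db /etc/dirsrv/slapd-XXXX-COM "Imported CA"`; the parsing functions are kept separate from the `certutil` call so they can be exercised on a captured listing without an NSS database present.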
Freeipa-users mailing list