Shan Kumaraswamy wrote:
Done, and the output came too; can you please let me know the next step?
Can you post the output?

On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Rich,
        Please find below the output of the command:
         [r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L

        Certificate Nickname                                         Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

        Imported CA                                                  CT,,C
        CA certificate                                               CTu,u,Cu
        Server-Cert                                                  u,u,u

    I'm assuming "Imported CA" is the MS AD CA.  Do this:
    certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"



        On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               After this error, I have tried your following steps:
                /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"

                Then I got output like this:
                       version: 1
               dn:
               currentTime: 20100817220245.0Z
               subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
               dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
               namingContexts: DC=test,DC=ad
               namingContexts: CN=Configuration,DC=test,DC=ad
               namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
               namingContexts: DC=DomainDnsZones,DC=test,DC=ad
               namingContexts: DC=ForestDnsZones,DC=test,DC=ad
               defaultNamingContext: DC=test,DC=ad
               schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
               configurationNamingContext: CN=Configuration,DC=test,DC=ad
               rootDomainNamingContext: DC=test,DC=ad
               supportedControl: 1.2.840.113556.1.4.319
               supportedControl: 1.2.840.113556.1.4.801
               supportedControl: 1.2.840.113556.1.4.473
               supportedControl: 1.2.840.113556.1.4.528
               supportedControl: 1.2.840.113556.1.4.417
               supportedControl: 1.2.840.113556.1.4.619
               supportedControl: 1.2.840.113556.1.4.841
               supportedControl: 1.2.840.113556.1.4.529
               supportedControl: 1.2.840.113556.1.4.805
               supportedControl: 1.2.840.113556.1.4.521
               supportedControl: 1.2.840.113556.1.4.970
               supportedControl: 1.2.840.113556.1.4.1338
               supportedControl: 1.2.840.113556.1.4.474
               supportedControl: 1.2.840.113556.1.4.1339
               supportedControl: 1.2.840.113556.1.4.1340
               supportedControl: 1.2.840.113556.1.4.1413
               supportedControl: 2.16.840.1.113730.3.4.9
               supportedControl: 2.16.840.1.113730.3.4.10
               supportedControl: 1.2.840.113556.1.4.1504
               supportedControl: 1.2.840.113556.1.4.1852
               supportedControl: 1.2.840.113556.1.4.802
               supportedControl: 1.2.840.113556.1.4.1907
               supportedControl: 1.2.840.113556.1.4.1948
               supportedControl: 1.2.840.113556.1.4.1974
               supportedControl: 1.2.840.113556.1.4.1341
               supportedControl: 1.2.840.113556.1.4.2026
               supportedControl: 1.2.840.113556.1.4.2064
               supportedControl: 1.2.840.113556.1.4.2065
               supportedLDAPVersion: 3
               supportedLDAPVersion: 2
               supportedLDAPPolicies: MaxPoolThreads
               supportedLDAPPolicies: MaxDatagramRecv
               supportedLDAPPolicies: MaxReceiveBuffer
               supportedLDAPPolicies: InitRecvTimeout
               supportedLDAPPolicies: MaxConnections
               supportedLDAPPolicies: MaxConnIdleTime
               supportedLDAPPolicies: MaxPageSize
               supportedLDAPPolicies: MaxQueryDuration
               supportedLDAPPolicies: MaxTempTableSize
               supportedLDAPPolicies: MaxResultSetSize
               supportedLDAPPolicies: MinResultSets
               supportedLDAPPolicies: MaxResultSetsPerConn
               supportedLDAPPolicies: MaxNotificationPerConn
               supportedLDAPPolicies: MaxValRange
               highestCommittedUSN: 73772
               supportedSASLMechanisms: GSSAPI
               supportedSASLMechanisms: GSS-SPNEGO
               supportedSASLMechanisms: EXTERNAL
               supportedSASLMechanisms: DIGEST-MD5
               dnsHostName: Windows.test.ad
               ldapServiceName: test.ad:windo...@test.ad
               serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
               supportedCapabilities: 1.2.840.113556.1.4.800
               supportedCapabilities: 1.2.840.113556.1.4.1670
               supportedCapabilities: 1.2.840.113556.1.4.1791
               supportedCapabilities: 1.2.840.113556.1.4.1935
               supportedCapabilities: 1.2.840.113556.1.4.2080
               isSynchronized: TRUE
               isGlobalCatalogReady: TRUE
               domainFunctionality: 4
               forestFunctionality: 4
               domainControllerFunctionality: 4

               Then I tried the next step:
                /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"

               ldap_simple_bind: Can't contact LDAP server
                      TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
                Please help me to fix this.

           This usually means the SSL server's CA cert is not recognized.
            What does this say:
           certutil -d /etc/dirsrv/slapd-XXXX-COM -L
           ?


                On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                  Hi Rich,
                  After I did all the steps, I am getting this error:
                            INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
                  INFO:root:Restarted directory server tesipa001.test.com
                  INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
                  INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                  The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
                  Windows PassSync entry exists, not resetting password
                  INFO:root:Added new sync agreement, waiting for it to become ready
                  . . .
                  INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                  INFO:root:Agreement is ready, starting replication . . .
                  Starting replication, please wait until this has completed.
                  [saprhds001.bmibank.com] reports:

                  Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
                  INFO:root:Added agreement for other host windows.test.ad


                  Please help me to fix this issue.
                  The syntax I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"

                  On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                      Shan Kumaraswamy wrote:

                          Rich,
                           While installing IPA, it creates its own CA cert, right? (cacert.p12)

                      Right.

                          And I also did the step of exporting this CA file as dsca.crt.

                      Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.

                          Please let me know the steps to generate the IPA CA and server cert.

                      The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.

                          On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                             Shan Kumaraswamy wrote:


                                  Hi,

                                  I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now it is not working for me and I am facing a lot of challenges to make this happen.

                                  Please find the steps of what exactly I have done so far:

                                  1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that they are working fine

                                  2. On the AD side, installed Active Directory Certificate Server as an Enterprise Root

                                  3. Copied the "cacert.p12" file and imported it under Certificates - Service (Active Directory Domain Service) on Local Computer using MMC.

                                  4. Installed the PassSync.msi file and gave all the required information

                                  5. Ran the command "certutil -d . -L -n "CA certificate" -a > dsca.crt" from the IPA server, copied the .crt file to the AD server and ran the following commands from "C:\Program Files\Red Hat Directory Password Synchronization":

                                  6. certutil.exe -d . -N

                                  7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                                  8. certutil.exe -d . -L -n "DS CA cert", and rebooted the AD server.

                                  After these steps, when I try to create the sync agreement from the IPA server I am getting this error:

                                          ldap_simple_bind: Can't contact LDAP server
                                          SSL error -8179 (Peer's Certificate issuer is not recognized.)

                                  Please share the steps to configure AD Sync with the IPA server.

                              http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

                              But it looks as though there is a step missing.  If you use the MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.


                                  -- 
                                  Thanks & Regards
                                  Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
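The two questions Rich works through above (does the imported AD CA carry the trusted-CA flag in the SSL column of the cert8.db listing, and is that CA actually the issuer of the certificate the AD server presents on port 636?) can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses a `certutil -d <dbdir> -L` listing (reconstructed from the output posted above), checks for the `C` flag, and compares a server-certificate issuer DN against the CA subject. The CA subject and server issuer DNs are invented for the example; in practice you would read them from `certutil -L -n "Imported CA"` and from the certificate AD presents.

```python
"""Sanity checks on the IPA-side NSS trust store for an outbound LDAPS connection.

Added example (not FreeIPA code). Given a `certutil -d <dbdir> -L` listing it
checks the two conditions behind NSS error -8179 (Peer's Certificate issuer is
not recognized): the CA nickname must carry 'C' in the SSL trust column, and
the CA must be the issuer of the certificate the AD server actually presents.
"""
import re

# Constructed sample of `certutil -d /etc/dirsrv/slapd-XXXX-COM -L` output,
# laid out the way certutil prints it (two header lines, blank, one cert per row).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
"""

# Hypothetical DNs (assumptions for the example, not values from the thread):
# the subject `certutil -L -n "Imported CA"` would print, and two candidate
# issuer DNs for the certificate AD presents on port 636.
IMPORTED_CA_SUBJECT = "CN=test-WINDOWS-CA, DC=test, DC=ad"
AD_SERVER_ISSUER_OK = "CN=test-WINDOWS-CA,DC=test,DC=ad"
AD_SERVER_ISSUER_OTHER = "CN=test-WINDOWS-CA-2,DC=test,DC=ad"  # signed by some other CA

# One listing row: nickname, two or more spaces, three comma-separated
# trust-flag fields (NSS flags p P c C T u w; a field may be empty).
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from a -L listing."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines never match the trust-flag pattern
            ssl, smime, jar = m.group("trust").split(",")
            certs[m.group("nick").strip()] = (ssl, smime, jar)
    return certs


def is_trusted_ssl_ca(certs, nickname):
    """True if the nickname exists and has 'C' (trusted CA for server certs) under SSL."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]


def normalize_dn(dn):
    """Lower-case attribute types and trim whitespace around RDNs; values keep their case."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(rdns)


def issuer_known(server_issuer_dn, trusted_ca_subjects):
    """True if the peer certificate's issuer DN matches one of the trusted CA subjects."""
    wanted = normalize_dn(server_issuer_dn)
    return any(normalize_dn(s) == wanted for s in trusted_ca_subjects)


def diagnose(listing, ca_nickname, ca_subject, server_issuer):
    """Explain an unknown-issuer failure in terms of the two checks above."""
    certs = parse_listing(listing)
    if not is_trusted_ssl_ca(certs, ca_nickname):
        return f"{ca_nickname!r} is missing or lacks the 'C' SSL trust flag"
    if not issuer_known(server_issuer, [ca_subject]):
        return f"{ca_nickname!r} is trusted but is not the issuer of the AD server cert"
    return "trust store looks right; check the host name and port 636 reachability"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LISTING, "Imported CA", IMPORTED_CA_SUBJECT, AD_SERVER_ISSUER_OK))
    print(diagnose(SAMPLE_LISTING, "Imported CA", IMPORTED_CA_SUBJECT, AD_SERVER_ISSUER_OTHER))
```

The listing in the thread already passes the first check (`Imported CA` has `CT,,C`), which is why the next thing to look at is the second: whether the cert that was imported is really the CA that signed the AD domain controller's certificate, rather than, say, a different CA or the DC's own certificate. Note that this covers only the NSS database that the mozldap `ldapsearch -P cert8.db` command reads; the `ipa-replica-manage` output above reports an OpenSSL-style `certificate verify failed`, so that code path consults its own trust settings.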