Shan Kumaraswamy wrote:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Validity:
            Not Before: Tue Aug 17 01:39:07 2010
            Not After : Mon Aug 17 01:49:05 2015
        Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
                    e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
                    f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
                    0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
                    84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
                    e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
                    f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
                    58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
                    00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
                    f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
                    ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
                    2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
                    57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
                    cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
                    c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
                    40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Microsoft Enrollment Cert Type Extension
            Data: "CA"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Subject Key ID
            Data:
                a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
                e6:fb:3a:6d

            Name: Microsoft CertServ CA version
            Data: 0 (0x0)

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
        35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
        c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
        bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
        ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
        e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
        e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
        cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
        4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
        10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
        da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
        e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
        18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
        81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
        dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
        2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
    Fingerprint (MD5):
        4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
    Fingerprint (SHA1):
        84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:
            Valid CA
            Trusted CA

This looks ok.  So is it possible the AD server cert was not issued by this CA?  I suppose you could use an SSL test program like /usr/bin/ssltap or openssl s_client like this:

openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc

You can also add -verify 3 and -showcerts and -debug; see "man s_client" for more information.



On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

    Done, and it produced the output as well. Can you please let me know the next step?


    On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        Shan Kumaraswamy wrote:

            Rich,
            Please find below the output of the command:
             [r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L

            Certificate Nickname                   Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

            Imported CA                            CT,,C
            CA certificate                         CTu,u,Cu
            Server-Cert                            u,u,u

        I'm assuming "Imported CA" is the MS AD CA.  Do this:
        certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"



            On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmegg...@redhat.com> wrote:

               Shan Kumaraswamy wrote:

                   After this error, I tried the following steps:
                    /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"

                    Then I got output like this:
                    version: 1
                   dn:
                   currentTime: 20100817220245.0Z
                   subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
                   dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                   namingContexts: DC=test,DC=ad
                   namingContexts: CN=Configuration,DC=test,DC=ad
                   namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
                   namingContexts: DC=DomainDnsZones,DC=test,DC=ad
                   namingContexts: DC=ForestDnsZones,DC=test,DC=ad
                   defaultNamingContext: DC=test,DC=ad
                   schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
                   configurationNamingContext: CN=Configuration,DC=test,DC=ad
                   rootDomainNamingContext: DC=test,DC=ad
                   supportedControl: 1.2.840.113556.1.4.319
                   supportedControl: 1.2.840.113556.1.4.801
                   supportedControl: 1.2.840.113556.1.4.473
                   supportedControl: 1.2.840.113556.1.4.528
                   supportedControl: 1.2.840.113556.1.4.417
                   supportedControl: 1.2.840.113556.1.4.619
                   supportedControl: 1.2.840.113556.1.4.841
                   supportedControl: 1.2.840.113556.1.4.529
                   supportedControl: 1.2.840.113556.1.4.805
                   supportedControl: 1.2.840.113556.1.4.521
                   supportedControl: 1.2.840.113556.1.4.970
                   supportedControl: 1.2.840.113556.1.4.1338
                   supportedControl: 1.2.840.113556.1.4.474
                   supportedControl: 1.2.840.113556.1.4.1339
                   supportedControl: 1.2.840.113556.1.4.1340
                   supportedControl: 1.2.840.113556.1.4.1413
                   supportedControl: 2.16.840.1.113730.3.4.9
                   supportedControl: 2.16.840.1.113730.3.4.10
                   supportedControl: 1.2.840.113556.1.4.1504
                   supportedControl: 1.2.840.113556.1.4.1852
                   supportedControl: 1.2.840.113556.1.4.802
                   supportedControl: 1.2.840.113556.1.4.1907
                   supportedControl: 1.2.840.113556.1.4.1948
                   supportedControl: 1.2.840.113556.1.4.1974
                   supportedControl: 1.2.840.113556.1.4.1341
                   supportedControl: 1.2.840.113556.1.4.2026
                   supportedControl: 1.2.840.113556.1.4.2064
                   supportedControl: 1.2.840.113556.1.4.2065
                   supportedLDAPVersion: 3
                   supportedLDAPVersion: 2
                   supportedLDAPPolicies: MaxPoolThreads
                   supportedLDAPPolicies: MaxDatagramRecv
                   supportedLDAPPolicies: MaxReceiveBuffer
                   supportedLDAPPolicies: InitRecvTimeout
                   supportedLDAPPolicies: MaxConnections
                   supportedLDAPPolicies: MaxConnIdleTime
                   supportedLDAPPolicies: MaxPageSize
                   supportedLDAPPolicies: MaxQueryDuration
                   supportedLDAPPolicies: MaxTempTableSize
                   supportedLDAPPolicies: MaxResultSetSize
                   supportedLDAPPolicies: MinResultSets
                   supportedLDAPPolicies: MaxResultSetsPerConn
                   supportedLDAPPolicies: MaxNotificationPerConn
                   supportedLDAPPolicies: MaxValRange
                   highestCommittedUSN: 73772
                   supportedSASLMechanisms: GSSAPI
                   supportedSASLMechanisms: GSS-SPNEGO
                   supportedSASLMechanisms: EXTERNAL
                   supportedSASLMechanisms: DIGEST-MD5
                   dnsHostName: Windows.test.ad
                   ldapServiceName: test.ad:windo...@test.ad
                   serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                   supportedCapabilities: 1.2.840.113556.1.4.800
                   supportedCapabilities: 1.2.840.113556.1.4.1670
                   supportedCapabilities: 1.2.840.113556.1.4.1791
                   supportedCapabilities: 1.2.840.113556.1.4.1935
                   supportedCapabilities: 1.2.840.113556.1.4.2080
                   isSynchronized: TRUE
                   isGlobalCatalogReady: TRUE
                   domainFunctionality: 4
                   forestFunctionality: 4
                   domainControllerFunctionality: 4

                   Then I tried the next step:
                    /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"

                   ldap_simple_bind: Can't contact LDAP server
                          TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
                    Please help me to fix this.....

               This usually means the SSL server's CA cert is not recognized.
                What does this say:
               certutil -d /etc/dirsrv/slapd-XXXX-COM -L
               ?


                    On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                      Hi Rich,
                      After I did all the steps, I am getting this error:
                                INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
                      INFO:root:Restarted directory server tesipa001.test.com
                      INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
                      INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                      The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
                      Windows PassSync entry exists, not resetting password
                      INFO:root:Added new sync agreement, waiting for it to become ready
                      . . .
                      INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                      INFO:root:Agreement is ready, starting replication . . .
                      Starting replication, please wait until this has completed.
                      [saprhds001.bmibank.com] reports:

                      Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
                      INFO:root:Added agreement for other host windows.test.ad


                      Please help me to fix this issue.
                      The syntax I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"

                      On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                          Shan Kumaraswamy wrote:

                              Rich,
                              While installing IPA it creates its own CA cert, right? (cacert.p12),

                          Right.

                              and also I did the step of exporting this CA file as dsca.crt.

                          Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.

                              Please let me know the steps to generate the IPA CA and server cert?

                          The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.

                              On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                 Shan Kumaraswamy wrote:


                                     Hi,

                                     I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now that is not working for me and I am facing a lot of challenges to make this happen.

                                     Please find the steps I have done so far:

                                     1.       Installed RHDS 8.1 and FreeIPA 1.2.1, configured properly and tested it is working fine

                                     2.       On the AD side, installed Active Directory Certificate Server as an Enterprise Root

                                     3.       Copied the “cacert.p12” file and imported it under Certificates – Service (Active Directory Domain Service) on Local Computer using MMC.

                                     4.       Installed the PassSync.msi file and gave all the required information

                                     5.       Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt” from the IPA server, copied the .crt file to the AD server and ran these commands from “cd "C:\Program Files\Red Hat Directory Password Synchronization"”

                                     6.       certutil.exe -d . -N

                                     7.       certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                                     8.       certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.

                                     After these steps, when I try to create a sync agreement from the IPA server I am getting this error:

                                              ldap_simple_bind: Can't contact LDAP server

                                            SSL error -8179 (Peer's Certificate issuer is not recognized.)

                                     Please share the steps to configure AD Sync with IPA server.

                                 http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

                                 But it looks as though there is a step missing.  If you use MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.

--
Thanks & Regards
Shan Kumaraswamy





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
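The question Rich raises above, whether the AD server cert was really issued by the CA that was imported, can be answered offline without touching the LDAP server. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389 DS. It assumes only the openssl command-line tool and builds all of its own test data: two self-signed test CAs (hypothetical names "ad-root-ca" and "some-other-ca") and one server certificate (hypothetical host "ldaps.example.test") issued by the first. Verifying that server cert against the wrong CA reproduces the "issuer is not recognized" condition that NSS reports as error -8179; verifying it against the right CA succeeds, and the CA's SHA1 fingerprint is printed in the same form certutil shows under "Fingerprint (SHA1)", so it can be compared with whatever is in the directory server's cert8.db.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or 389 DS): reproduce the
# "Peer's Certificate issuer is not recognized" failure offline with the
# openssl CLI alone. All certificates are constructed test data: two
# self-signed test CAs and one server cert issued by the first. The names
# only echo the thread's scenario (an AD CA, an LDAPS host) for readability.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed test CA, key and cert under $WORK/NAME.key|.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert CANAME HOST: cert for HOST signed by CANAME's key
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chains_to CAFILE CERTFILE: exit 0 when CERTFILE verifies with CAFILE as the
# only trust anchor. This is the same check "openssl s_client -CAfile" does
# during the handshake, and the one NSS reports as error -8179 when it fails.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_name / subject_name CERTFILE: the DN as openssl prints it, without
# the "issuer=" / "subject=" prefix, so the two can be compared directly.
issuer_name()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
subject_name() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# sha1_fingerprint CERTFILE: colon-separated SHA1 fingerprint, the value that
# "certutil -L -n NICK" prints as "Fingerprint (SHA1)", so the CA sitting in
# an NSS database can be matched against the CA a server cert really chains to.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

make_ca "ad-root-ca"       # the CA that actually issued the LDAPS cert
make_ca "some-other-ca"    # a different CA, standing in for a wrong import
issue_server_cert "ad-root-ca" "ldaps.example.test"

SERVER="$WORK/ldaps.example.test.pem"
GOOD_CA="$WORK/ad-root-ca.pem"
WRONG_CA="$WORK/some-other-ca.pem"

echo "server cert issuer : $(issuer_name "$SERVER")"
echo "imported CA subject: $(subject_name "$WRONG_CA")"
if chains_to "$WRONG_CA" "$SERVER"; then
    echo "verifies against the imported CA (not expected here)"
else
    echo "does NOT verify against the imported CA: issuer not recognized"
fi
if chains_to "$GOOD_CA" "$SERVER"; then
    echo "verifies against $(subject_name "$GOOD_CA")"
    echo "that CA's SHA1 fingerprint: $(sha1_fingerprint "$GOOD_CA")"
fi
```

To apply the same check to a real deployment, save the server's certificate with `openssl s_client -connect host:636 -showcerts` (as Rich suggests), then run `chains_to` with the PEM file that was given to `--cacert`; if it fails while `issuer_name` of the server cert names a CA other than `subject_name` of that file, the wrong CA was imported, and the fingerprint printed by `certutil -L -n "Imported CA"` will not match the one computed here for the issuing CA.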
