Shan Kumaraswamy wrote:
    Rich,
    Can I know the command to trust the IPA-generated CA cert file?
    See below

So I don't think that is the problem here. If that were the problem, I would expect a different error message. I think you're just going to have to use something like openssl s_client to examine the server cert used by AD.

    On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        Shan Kumaraswamy wrote:

            Certificate:
                Data:
                    Version: 3 (0x2)
                    Serial Number:
                        46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
                    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
                    Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
                    Validity:
                        Not Before: Tue Aug 17 01:39:07 2010
                        Not After : Mon Aug 17 01:49:05 2015
                    Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
                    Subject Public Key Info:
                        Public Key Algorithm: PKCS #1 RSA Encryption
                        RSA Public Key:
                            Modulus:
                                a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
                                e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
                                f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
                                0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
                                84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
                                e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
                                f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
                                58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
                                00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
                                f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
                                ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
                                2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
                                57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
                                cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
                                c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
                                40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
                            Exponent: 65537 (0x10001)
                    Signed Extensions:
                        Name: Microsoft Enrollment Cert Type Extension
                        Data: "CA"

                        Name: Certificate Key Usage
                        Critical: True
                        Usages: Digital Signature
                                Certificate Signing
                                CRL Signing

                        Name: Certificate Basic Constraints
                        Critical: True
                        Data: Is a CA with no maximum path length.

                        Name: Certificate Subject Key ID
                        Data:
                            a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
                            e6:fb:3a:6d

                        Name: Microsoft CertServ CA version
                        Data: 0 (0x0)

                Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
                Signature:
                    02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
                    35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
                    c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
                    bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
                    ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
                    e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
                    e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
                    cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
                    4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
                    10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
                    da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
                    e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
                    18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
                    81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
                    dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
                    2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
                Fingerprint (MD5):
                    4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
                Fingerprint (SHA1):
                    84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC

                Certificate Trust Flags:
                    SSL Flags:
                        Valid CA
                        Trusted CA
                        Trusted Client CA
                    Email Flags:
                    Object Signing Flags:
                        Valid CA
                        Trusted CA

        This looks ok.  So is it possible the AD server cert was not issued by this CA?  I suppose you could use an SSL test program like /usr/bin/ssltap or openssl s_client like this:
        openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc
        You can also add -verify 3 and -showcerts and -debug
        see "man s_client" for more information

            On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                Done, and it produced the output as well. Can you please let me know the next step.

                On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                    Shan Kumaraswamy wrote:

                        Rich,
                        Please find the below output of the command:
                        [r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L

                        Certificate Nickname                      Trust Attributes
                                                                  SSL,S/MIME,JAR/XPI

                        Imported CA                               CT,,C
                        CA certificate                            CTu,u,Cu

                    The CT means the CA is trusted for SSL client and server certs.
                    certutil -H
                    ...
                    trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                    ...
                             c      valid CA
                             T      trusted CA to issue client certs (implies c)
                             C      trusted CA to issue server certs (implies c)

                        Server-Cert                               u,u,u

                    I'm assuming "Imported CA" is the MS AD CA.  Do this:
                    certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"

                        On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                            Shan Kumaraswamy wrote:

                                After this error, I have tried the following steps:
                                /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"

                                Then I got output like this:
                                version: 1
                                dn:
                                currentTime: 20100817220245.0Z
                                subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
                                dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                                namingContexts: DC=test,DC=ad
                                namingContexts: CN=Configuration,DC=test,DC=ad
                                namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
                                namingContexts: DC=DomainDnsZones,DC=test,DC=ad
                                namingContexts: DC=ForestDnsZones,DC=test,DC=ad
                                defaultNamingContext: DC=test,DC=ad
                                schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
                                configurationNamingContext: CN=Configuration,DC=test,DC=ad
                                rootDomainNamingContext: DC=test,DC=ad
                                supportedControl: 1.2.840.113556.1.4.319
                                supportedControl: 1.2.840.113556.1.4.801
                                supportedControl: 1.2.840.113556.1.4.473
                                supportedControl: 1.2.840.113556.1.4.528
                                supportedControl: 1.2.840.113556.1.4.417
                                supportedControl: 1.2.840.113556.1.4.619
                                supportedControl: 1.2.840.113556.1.4.841
                                supportedControl: 1.2.840.113556.1.4.529
                                supportedControl: 1.2.840.113556.1.4.805
                                supportedControl: 1.2.840.113556.1.4.521
                                supportedControl: 1.2.840.113556.1.4.970
                                supportedControl: 1.2.840.113556.1.4.1338
                                supportedControl: 1.2.840.113556.1.4.474
                                supportedControl: 1.2.840.113556.1.4.1339
                                supportedControl: 1.2.840.113556.1.4.1340
                                supportedControl: 1.2.840.113556.1.4.1413
                                supportedControl: 2.16.840.1.113730.3.4.9
                                supportedControl: 2.16.840.1.113730.3.4.10
                                supportedControl: 1.2.840.113556.1.4.1504
                                supportedControl: 1.2.840.113556.1.4.1852
                                supportedControl: 1.2.840.113556.1.4.802
                                supportedControl: 1.2.840.113556.1.4.1907
                                supportedControl: 1.2.840.113556.1.4.1948
                                supportedControl: 1.2.840.113556.1.4.1974
                                supportedControl: 1.2.840.113556.1.4.1341
                                supportedControl: 1.2.840.113556.1.4.2026
                                supportedControl: 1.2.840.113556.1.4.2064
                                supportedControl: 1.2.840.113556.1.4.2065
                                supportedLDAPVersion: 3
                                supportedLDAPVersion: 2
                                supportedLDAPPolicies: MaxPoolThreads
                                supportedLDAPPolicies: MaxDatagramRecv
                                supportedLDAPPolicies: MaxReceiveBuffer
                                supportedLDAPPolicies: InitRecvTimeout
                                supportedLDAPPolicies: MaxConnections
                                supportedLDAPPolicies: MaxConnIdleTime
                                supportedLDAPPolicies: MaxPageSize
                                supportedLDAPPolicies: MaxQueryDuration
                                supportedLDAPPolicies: MaxTempTableSize
                                supportedLDAPPolicies: MaxResultSetSize
                                supportedLDAPPolicies: MinResultSets
                                supportedLDAPPolicies: MaxResultSetsPerConn
                                supportedLDAPPolicies: MaxNotificationPerConn
                                supportedLDAPPolicies: MaxValRange
                                highestCommittedUSN: 73772
                                supportedSASLMechanisms: GSSAPI
                                supportedSASLMechanisms: GSS-SPNEGO
                                supportedSASLMechanisms: EXTERNAL
                                supportedSASLMechanisms: DIGEST-MD5
                                dnsHostName: Windows.test.ad
                                ldapServiceName: test.ad:windo...@test.ad
                                serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                                supportedCapabilities: 1.2.840.113556.1.4.800
                                supportedCapabilities: 1.2.840.113556.1.4.1670
                                supportedCapabilities: 1.2.840.113556.1.4.1791
                                supportedCapabilities: 1.2.840.113556.1.4.1935
                                supportedCapabilities: 1.2.840.113556.1.4.2080
                                isSynchronized: TRUE
                                isGlobalCatalogReady: TRUE
                                domainFunctionality: 4
                                forestFunctionality: 4
                                domainControllerFunctionality: 4

                                Then I tried the next step:
                                /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"

                                ldap_simple_bind: Can't contact LDAP server
                                        TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
                                Please help me to fix this.....

                            This usually means the SSL server's CA cert is not recognized.
                            What does this say:
                            certutil -d /etc/dirsrv/slapd-XXXX-COM -L
                            ?

                                On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                                    Hi Rich,
                                    After I did all the steps, I am getting this error:
                                    INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
                                    INFO:root:Restarted directory server tesipa001.test.com
                                    INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
                                    INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                                    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
                                    Windows PassSync entry exists, not resetting password
                                    INFO:root:Added new sync agreement, waiting for it to become ready
                                    . . .
                                    INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                                    INFO:root:Agreement is ready, starting replication . . .
                                    Starting replication, please wait until this has completed.
                                    [saprhds001.bmibank.com] reports: Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
                                    INFO:root:Added agreement for other host windows.test.ad

                                    Please help me to fix this issue.
                                    The syntax I used:
                                    ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"

                                    On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                        Shan Kumaraswamy wrote:

                                            Rich,
                                            While installing IPA it creates its own CA cert, right? (cacert.p12),

                                        Right.

                                            and also I did the step of exporting this CA file as dsca.crt.

                                        Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.

                                            Please let me know the steps to generate the IPA CA and server cert?

                                        The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.

                                            On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                                Shan Kumaraswamy wrote:

                                                    Hi,

                                                    I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now it is not working for me and I am facing a lot of challenges to make this happen.

                                                    Please find the steps of exactly what I have done so far:

                                                    1.  Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that they are working fine.

                                                    2.  On the AD side, installed Active Directory Certificate Server as an Enterprise Root.

                                                    3.  Copied the “cacert.p12” file and imported it under Certificates – Service (Active Directory Domain Service) on Local Computer using MMC.

                                                    4.  Installed the PassSync.msi file and gave all the required information.

                                                    5.  Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt” from the IPA server, copied the .crt file to the AD server, and ran the following commands from “cd "C:\Program Files\Red Hat Directory Password Synchronization"”:

                                                    6.  certutil.exe -d . -N

                                                    7.  certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                                                    8.  certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.

                                                    After these steps, when I try to create the sync agreement from the IPA server I am getting this error:

                                                    ldap_simple_bind: Can't contact LDAP server
                                                    SSL error -8179 (Peer's Certificate issuer is not recognized.)

                                                    Please share the steps to configure AD Sync with the IPA server.

                                                http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

                                                But it looks as though there is a step missing.  If you use MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.

                                                    --
                                                    Thanks & Regards
                                                    Shan Kumaraswamy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
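As an added, offline illustration of the two checks Rich walks through in the thread (not code from the thread, from FreeIPA or from 389-ds), the Python below reads a certutil -L listing and a certutil -L -n detail excerpt, tests whether the imported AD CA carries the C flag NSS needs in the SSL trust slot, and then tests whether the AD server cert's issuer DN actually names that CA, which is the question behind "Peer's Certificate issuer is not recognized". The listing, the detail excerpt, the nicknames and the issuer strings are constructed samples modelled on the thread, and the function names are mine.

```python
"""Offline checks modelled on this thread (added example, not FreeIPA/389-ds
code): read NSS certutil output and say whether an imported CA could let NSS
accept the AD server's certificate at all."""
import re

# Trust letters as documented by `certutil -H`; only the SSL slot matters here.
TRUST_LETTERS = {
    "c": "valid CA",
    "C": "trusted CA to issue server certs (implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert (private key present)",
}
# Each cert line ends in a trust triple "SSL,S/MIME,JAR/XPI"; header lines do not.
TRUST_RE = re.compile(r"^(.*?)\s+([cCTpPu]*,[cCTpPu]*,[cCTpPu]*)\s*$")


def parse_trust_listing(text):
    """Turn `certutil -d <dir> -L` output into {nickname: (ssl, smime, jar)}."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs


def trusted_for_ssl_servers(ssl_flags):
    """NSS accepts a server cert issued by this CA only if the SSL slot has C
    (trusted CA to issue server certs); a bare c (valid CA) is not enough."""
    return "C" in ssl_flags


def parse_dn_fields(detail):
    """Pull the quoted Issuer/Subject DNs out of `certutil -L -n <nick>` output."""
    found = {}
    for key in ("Issuer", "Subject"):
        m = re.search(r'^\s*%s:\s*"([^"]*)"' % key, detail, re.M)
        if m:
            found[key.lower()] = m.group(1)
    return found


def normalize_dn(dn):
    """Loose DN comparison: keep RDN order, ignore case and stray whitespace."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(listing, ca_nick, ca_detail, server_issuer):
    """Apply the thread's checks in order and report the first one that fails.
    A matching issuer name is necessary, not sufficient: real chain building
    also verifies the signature and the key identifiers."""
    certs = parse_trust_listing(listing)
    if ca_nick not in certs:
        return "missing: no certificate named %r in the database" % ca_nick
    ssl_slot = certs[ca_nick][0]
    if not trusted_for_ssl_servers(ssl_slot):
        meaning = ", ".join(TRUST_LETTERS.get(f, f) for f in ssl_slot) or "no flags"
        return "untrusted: SSL slot is %r (%s); needs C" % (ssl_slot, meaning)
    ca_subject = parse_dn_fields(ca_detail).get("subject", "")
    if normalize_dn(ca_subject) != normalize_dn(server_issuer):
        return ("issuer mismatch: server cert issued by %r but CA subject is %r; "
                "the server cert was probably not issued by this CA"
                % (server_issuer, ca_subject))
    return "ok"


# Constructed samples, modelled on the certutil output quoted in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Imported CA                                   CT,,C
CA certificate                                CTu,u,Cu
Server-Cert                                   u,u,u
"""
SAMPLE_CA_DETAIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
"""

if __name__ == "__main__":
    for issuer in ("CN=test-WINDOWS-CA,DC=test,DC=ad", "CN=Other-CA,DC=test,DC=ad"):
        print(issuer, "->", diagnose(SAMPLE_LISTING, "Imported CA", SAMPLE_CA_DETAIL, issuer))
```

Feed it real output by pasting the two certutil results and the issuer line that openssl s_client -showcerts prints for the AD server into the sample strings.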
