Shan Kumaraswamy wrote:
Sorry, I deleted the copied cert file.... :(
If you want to get the CA cert out of the certdb and into ascii/pem format:
certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a > msadca.crt

If you want to get the CA cert directly from MS CA:
on your AD box, open a web browser
go to http://<servername>/certsrv
There should be an option there to view or download the CA cert. You want to download it in ascii/pem/base64 format (I think Windows uses the term Base64 encoded cert for PEM). Then you'll have to copy that file to your IPA box.
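The quoted exchange below narrows the NSS error -8179 ("Peer's Certificate issuer is not recognized") to two questions: does the imported CA carry the C flag (trusted to issue server certs) in the SSL column of `certutil -L`, and was the AD server cert actually issued by that CA (server Issuer DN equal to CA Subject DN)? The following Python script is an added example, not code from this thread or from the IPA/389 projects; it parses a `certutil -L` listing and compares DNs offline. The sample listing, the DN strings, and the function names (`parse_certutil_listing`, `ssl_ca_status`, `normalize_dn`, `issuer_matches_ca`, `diagnose`) are mine, constructed from the values shown in the thread.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `certutil -d /etc/dirsrv/slapd-INSTANCE -L` output, modelled
# on the listing in this thread (same nicknames and trust flags; not a real capture).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
"""

# CA Subject as `certutil -L -n "Imported CA"` prints it (quoted), and a server-cert
# Issuer as another tool might print it (unquoted, spaces after commas). Constructed.
CA_SUBJECT_DN = '"CN=test-WINDOWS-CA,DC=test,DC=ad"'
SERVER_ISSUER_DN = "CN=test-WINDOWS-CA, DC=test, DC=ad"


class TrustEntry(NamedTuple):
    nickname: str
    ssl: str     # x: SSL trust flags
    smime: str   # y: S/MIME trust flags
    jar: str     # z: JAR/XPI (object signing) trust flags


# A row is "<nickname>  <x,y,z>"; nicknames may contain single spaces, so split on
# the run of two or more spaces before the trust string.
_ROW = re.compile(r"^(.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text: str) -> List[TrustEntry]:
    """Turn the two-column `certutil -L` listing into TrustEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,"):
            continue  # header lines
        m = _ROW.match(line)
        if not m:
            continue
        ssl, smime, jar = m.group(2).split(",")
        entries.append(TrustEntry(m.group(1).strip(), ssl, smime, jar))
    return entries


def ssl_ca_status(entry: TrustEntry) -> str:
    """Classify the SSL (x) column using the `certutil -H` legend quoted in the thread:
    c = valid CA, T = trusted to issue client certs (implies c),
    C = trusted to issue server certs (implies c), u = we hold the private key.
    Only C lets NSS accept a server cert chained to this CA on an LDAPS connection."""
    if "C" in entry.ssl:
        return "trusted-server-ca"
    if "T" in entry.ssl:
        return "client-ca-only"
    if "c" in entry.ssl:
        return "valid-but-untrusted-ca"
    if "u" in entry.ssl:
        return "user-cert"
    return "no-ssl-trust"


def normalize_dn(dn: str) -> str:
    """Canonicalize a printed DN: drop surrounding quotes, trim whitespace around RDN
    separators, lowercase attribute types and values.
    (Simplification: RDN values containing escaped commas are not handled.)"""
    rdns = []
    for rdn in dn.strip().strip('"').split(","):
        rdn = rdn.strip()
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            rdn = f"{attr.strip().lower()}={value.strip().lower()}"
        rdns.append(rdn)
    return ",".join(rdns)


def issuer_matches_ca(server_issuer_dn: str, ca_subject_dn: str) -> bool:
    """True when the server cert's Issuer DN names the CA we imported."""
    return normalize_dn(server_issuer_dn) == normalize_dn(ca_subject_dn)


def diagnose(listing: str, ca_nickname: str, ca_subject_dn: str, server_issuer_dn: str) -> List[str]:
    """Explain a -8179 result from the two facts checked in the thread: the CA's trust
    flags in the certdb, and whether the server cert was issued by that CA."""
    findings = []
    by_nick = {e.nickname: e for e in parse_certutil_listing(listing)}
    entry = by_nick.get(ca_nickname)
    if entry is None:
        return [f"no certificate nicknamed {ca_nickname!r} in the certdb: the AD CA cert has not been imported"]
    status = ssl_ca_status(entry)
    if status != "trusted-server-ca":
        findings.append(f"{ca_nickname!r} has SSL trust {entry.ssl!r} ({status}); it needs the C flag to validate an LDAPS server cert")
    if not issuer_matches_ca(server_issuer_dn, ca_subject_dn):
        findings.append("the server cert's Issuer does not match the imported CA's Subject: it was signed by a different CA")
    if not findings:
        findings.append("certdb trust and Issuer/Subject match look fine; check the full chain with openssl s_client -CAfile")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LISTING, "Imported CA", CA_SUBJECT_DN, SERVER_ISSUER_DN):
        print(line)
```

On a real system, feed `diagnose` the output of `certutil -d /etc/dirsrv/slapd-INSTANCE -L`, the Subject line from `certutil -L -n "Imported CA"`, and the Issuer line from the server cert that `openssl s_client -showcerts` returns; when both checks pass and the error persists, the remaining suspects are an intermediate CA missing from the certdb or a hostname mismatch.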


On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Ok sure, I will do the test. Can you please let me know the command
        to import the AD CA into the dirsrv cert db?

    It is already in there?  This is the certificate called "Imported
    CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer:
    "CN=test-WINDOWS-CA,DC=test,DC=ad"

    Or are you asking because you don't know how it got in there in
    the first place, or forgot?

         On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               Rich,
               Can I know the command to trust the IPA generated CA cert file?

           See below

           So I don't think that is the problem here.  If that were the
           problem, I would expect a different error message.  I think you're
           just going to have to use something like openssl s_client to
           examine the server cert used by AD.

                On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                  Shan Kumaraswamy wrote:


                       Certificate:
                          Data:
                              Version: 3 (0x2)
                              Serial Number:
                                  46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
                              Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
                              Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
                              Validity:
                                  Not Before: Tue Aug 17 01:39:07 2010
                                  Not After : Mon Aug 17 01:49:05 2015
                              Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
                              Subject Public Key Info:
                                  Public Key Algorithm: PKCS #1 RSA Encryption
                                  RSA Public Key:
                                      Modulus:
                                          a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
                                          e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
                                          f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
                                          0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
                                          84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
                                          e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
                                          f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
                                          58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
                                          00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
                                          f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
                                          ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
                                          2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
                                          57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
                                          cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
                                          c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
                                          40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
                                      Exponent: 65537 (0x10001)
                              Signed Extensions:
                                  Name: Microsoft Enrollment Cert Type Extension
                                  Data: "CA"

                                  Name: Certificate Key Usage
                                  Critical: True
                                  Usages: Digital Signature
                                          Certificate Signing
                                          CRL Signing

                                  Name: Certificate Basic Constraints
                                  Critical: True
                                  Data: Is a CA with no maximum path length.

                                  Name: Certificate Subject Key ID
                                  Data:
                                      a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
                                      e6:fb:3a:6d

                                  Name: Microsoft CertServ CA version
                                  Data: 0 (0x0)

                          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
                          Signature:
                              02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
                              35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
                              c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
                              bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
                              ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
                              e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
                              e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
                              cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
                              4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
                              10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
                              da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
                              e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
                              18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
                              81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
                              dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
                              2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
                          Fingerprint (MD5):
                              4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
                          Fingerprint (SHA1):
                              84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC

                         Certificate Trust Flags:
                             SSL Flags:
                                 Valid CA
                                 Trusted CA
                                 Trusted Client CA
                             Email Flags:
                             Object Signing Flags:
                                 Valid CA
                                 Trusted CA

                  This looks ok.  So is it possible the AD server cert was not
                  issued by this CA?  I suppose you could use an SSL test program
                  like /usr/bin/ssltap
                  or openssl s_client like this:
                  openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc

                  You can also add -verify 3 and -showcerts and -debug
                  see "man s_client" for more information




                      On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                         Done, and it produced the output too. Can you please let me
                         know the next step.


                         On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                             Shan Kumaraswamy wrote:

                                 Rich,
                                 Please find below the output of the command:
                                 [r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
                                 Certificate Nickname                          Trust Attributes
                                                                               SSL,S/MIME,JAR/XPI

                                 Imported CA                                   CT,,C
                                 CA certificate                                CTu,u,Cu

                             The CT means the CA is trusted for SSL client and server certs.
                             certutil -H
                             ...
                                   trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                             ...
                                   c      valid CA
                                   T      trusted CA to issue client certs (implies c)
                                   C      trusted CA to issue server certs (implies c)

                                 Server-Cert                                   u,u,u

                             I'm assuming "Imported CA" is the MS AD CA.  Do this:
                             certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"



                                 On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                                    Shan Kumaraswamy wrote:

                                         After this error, I have tried the following steps you suggested:
                                         /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"

                                         Then I got output like this:
                                         version: 1
                                         dn:
                                         currentTime: 20100817220245.0Z
                                         subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
                                         dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                                         namingContexts: DC=test,DC=ad
                                         namingContexts: CN=Configuration,DC=test,DC=ad
                                         namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
                                         namingContexts: DC=DomainDnsZones,DC=test,DC=ad
                                         namingContexts: DC=ForestDnsZones,DC=test,DC=ad
                                         defaultNamingContext: DC=test,DC=ad
                                         schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
                                         configurationNamingContext: CN=Configuration,DC=test,DC=ad
                                         rootDomainNamingContext: DC=test,DC=ad
                                         supportedControl: 1.2.840.113556.1.4.319
                                         supportedControl: 1.2.840.113556.1.4.801
                                         supportedControl: 1.2.840.113556.1.4.473
                                         supportedControl: 1.2.840.113556.1.4.528
                                         supportedControl: 1.2.840.113556.1.4.417
                                         supportedControl: 1.2.840.113556.1.4.619
                                         supportedControl: 1.2.840.113556.1.4.841
                                         supportedControl: 1.2.840.113556.1.4.529
                                         supportedControl: 1.2.840.113556.1.4.805
                                         supportedControl: 1.2.840.113556.1.4.521
                                         supportedControl: 1.2.840.113556.1.4.970
                                         supportedControl: 1.2.840.113556.1.4.1338
                                         supportedControl: 1.2.840.113556.1.4.474
                                         supportedControl: 1.2.840.113556.1.4.1339
                                         supportedControl: 1.2.840.113556.1.4.1340
                                         supportedControl: 1.2.840.113556.1.4.1413
                                         supportedControl: 2.16.840.1.113730.3.4.9
                                         supportedControl: 2.16.840.1.113730.3.4.10
                                         supportedControl: 1.2.840.113556.1.4.1504
                                         supportedControl: 1.2.840.113556.1.4.1852
                                         supportedControl: 1.2.840.113556.1.4.802
                                         supportedControl: 1.2.840.113556.1.4.1907
                                         supportedControl: 1.2.840.113556.1.4.1948
                                         supportedControl: 1.2.840.113556.1.4.1974
                                         supportedControl: 1.2.840.113556.1.4.1341
                                         supportedControl: 1.2.840.113556.1.4.2026
                                         supportedControl: 1.2.840.113556.1.4.2064
                                         supportedControl: 1.2.840.113556.1.4.2065
                                         supportedLDAPVersion: 3
                                         supportedLDAPVersion: 2
                                         supportedLDAPPolicies: MaxPoolThreads
                                         supportedLDAPPolicies: MaxDatagramRecv
                                         supportedLDAPPolicies: MaxReceiveBuffer
                                         supportedLDAPPolicies: InitRecvTimeout
                                         supportedLDAPPolicies: MaxConnections
                                         supportedLDAPPolicies: MaxConnIdleTime
                                         supportedLDAPPolicies: MaxPageSize
                                         supportedLDAPPolicies: MaxQueryDuration
                                         supportedLDAPPolicies: MaxTempTableSize
                                         supportedLDAPPolicies: MaxResultSetSize
                                         supportedLDAPPolicies: MinResultSets
                                         supportedLDAPPolicies: MaxResultSetsPerConn
                                         supportedLDAPPolicies: MaxNotificationPerConn
                                         supportedLDAPPolicies: MaxValRange
                                         highestCommittedUSN: 73772
                                         supportedSASLMechanisms: GSSAPI
                                         supportedSASLMechanisms: GSS-SPNEGO
                                         supportedSASLMechanisms: EXTERNAL
                                         supportedSASLMechanisms: DIGEST-MD5
                                         dnsHostName: Windows.test.ad
                                         ldapServiceName: test.ad:windo...@test.ad
                                         serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
                                         supportedCapabilities: 1.2.840.113556.1.4.800
                                         supportedCapabilities: 1.2.840.113556.1.4.1670
                                         supportedCapabilities: 1.2.840.113556.1.4.1791
                                         supportedCapabilities: 1.2.840.113556.1.4.1935
                                         supportedCapabilities: 1.2.840.113556.1.4.2080
                                         isSynchronized: TRUE
                                         isGlobalCatalogReady: TRUE
                                         domainFunctionality: 4
                                         forestFunctionality: 4
                                         domainControllerFunctionality: 4

                                         Then I tried the next step:
                                         /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"

                                         ldap_simple_bind: Can't contact LDAP server
                                                TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
                                         Please help me to fix this.....

                                     This usually means the SSL server's CA cert is not recognized.
                                     What does this say:
                                     certutil -d /etc/dirsrv/slapd-XXXX-COM -L
                                     ?


                                         On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sys...@gmail.com> wrote:

                                            Hi Rich,
                                            After I did all the steps, I am getting this error:
                                            INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
                                            INFO:root:Restarted directory server tesipa001.test.com
                                            INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
                                            INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
                                            The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
                                            Windows PassSync entry exists, not resetting password
                                            INFO:root:Added new sync agreement, waiting for it to become ready
                                            . . .
                                            INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                                            INFO:root:Agreement is ready, starting replication . . .
                                            Starting replication, please wait until this has completed.
                                            [saprhds001.bmibank.com] reports:
                                            Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
                                            INFO:root:Added agreement for other host windows.test.ad

                                            Please help me to fix this issue.
                                            The syntax I used:
                                            ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"

                                            On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmegg...@redhat.com> wrote:

        Shan Kumaraswamy wrote:

            Rich,
            While installing IPA it creates its own CA cert, right?
            (cacert.p12),

        Right.

            and also I have done the step of exporting this CA file as
            dsca.crt.

        Right.  You have to do that so that AD can be an SSL client to
        the IPA SSL server.

            Please let me know the steps to generate the IPA CA and
            server cert?

        The other part is that you have to install the AD CA cert in
        IPA so that IPA can be the SSL client to the AD SSL server.

            On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson
            <rmegg...@redhat.com> wrote:

                Shan Kumaraswamy wrote:

                    Hi,

                    I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want
                    to sync with Active Directory (Windows 2008 R2). Can
                    anyone please share a step-by-step configuration doc
                    with me? Previously I have done the same exercise,
                    but now that is not working for me and I am facing a
                    lot of challenges to make this happen.

                    Please find the steps I have done so far:

                    1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured
                       them properly and tested; it is working fine.

                    2. On the AD side, installed Active Directory
                       Certificate Services as an Enterprise Root.

                    3. Copied the "cacert.p12" file and imported it under
                       Certificates – Service (Active Directory Domain
                       Services) on Local Computer using MMC.

                    4. Installed the PassSync.msi file and gave all the
                       required information.

                    5. Ran the command
                       certutil -d . -L -n "CA certificate" -a > dsca.crt
                       on the IPA server, copied the .crt file to the AD
                       server, and ran these commands after
                       cd "C:\Program Files\Red Hat Directory Password Synchronization":

                    6. certutil.exe -d . -N

                    7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                    8. certutil.exe -d . -L -n "DS CA cert"
                       and rebooted the AD server.

                    After these steps, when I try to create a sync
                    agreement from the IPA server I am getting this
                    error:

                    ldap_simple_bind: Can't contact LDAP server
                    SSL error -8179 (Peer's Certificate issuer is not recognized.)

                    Please share the steps to configure AD Sync with the
                    IPA server.

                http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

                But it looks as though there is a step missing.  If you
                use the MS AD CA to generate the AD cert, and use IPA to
                generate the IPA CA and server cert, then you have to
                import the MS AD CA cert into IPA.

-- 
Thanks & Regards
Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
