Re: [Freeipa-users] IPA AD Sync error

Tue, 21 Sep 2010 06:18:34 -0700 

Shan Kumaraswamy wrote:

Hi Rich,
While executing your command (ldapserch), I am getting the following output: _Command:_ /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" _Output:_ 
ldap_search: Can't contact LDAP server
        SSL error -8179 (Peer's Certificate issuer is not recognized.)
_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b "" _Output:_ [r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad <http://sbpaddc003.corp.mydomain.ad> -p 389 -Z -s base -b "" 
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389 <ldap://sbpaddc003.corp.mydomain.ad:389/>) 
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389 <http://sbpaddc003.corp.mydomain.ad:389> 
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389 <http://10.8.27.22:389>
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad <http://sbpaddc003.corp.mydomain.ad> port: 389 (default) 
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to get local issuer certificate
Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file. 


If you are sure that adcacert.asc is from the AD CA, then try adding 
TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the 
above ldapsearch again.


Let's see what the subject and issuer are in the CA cert:
openssl x509 -in /path/to/adcacert.asc -text

TLS certificate verification: depth: 0, err: 27, subject: 
/CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>, 
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA

TLS certificate verification: Error, certificate not trusted

TLS certificate verification: depth: 0, err: 21, subject: 
/CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>, 
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first 
certificate

TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:

* host: sbpaddc003.corp.mydomain.ad 
<http://sbpaddc003.corp.mydomain.ad>  port: 389  (default)

  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)

 
Please help to resolve this issue.







 
On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com 
<mailto:rmegg...@redhat.com>> wrote:


    Shan Kumaraswamy wrote:

        Rich,
        I am again facing some issue with IPA+AD Sync and I tested all
        the levels:
         Windows PassSync entry exists, not resetting password
        INFO:root:Added new sync agreement, waiting for it to become
        ready . . .
        INFO:root:Replication Update in progress: FALSE: status: 81  -
        LDAP error: Can't contact LDAP server: start: 0: end: 0
        INFO:root:Agreement is ready, starting replication . . .
        Starting replication, please wait until this has completed.
        [saprhds001.bmibank.com <http://saprhds001.bmibank.com/>
        <http://saprhds001.bmibank.com
        <http://saprhds001.bmibank.com/>>] reports: Update failed!
        Status: [81  - LDAP error: Can't contact LDAP server]

        I have imported right CA to IPA box and the out put is:

         Certificate Nickname                                        
        Trust Attributes
                                                                   
        SSL,S/MIME,JAR/XPI
        CA certificate                                              
        CTu,u,Cu

        Imported CA                                                  CT,,C
        Server-Cert                                                  u,u,u
         And also I done the openssl s_client option too, but no luck.

    What exactly did you do? with openssl s_client?

    Did you try
    /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
    /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

    LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
    fqdn.of.ad.hostname -p 389 -Z -s base -b ""

        Without cert when I try ldap search its gives out put. but
        with cert (AD CA) through error.
         Please help me fix this issue.

         

        -- 
        Thanks & Regards

        Shan Kumaraswamy





--
Thanks & Regards
Shan Kumaraswamy



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






















					Reply via email to