Shan Kumaraswamy wrote:
Hi Rich,
While executing your command (ldapserch), I am getting the following
output:
_Command:_
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
_Output:_
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)
_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""
_Output:_
[r...@saprhds001 ~]#
LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad
<http://sbpaddc003.corp.mydomain.ad> -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389
<ldap://sbpaddc003.corp.mydomain.ad:389/>)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
<http://sbpaddc003.corp.mydomain.ad:389>
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389 <http://10.8.27.22:389>
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad
<http://sbpaddc003.corp.mydomain.ad> port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer
certificate
Unable to get local issuer certificate? Is the adcacert.asc file the
actual CA cert in ascii/pem/base64 format from the AD CA? Do you have
more than one CA or subordinate CAs? If so, you may need to have the
entire CA cert chain in the file.
If you are sure that adcacert.asc is from the AD CA, then try adding
TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the
above ldapsearch again.
Let's see what the subject and issuer are in the CA cert:
openssl x509 -in /path/to/adcacert.asc -text
TLS certificate verification: depth: 0, err: 27, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD <http://SBPADDC003.Corp.MYDOMAIN.AD>,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first
certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad
<http://sbpaddc003.corp.mydomain.ad> port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)
Please help to resolve this issue.
On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com
<mailto:rmegg...@redhat.com>> wrote:
Shan Kumaraswamy wrote:
Rich,
I am again facing some issue with IPA+AD Sync and I tested all
the levels:
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become
ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 -
LDAP error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com <http://saprhds001.bmibank.com/>
<http://saprhds001.bmibank.com
<http://saprhds001.bmibank.com/>>] reports: Update failed!
Status: [81 - LDAP error: Can't contact LDAP server]
I have imported right CA to IPA box and the out put is:
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
CA certificate
CTu,u,Cu
Imported CA CT,,C
Server-Cert u,u,u
And also I done the openssl s_client option too, but no luck.
What exactly did you do? with openssl s_client?
Did you try
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""
Without cert when I try ldap search its gives out put. but
with cert (AD CA) through error.
Please help me fix this issue.
--
Thanks & Regards
Shan Kumaraswamy
--
Thanks & Regards
Shan Kumaraswamy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users