Hi Rich,

Finally I imported the right CA into the IPA box; now I am getting this error while executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv: MYDOMAIN-COM... [ OK ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> Shan Kumaraswamy wrote:
>
>> Hi Rich,
>> While executing your command (ldapsearch), I am getting the following output:
>>
>> _Command:_
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>> _Output:_
>> ldap_search: Can't contact LDAP server
>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>
>> _Command:_
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>> _Output:_
>> [r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
>> ldap_create
>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>> ldap_extended_operation_s
>> ldap_extended_operation
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.8.27.22:389
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_open_defconn: successful
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush: 31 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 1
>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
>>   refcnt: 2  status: Connected
>>   last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>  * msgid 1,  origid 1, status InProgress
>>    outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>>    Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 40 contents:
>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>> ber_scanf fmt ({eaa) ber:
>> read1msg: ld 0x1aa8c6f0 0 new referrals
>> read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
>> request done: ld 0x1aa8c6f0 msgid 1
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 1, msgid 1)
>> ldap_parse_extended_result
>> ber_scanf fmt ({eaa) ber:
>> ber_scanf fmt (a) ber:
>> ldap_parse_result
>> ber_scanf fmt ({iaa) ber:
>> ber_scanf fmt (x) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>> TLS certificate verification: Error, unable to get local issuer certificate
>
> Unable to get local issuer certificate?  Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have more than one CA or subordinate CAs?  If so, you may need to have the entire CA cert chain in the file.
>
> If you are sure that adcacert.asc is from the AD CA, then try adding
>   TLS_CACERT /path/to/adcacert.asc
> to your ~/.ldaprc file and try the above ldapsearch again.
>
> Let's see what the subject and issuer are in the CA cert:
>   openssl x509 -in /path/to/adcacert.asc -text
>
>> TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>> TLS certificate verification: Error, certificate not trusted
>> TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>> TLS certificate verification: Error, unable to verify the first certificate
>> TLS trace: SSL_connect:SSLv3 read server certificate A
>> TLS trace: SSL_connect:SSLv3 read server certificate request A
>> TLS trace: SSL_connect:SSLv3 read server done A
>> TLS trace: SSL_connect:SSLv3 write client certificate A
>> TLS trace: SSL_connect:SSLv3 write client key exchange A
>> TLS trace: SSL_connect:SSLv3 write change cipher spec A
>> TLS trace: SSL_connect:SSLv3 write finished A
>> TLS trace: SSL_connect:SSLv3 flush data
>> TLS trace: SSL_connect:SSLv3 read finished A
>> TLS trace: SSL3 alert write:warning:bad certificate
>> TLS: unable to get peer certificate.
>> ldap_bind
>> ldap_simple_bind
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({i) ber:
>> ber_flush: 14 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 2
>> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
>>   refcnt: 2  status: Connected
>>   last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>  * msgid 2,  origid 2, status InProgress
>>    outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>>    Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 2 all 1
>> ber_get_next
>> ldap_perror
>> ldap_result: Can't contact LDAP server (-1)
>>
>> Please help to resolve this issue.
>>
>> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> Shan Kumaraswamy wrote:
>>>
>>>> Rich,
>>>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>>>> Windows PassSync entry exists, not resetting password
>>>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>>>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
>>>> INFO:root:Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>> [saprhds001.bmibank.com] reports: Update failed!
>>>> Status: [81 - LDAP error: Can't contact LDAP server]
>>>>
>>>> I have imported the right CA to the IPA box and the output is:
>>>>
>>>> Certificate Nickname                         Trust Attributes
>>>>                                              SSL,S/MIME,JAR/XPI
>>>> CA certificate                               CTu,u,Cu
>>>> Imported CA                                  CT,,C
>>>> Server-Cert                                  u,u,u
>>>>
>>>> And also I did the openssl s_client option too, but no luck.
>>>
>>> What exactly did you do? with openssl s_client?
>>>
>>> Did you try
>>>   /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>>
>>>   LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>>
>>>> Without the cert, when I try ldapsearch it gives output, but with the cert (AD CA) it throws an error.
>>>> Please help me fix this issue.
>>>>
>>>> --
>>>> Thanks & Regards
>>>> Shan Kumaraswamy
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>

--
Thanks & Regards
Shan Kumaraswamy
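The check Rich describes in this thread (compare the issuer of the certificate the DC presents with the subject of what is actually in the CA file, and make sure the file carries the whole chain when a subordinate CA issued the DC cert) can be done mechanically with plain openssl. The script below is an added example; it is not code from the thread, from FreeIPA or from 389-ds. The issuing CA name "Corp-SAPDHCP001-CA" and the DC name come from the trace above; the root CA name "Corp-Root-CA", the "Unrelated-CA", and all file paths are assumptions, and the certificates it verifies are a constructed test PKI generated on the fly so the three outcomes can be shown offline. Against a real DC you would instead save the certificate that `openssl s_client -connect sbpaddc003.corp.mydomain.ad:636 -showcerts </dev/null` prints and feed it to `check_chain` together with the candidate CA file.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/389-ds code): do the check
# Rich describes with plain openssl -- compare the issuer of the certificate
# the DC presents with what the CA file actually contains, and prove that the
# file holds the *whole* chain.  Paths, the root CA "Corp-Root-CA" and the
# "Unrelated-CA" are assumptions; the sub-CA name and DC hostname are the
# ones from the thread.  For a real DC, capture its certificate with:
#   openssl s_client -connect sbpaddc003.corp.mydomain.ad:636 -showcerts </dev/null

# One-line subject / issuer of the first certificate in a PEM file.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Subjects of every certificate in a PEM bundle (x509 alone reads only the first).
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    grep '^subject' | sed 's/^subject= *//'
}

# check_chain SERVER_PEM CA_PEM -> 0 if CA_PEM verifies SERVER_PEM, else 1.
# The error text printed on failure is the same one ldapsearch -d 1 shows.
check_chain() {
  server="$1"; cabundle="$2"
  echo "server cert issuer : $(cert_issuer "$server")"
  echo "CA file contains   : $(bundle_subjects "$cabundle" | tr '\n' ';')"
  result=$(openssl verify -CAfile "$cabundle" "$server" 2>&1) || true
  case "$result" in
    *": OK"*) echo "OK   : $cabundle verifies $server"; return 0 ;;
    *)        echo "FAIL : $(printf '%s\n' "$result" | grep -i error | head -n 1)"; return 1 ;;
  esac
}

# new_csr DIR NAME SUBJECT: fresh key + CSR (constructed test material only).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# Constructed PKI: root -> issuing sub-CA -> DC cert, plus an unrelated CA.
make_demo_certs() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sbpaddc003.corp.mydomain.ad\n' >"$d/dc.ext"
  new_csr "$d" root  "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-Root-CA"
  new_csr "$d" other "/DC=AD/DC=OTHER/CN=Unrelated-CA"
  new_csr "$d" sub   "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA"
  new_csr "$d" dc    "/CN=SBPADDC003.Corp.MYDOMAIN.AD"
  openssl x509 -req -in "$d/root.csr"  -signkey "$d/root.key"  -extfile "$d/ca.ext" -days 1 -out "$d/root.pem"  2>/dev/null
  openssl x509 -req -in "$d/other.csr" -signkey "$d/other.key" -extfile "$d/ca.ext" -days 1 -out "$d/other.pem" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 1 -out "$d/sub.pem" 2>/dev/null
  openssl x509 -req -in "$d/dc.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -extfile "$d/dc.ext" -days 1 -out "$d/server.pem" 2>/dev/null
  cat "$d/sub.pem" "$d/root.pem" >"$d/chain.pem"   # the full chain the CA file needs to hold
}

tmp=$(mktemp -d)
make_demo_certs "$tmp"
echo "--- CA file = issuing sub-CA only: chain incomplete (err 2 at depth 1)"
check_chain "$tmp/server.pem" "$tmp/sub.pem"   || :
echo "--- CA file = some other CA: the thread's err 20, unable to get local issuer certificate"
check_chain "$tmp/server.pem" "$tmp/other.pem" || :
echo "--- CA file = sub-CA + root: the chain the CA file has to contain"
check_chain "$tmp/server.pem" "$tmp/chain.pem"
```

The three runs separate the cases the thread's trace leaves ambiguous: err 20 at depth 0 ("unable to get local issuer certificate", the same condition the mozldap client reports as NSS error -8179, SEC_ERROR_UNKNOWN_ISSUER) means the DC certificate's issuer is simply not in the CA file, while err 2 at depth 1 means the issuing sub-CA is there but its own issuer is not, so the file must be extended to the root. Only the bundle with both CA certificates verifies the DC certificate without `-partial_chain`, which is the state the winsync side also needs.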
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users