Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error while
executing the sync command:



INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
    MYDOMAIN-COM...                                         [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to
certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad



Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

> Shan Kumaraswamy wrote:
>
>> Hi Rich,
>> While executing your command (ldapserch), I am getting the following
>> output:
>>  _Command:_
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
>> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>  _Output:_
>> ldap_search: Can't contact LDAP server
>>        SSL error -8179 (Peer's Certificate issuer is not recognized.)
>> _Command:_
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
>> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>  _Output:_
>>  [r...@saprhds001 ~]#
>> LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1
>> -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
>> ldap_create
>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>> ldap_extended_operation_s
>> ldap_extended_operation
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.8.27.22:389
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_open_defconn: successful
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush: 31 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 1
>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad
>>  port: 389  (default)
>>
>>  refcnt: 2  status: Connected
>>  last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>  * msgid 1,  origid 1, status InProgress
>>   outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>>   Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 40 contents:
>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>> ber_scanf fmt ({eaa) ber:
>> read1msg: ld 0x1aa8c6f0 0 new referrals
>> read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
>> request done: ld 0x1aa8c6f0 msgid 1
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 1, msgid 1)
>> ldap_parse_extended_result
>> ber_scanf fmt ({eaa) ber:
>> ber_scanf fmt (a) ber:
>> ldap_parse_result
>> ber_scanf fmt ({iaa) ber:
>> ber_scanf fmt (x) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, unable to get local issuer
>> certificate
>>
> Unable to get local issuer certificate?  Is the adcacert.asc file the
> actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have more
> than one CA or subordinate CAs?  If so, you may need to have the entire CA
> cert chain in the file.
>
> If you are sure that adcacert.asc is from the AD CA, then try adding
> TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above
> ldapsearch again.
>
> Let's see what the subject and issuer are in the CA cert:
> openssl x509 -in /path/to/adcacert.asc -text
>
>> TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, certificate not trusted
>> TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, unable to verify the first
>> certificate
>> TLS trace: SSL_connect:SSLv3 read server certificate A
>> TLS trace: SSL_connect:SSLv3 read server certificate request A
>> TLS trace: SSL_connect:SSLv3 read server done A
>> TLS trace: SSL_connect:SSLv3 write client certificate A
>> TLS trace: SSL_connect:SSLv3 write client key exchange A
>> TLS trace: SSL_connect:SSLv3 write change cipher spec A
>> TLS trace: SSL_connect:SSLv3 write finished A
>> TLS trace: SSL_connect:SSLv3 flush data
>> TLS trace: SSL_connect:SSLv3 read finished A
>> TLS trace: SSL3 alert write:warning:bad certificate
>> TLS: unable to get peer certificate.
>> ldap_bind
>> ldap_simple_bind
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({i) ber:
>> ber_flush: 14 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 2
>> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad
>>  port: 389  (default)
>>
>>  refcnt: 2  status: Connected
>>  last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>  * msgid 2,  origid 2, status InProgress
>>   outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>>   Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 2 all 1
>> ber_get_next
>> ldap_perror
>> ldap_result: Can't contact LDAP server (-1)
>>  Please help to resolve this issue.
>>
>
>
>>
>>
>>  On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>
>>    Shan Kumaraswamy wrote:
>>
>>        Rich,
>>        I am again facing some issue with IPA+AD Sync and I tested all
>>        the levels:
>>         Windows PassSync entry exists, not resetting password
>>        INFO:root:Added new sync agreement, waiting for it to become
>>        ready . . .
>>        INFO:root:Replication Update in progress: FALSE: status: 81  -
>>        LDAP error: Can't contact LDAP server: start: 0: end: 0
>>        INFO:root:Agreement is ready, starting replication . . .
>>        Starting replication, please wait until this has completed.
>>        [saprhds001.bmibank.com] reports: Update failed!
>>        Status: [81  - LDAP error: Can't contact LDAP server]
>>
>>        I have imported the right CA to the IPA box and the output is:
>>        Certificate Nickname                            Trust Attributes
>>                                                        SSL,S/MIME,JAR/XPI
>>
>>        CA certificate                                  CTu,u,Cu
>>        Imported CA                                     CT,,C
>>        Server-Cert                                     u,u,u
>>        And I also tried the openssl s_client option, but no luck.
>>
>>    What exactly did you do with openssl s_client?
>>
>>    Did you try
>>    /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
>>    /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>
>>    LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
>>    fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>
>>        Without the cert, when I try ldapsearch it gives output, but
>>        with the cert (AD CA) it throws an error.
>>        Please help me fix this issue.
>>
>>        --
>>        Thanks & Regards
>>        Shan Kumaraswamy
>>
>>
>>
>>
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>


-- 
Thanks & Regards
Shan Kumaraswamy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
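Editor's note on the failure shown in this thread. OpenSSL verify error 20 ("unable to get local issuer certificate") means the file handed to LDAPTLS_CACERT / TLS_CACERT contains no certificate whose subject DN equals the server certificate's issuer DN; the chain cannot even be started, so errors 27 and 21 follow. The script below is an added example, not code from the thread or from FreeIPA: it builds a throwaway test PKI (an issuing CA, an unrelated CA standing in for a wrong adcacert.asc, and a server certificate; every name and path is constructed), runs the same verify check a client performs against both CA files, and does the subject/issuer comparison Rich suggested with `openssl x509`. It needs only the openssl command line.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL verify error 20,
# "unable to get local issuer certificate", with a throwaway PKI and show
# the subject/issuer comparison that diagnoses it. All names are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: the CA that really signs the server cert, an
# unrelated CA (stands in for "the wrong adcacert.asc"), and the server cert.
# 'openssl req -x509' marks the self-signed certs as CAs by default.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/DC=test/DC=example/CN=Example-Issuing-CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" \
        -subj "/DC=test/DC=example/CN=Unrelated-CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=dc1.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -days 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" 2>/dev/null
}

# The two fields that must chain; 'openssl x509 -text' shows them among
# everything else, this prints only those two in RFC 2253 form.
show_names() {   # show_names <cert.pem>
    openssl x509 -in "$1" -noout -subject -issuer -nameopt RFC2253
}

# Exit 0 when <cafile> verifies <servercert>. The system trust store is
# excluded so the result depends only on the file under test, which is how
# LDAPTLS_CACERT / TLS_CACERT behave for ldapsearch.
verify_with() {   # verify_with <cafile> <servercert>
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Name-chaining check done by hand: the server cert's issuer DN must equal
# the subject DN of some certificate in the CA file. A mismatch here is
# the condition verify reports as error 20.
issuer_in_bundle() {   # issuer_in_bundle <cafile> <servercert>
    issuer="$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
    rm -f "$WORK"/bundle-*.pem
    # A bundle may carry a whole chain; split it into one file per PEM block.
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/bundle-" n ".pem")}' "$1"
    for c in "$WORK"/bundle-*.pem; do
        subj="$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject=//')"
        [ "$subj" = "$issuer" ] && return 0
    done
    return 1
}

make_test_pki
echo "server cert:";  show_names "$WORK/srv.pem"
echo "CA file:";      show_names "$WORK/ca.pem"
echo "unrelated CA:"; show_names "$WORK/other.pem"

if verify_with "$WORK/ca.pem" "$WORK/srv.pem"; then
    echo "verify with the issuing CA: OK"
fi
if ! verify_with "$WORK/other.pem" "$WORK/srv.pem"; then
    echo "verify with the unrelated CA fails; openssl's own wording:"
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/other.pem" "$WORK/srv.pem" 2>&1 || true
fi
if ! issuer_in_bundle "$WORK/other.pem" "$WORK/srv.pem"; then
    echo "no certificate in the file has a subject equal to the server cert's issuer"
fi
```

Run against a real deployment, point `issuer_in_bundle` at the CA file from the AD side and at the certificate the DC presents (captured with `openssl s_client -showcerts`). If the issuer DN is not found, the file is not the issuing CA's certificate. If it is found but verify still fails, the issuer is itself a subordinate CA and, as Rich says above, the file needs the whole chain up to the root.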