Shan Kumaraswamy wrote:
Hi Rich,
Finall I impoted right CA in to IPA box, now I am getting this error while executing sycn command:
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
    MYDOMAIN-COM...                                         [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com <http://saprhds001.mydomain.com> INFO:root:Restarted directory server saprhds001.mydomain.com <http://saprhds001.mydomain.com> INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 <http://sbpaddc003.mydomain.ad:636> - continuing INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
This is normal, due to a limitation in the way python-ldap loads CA certs. You can ignore this.
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad <http://sbpaddc003.corp.mydomain.ad>
Looks like it is working - so far, so good.
Please advice.


On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmegg...@redhat.com <mailto:rmegg...@redhat.com>> wrote:

    Shan Kumaraswamy wrote:

        Hi Rich,
        While executing your command (ldapserch), I am getting the
        following output:
         _Command:_
        /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
        /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
        "objectclass=*"
         _Output:_
        ldap_search: Can't contact LDAP server
               SSL error -8179 (Peer's Certificate issuer is not
        recognized.)
        _Command:_
        LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
        fqdn.of.ad.hostname -p 389 -Z -s base -b ""
         _Output:_
         [r...@saprhds001 ~]#
        LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
        ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>> -p 389 -Z -s base -b ""
        ldap_create
        ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389
        <http://sbpaddc003.corp.mydomain.ad:389/>
        <ldap://sbpaddc003.corp.mydomain.ad:389/
        <http://sbpaddc003.corp.mydomain.ad:389/>>)

        ldap_extended_operation_s
        ldap_extended_operation
        ldap_send_initial_request
        ldap_new_connection 1 1 0
        ldap_int_open_connection
        ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
        <http://sbpaddc003.corp.mydomain.ad:389/>
        <http://sbpaddc003.corp.mydomain.ad:389
        <http://sbpaddc003.corp.mydomain.ad:389/>>

        ldap_new_socket: 3
        ldap_prepare_socket: 3
        ldap_connect_to_host: Trying 10.8.27.22:389
        <http://10.8.27.22:389/> <http://10.8.27.22:389
        <http://10.8.27.22:389/>>

        ldap_connect_timeout: fd: 3 tm: -1 async: 0
        ldap_open_defconn: successful
        ldap_send_server_request
        ber_scanf fmt ({it) ber:
        ber_scanf fmt ({) ber:
        ber_flush: 31 bytes to sd 3
        ldap_result ld 0x1aa8c6f0 msgid 1
        wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
        wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
        ** ld 0x1aa8c6f0 Connections:
        * host: sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>>  port: 389  (default)

         refcnt: 2  status: Connected
         last used: Tue Sep 21 10:23:41 2010
        ** ld 0x1aa8c6f0 Outstanding Requests:
         * msgid 1,  origid 1, status InProgress
          outstanding referrals 0, parent count 0
        ** ld 0x1aa8c6f0 Response Queue:
          Empty
        ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
        ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
        ldap_int_select
        read1msg: ld 0x1aa8c6f0 msgid 1 all 1
        ber_get_next
        ber_get_next: tag 0x30 len 40 contents:
        read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
        ber_scanf fmt ({eaa) ber:
        read1msg: ld 0x1aa8c6f0 0 new referrals
        read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
        request done: ld 0x1aa8c6f0 msgid 1
        res_errno: 0, res_error: <>, res_matched: <>
        ldap_free_request (origid 1, msgid 1)
        ldap_parse_extended_result
        ber_scanf fmt ({eaa) ber:
        ber_scanf fmt (a) ber:
        ldap_parse_result
        ber_scanf fmt ({iaa) ber:
        ber_scanf fmt (x) ber:
        ber_scanf fmt (}) ber:
        ldap_msgfree
        TLS trace: SSL_connect:before/connect initialization
        TLS trace: SSL_connect:SSLv2/v3 write client hello A
        TLS trace: SSL_connect:SSLv3 read server hello A
        TLS certificate verification: depth: 0, err: 20, subject:
        /CN=SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>>, issuer:
        /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA

        TLS certificate verification: Error, unable to get local
        issuer certificate

    Unable to get local issuer certificate?  Is the adcacert.asc file
    the actual CA cert in ascii/pem/base64 format from the AD CA?  Do
    you have more than one CA or subordinate CAs?  If so, you may need
    to have the entire CA cert chain in the file.

    If you are sure that adcacert.asc is from the AD CA, then try
    adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and
    try the above ldapsearch again.

    Let's see what the subject and issuer are in the CA cert:
    openssl x509 -in /path/to/adcacert.asc -text

        TLS certificate verification: depth: 0, err: 27, subject:
        /CN=SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>>, issuer:
        /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA

        TLS certificate verification: Error, certificate not trusted
        TLS certificate verification: depth: 0, err: 21, subject:
        /CN=SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://SBPADDC003.Corp.MYDOMAIN.AD
        <http://sbpaddc003.corp.mydomain.ad/>>, issuer:
        /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA

        TLS certificate verification: Error, unable to verify the
        first certificate
        TLS trace: SSL_connect:SSLv3 read server certificate A
        TLS trace: SSL_connect:SSLv3 read server certificate request A
        TLS trace: SSL_connect:SSLv3 read server done A
        TLS trace: SSL_connect:SSLv3 write client certificate A
        TLS trace: SSL_connect:SSLv3 write client key exchange A
        TLS trace: SSL_connect:SSLv3 write change cipher spec A
        TLS trace: SSL_connect:SSLv3 write finished A
        TLS trace: SSL_connect:SSLv3 flush data
        TLS trace: SSL_connect:SSLv3 read finished A
        TLS trace: SSL3 alert write:warning:bad certificate
        TLS: unable to get peer certificate.
        ldap_bind
        ldap_simple_bind
        ldap_sasl_bind
        ldap_send_initial_request
        ldap_send_server_request
        ber_scanf fmt ({it) ber:
        ber_scanf fmt ({i) ber:
        ber_flush: 14 bytes to sd 3
        ldap_result ld 0x1aa8c6f0 msgid 2
        wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
        wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
        ** ld 0x1aa8c6f0 Connections:
        * host: sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>
        <http://sbpaddc003.corp.mydomain.ad
        <http://sbpaddc003.corp.mydomain.ad/>>  port: 389  (default)

         refcnt: 2  status: Connected
         last used: Tue Sep 21 10:23:41 2010
        ** ld 0x1aa8c6f0 Outstanding Requests:
         * msgid 2,  origid 2, status InProgress
          outstanding referrals 0, parent count 0
        ** ld 0x1aa8c6f0 Response Queue:
          Empty
        ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
        ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
        ldap_int_select
        read1msg: ld 0x1aa8c6f0 msgid 2 all 1
        ber_get_next
        ldap_perror
        ldap_result: Can't contact LDAP server (-1)
         Please help to resolve this issue.





         On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson
        <rmegg...@redhat.com <mailto:rmegg...@redhat.com>
        <mailto:rmegg...@redhat.com <mailto:rmegg...@redhat.com>>> wrote:

           Shan Kumaraswamy wrote:

               Rich,
               I am again facing some issue with IPA+AD Sync and I
        tested all
               the levels:
                Windows PassSync entry exists, not resetting password
               INFO:root:Added new sync agreement, waiting for it to
        become
               ready . . .
               INFO:root:Replication Update in progress: FALSE:
        status: 81  -
               LDAP error: Can't contact LDAP server: start: 0: end: 0
               INFO:root:Agreement is ready, starting replication . . .
               Starting replication, please wait until this has completed.
               [saprhds001.bmibank.com
        <http://saprhds001.bmibank.com/> <http://saprhds001.bmibank.com/>
               <http://saprhds001.bmibank.com
        <http://saprhds001.bmibank.com/>

               <http://saprhds001.bmibank.com/>>] reports: Update failed!
               Status: [81  - LDAP error: Can't contact LDAP server]

               I have imported right CA to IPA box and the out put is:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA certificate CTu,u,Cu Imported CA CT,,C Server-Cert u,u,u
                And also I done the openssl s_client option too, but
        no luck.

           What exactly did you do? with openssl s_client?

           Did you try
           /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
           /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
        "objectclass=*"

           LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
           fqdn.of.ad.hostname -p 389 -Z -s base -b ""

               Without cert when I try ldap search its gives out put. but
               with cert (AD CA) through error.
                Please help me fix this issue.
-- Thanks & Regards
               Shan Kumaraswamy





-- Thanks & Regards
        Shan Kumaraswamy





--
Thanks & Regards
Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to