Shan Kumaraswamy wrote:
And also I checked the directory server log (error log); it shows this error:
NSMMReplicationPlugin - failed to send dirsync search request: 2
Can you post more of the error log?
Also, the replication log level is also used for winsync debugging: http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting


On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        Hi Rich,

        Finally I imported the right CA into the IPA box; now I am getting this
        error while executing the sync command:
        INFO:root:
        INFO:root:
        INFO:root:
        INFO:root:Starting dirsrv:
            MYDOMAIN-COM...                                         [  OK  ]
        INFO:root:
        INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
        INFO:root:Restarted directory server saprhds001.mydomain.com
        INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing

        INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

    This is normal, due to a limitation in the way python-ldap loads
    CA certs.  You can ignore this.

        The user for the Windows PassSync service is
        uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
        Windows PassSync entry exists, not resetting password
        INFO:root:Added new sync agreement, waiting for it to become
        ready . . .
        INFO:root:Replication Update in progress: FALSE: status: 0
        Incremental update started: start: 20100921163646Z: end:
        20100921163646Z
        INFO:root:Agreement is ready, starting replication . . .
        Starting replication, please wait until this has completed.
        Update succeeded
        INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
    Looks like it is working - so far, so good.

        Please advise.


        On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               Hi Rich,
               While executing your command (ldapsearch), I am getting the
               following output:
                _Command:_
               /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
               /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
               "objectclass=*"
                _Output:_
               ldap_search: Can't contact LDAP server
                   SSL error -8179 (Peer's Certificate issuer is not recognized.)
               _Command:_
               LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
               fqdn.of.ad.hostname -p 389 -Z -s base -b ""
                _Output:_
               [r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
               ldap_create
               ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)

               ldap_extended_operation_s
               ldap_extended_operation
               ldap_send_initial_request
               ldap_new_connection 1 1 0
               ldap_int_open_connection
               ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389

               ldap_new_socket: 3
               ldap_prepare_socket: 3
               ldap_connect_to_host: Trying 10.8.27.22:389

               ldap_connect_timeout: fd: 3 tm: -1 async: 0
               ldap_open_defconn: successful
               ldap_send_server_request
               ber_scanf fmt ({it) ber:
               ber_scanf fmt ({) ber:
               ber_flush: 31 bytes to sd 3
               ldap_result ld 0x1aa8c6f0 msgid 1
               wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
               wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
               ** ld 0x1aa8c6f0 Connections:
               * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)

                refcnt: 2  status: Connected
                last used: Tue Sep 21 10:23:41 2010
               ** ld 0x1aa8c6f0 Outstanding Requests:
                * msgid 1,  origid 1, status InProgress
                 outstanding referrals 0, parent count 0
               ** ld 0x1aa8c6f0 Response Queue:
                 Empty
               ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
               ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
               ldap_int_select
               read1msg: ld 0x1aa8c6f0 msgid 1 all 1
               ber_get_next
               ber_get_next: tag 0x30 len 40 contents:
               read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
               ber_scanf fmt ({eaa) ber:
               read1msg: ld 0x1aa8c6f0 0 new referrals
               read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
               request done: ld 0x1aa8c6f0 msgid 1
               res_errno: 0, res_error: <>, res_matched: <>
               ldap_free_request (origid 1, msgid 1)
               ldap_parse_extended_result
               ber_scanf fmt ({eaa) ber:
               ber_scanf fmt (a) ber:
               ldap_parse_result
               ber_scanf fmt ({iaa) ber:
               ber_scanf fmt (x) ber:
               ber_scanf fmt (}) ber:
               ldap_msgfree
               TLS trace: SSL_connect:before/connect initialization
               TLS trace: SSL_connect:SSLv2/v3 write client hello A
               TLS trace: SSL_connect:SSLv3 read server hello A
               TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
               TLS certificate verification: Error, unable to get local issuer certificate

           Unable to get local issuer certificate?  Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have more than one CA or subordinate CAs?  If so, you may need to have the entire CA cert chain in the file.

           If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.

           Let's see what the subject and issuer are in the CA cert:
           openssl x509 -in /path/to/adcacert.asc -text

               TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
               TLS certificate verification: Error, certificate not trusted
               TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
               TLS certificate verification: Error, unable to verify the first certificate
               TLS trace: SSL_connect:SSLv3 read server certificate A
               TLS trace: SSL_connect:SSLv3 read server certificate request A
               TLS trace: SSL_connect:SSLv3 read server done A
               TLS trace: SSL_connect:SSLv3 write client certificate A
               TLS trace: SSL_connect:SSLv3 write client key exchange A
               TLS trace: SSL_connect:SSLv3 write change cipher spec A
               TLS trace: SSL_connect:SSLv3 write finished A
               TLS trace: SSL_connect:SSLv3 flush data
               TLS trace: SSL_connect:SSLv3 read finished A
               TLS trace: SSL3 alert write:warning:bad certificate
               TLS: unable to get peer certificate.
               ldap_bind
               ldap_simple_bind
               ldap_sasl_bind
               ldap_send_initial_request
               ldap_send_server_request
               ber_scanf fmt ({it) ber:
               ber_scanf fmt ({i) ber:
               ber_flush: 14 bytes to sd 3
               ldap_result ld 0x1aa8c6f0 msgid 2
               wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
               wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
               ** ld 0x1aa8c6f0 Connections:
               * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)

                refcnt: 2  status: Connected
                last used: Tue Sep 21 10:23:41 2010
               ** ld 0x1aa8c6f0 Outstanding Requests:
                * msgid 2,  origid 2, status InProgress
                 outstanding referrals 0, parent count 0
               ** ld 0x1aa8c6f0 Response Queue:
                 Empty
               ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
               ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
               ldap_int_select
               read1msg: ld 0x1aa8c6f0 msgid 2 all 1
               ber_get_next
               ldap_perror
               ldap_result: Can't contact LDAP server (-1)
                Please help to resolve this issue.





               On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                  Shan Kumaraswamy wrote:

                      Rich,
                      I am again facing an issue with IPA+AD Sync, and I tested all
                      the levels:
                       Windows PassSync entry exists, not resetting password
                      INFO:root:Added new sync agreement, waiting for it to become ready . . .
                      INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                      INFO:root:Agreement is ready, starting replication . . .
                      Starting replication, please wait until this has completed.
                      [saprhds001.bmibank.com] reports: Update failed!
                      Status: [81  - LDAP error: Can't contact LDAP server]

                      I have imported the right CA to the IPA box and the output is:
                      Certificate Nickname                  Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
                      CA certificate                        CTu,u,Cu
                      Imported CA                           CT,,C
                      Server-Cert                           u,u,u
                       And also I did the openssl s_client option too, but no luck.

                  What exactly did you do? with openssl s_client?

                  Did you try
                  /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

                  LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""

                      Without the cert, when I try ldapsearch it gives output, but
                      with the cert (AD CA) it throws an error.
                       Please help me fix this issue.
                      --
                      Thanks & Regards
                      Shan Kumaraswamy





               --
               Thanks & Regards
               Shan Kumaraswamy





        --
        Thanks & Regards
        Shan Kumaraswamy





--
Thanks & Regards
Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
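Rich's two checks (does the CA file's subject match the DC certificate's issuer, and does the file hold the whole chain when a subordinate CA signed the DC cert) can be rehearsed offline. This script is an added example, not code from the thread or from FreeIPA; it builds a constructed root CA -> subordinate CA -> domain-controller hierarchy with openssl (all names are made up) and shows that verifying against the root alone reproduces the err 20 "unable to get local issuer certificate" seen above, while a CA file holding root and subordinate together verifies cleanly.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the CA chain check offline with a throwaway PKI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
# mkcert NAME SUBJECT EXT_SECTION [ISSUER SERIAL]; no issuer means a self-signed root
mkcert() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
            -extfile "$WORK/req.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -set_serial "$5" -days 365 -extfile "$WORK/req.cnf" -extensions "$3" \
            -out "$WORK/$1.pem" 2>/dev/null
    fi
}
# Constructed hierarchy (made-up names): root CA -> subordinate CA -> domain controller cert
mkcert root  "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-ROOT-CA" ca_ext
mkcert sub   "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SUB-CA"  ca_ext root 2
mkcert dc    "/CN=SBPADDC003.Corp.MYDOMAIN.AD"            leaf_ext sub 3
mkcert other "/CN=Unrelated-CA"                           ca_ext
cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/chain.pem"   # the "entire CA cert chain" file
# name_of subject|issuer CERT: the DN in RFC 2253 form, without the "field=" prefix
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[^=]*= *//'; }
# issuer_matches LEAF CACERT: succeeds when the leaf's issuer DN equals the CA cert's subject DN
issuer_matches() { [ "$(name_of issuer "$1")" = "$(name_of subject "$2")" ]; }
# verifies LEAF CAFILE: prints "ok", or openssl's reason text (the same text ldapsearch -d 1 shows)
verifies() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; return; fi
    openssl verify -CAfile "$2" "$1" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -1
}
echo "DC cert issuer : $(name_of issuer "$WORK/dc.pem")"
echo "root CA alone  : $(verifies "$WORK/dc.pem" "$WORK/root.pem")"
echo "root + sub CA  : $(verifies "$WORK/dc.pem" "$WORK/chain.pem")"
```

The same name_of and verifies checks can be pointed at the real adcacert.asc and at a DC certificate saved from openssl s_client -showcerts to tell a wrong CA file from a missing subordinate CA.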
