On Wed, Sep 22, 2010 at 4:17 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
And also I checked the directory server log (error log); it shows this error:
NSMMReplicationPlugin - failed to send dirsync search request: 2
Can you post more of the errors log?
The replication log level is also used for winsync debugging: http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error while executing the sync command:
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
    MYDOMAIN-COM...                                         [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
This is normal, due to a limitation in the way python-ldap loads CA certs. You can ignore this.
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
Looks like it is working - so far, so good.
Please advise.
On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Hi Rich,
While executing your command (ldapsearch), I am getting the following output:
_Command:_
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
_Output:_
ldap_search: Can't contact LDAP server
        SSL error -8179 (Peer's Certificate issuer is not recognized.)
_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
_Output:_
[r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer certificate
Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file.
If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.
Let's see what the subject and issuer are in the CA cert:
openssl x509 -in /path/to/adcacert.asc -text
TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)
Please help to resolve this issue.
On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <[email protected]> wrote:
Shan Kumaraswamy wrote:
Rich,
I am again facing an issue with IPA+AD sync, and I tested all the levels:
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports: Update failed!
Status: [81 - LDAP error: Can't contact LDAP server]
I have imported the right CA to the IPA box and the output is:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
CA certificate                                               CTu,u,Cu
Imported CA                                                  CT,,C
Server-Cert                                                  u,u,u
And I also tried the openssl s_client option, but no luck.
What exactly did you do with openssl s_client? Did you try
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
Without the cert, when I try ldapsearch it gives output, but with the cert (AD CA) it throws an error.
Please help me fix this issue.
-- Thanks & Regards
Shan Kumaraswamy