Shan Kumaraswamy wrote:
Hi Rich,
Please find the attached error log file.
Please file a bug and include all of the steps necessary to reproduce the issue.


On Wed, Sep 22, 2010 at 4:17 PM, Rich Megginson <rmegg...@redhat.com> wrote:

    Shan Kumaraswamy wrote:

        And also I checked the directory server log (error log) and it shows this error:
        NSMMReplicationPlugin - failed to send dirsync search request: 2

    Can you post more of the error log?
    Also, the replication log level is also used for winsync debugging: http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

        On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson <rmegg...@redhat.com> wrote:

           Shan Kumaraswamy wrote:

               Hi Rich,

               Finally I imported the right CA into the IPA box; now I am getting this error while executing the sync command:
               INFO:root:
               INFO:root:
               INFO:root:
               INFO:root:Starting dirsrv: MYDOMAIN-COM... [  OK  ]
               INFO:root:
               INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
               INFO:root:Restarted directory server saprhds001.mydomain.com
               INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
               INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

           This is normal, due to a limitation in the way python-ldap loads CA certs.  You can ignore this.

               The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
               Windows PassSync entry exists, not resetting password
               INFO:root:Added new sync agreement, waiting for it to become ready . . .
               INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
               INFO:root:Agreement is ready, starting replication . . .
               Starting replication, please wait until this has completed.
               Update succeeded
               INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

           Looks like it is working - so far, so good.

               Please advise.


               On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                   Shan Kumaraswamy wrote:

                       Hi Rich,
                       While executing your command (ldapsearch), I am getting the following output:
                       _Command:_
                       /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
                       _Output:_
                       ldap_search: Can't contact LDAP server
                              SSL error -8179 (Peer's Certificate issuer is not recognized.)
                       _Command:_
                       LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
                       _Output:_
                       [r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
                       ldap_create
                       ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
                       ldap_extended_operation_s
                       ldap_extended_operation
                       ldap_send_initial_request
                       ldap_new_connection 1 1 0
                       ldap_int_open_connection
                       ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
                       ldap_new_socket: 3
                       ldap_prepare_socket: 3
                       ldap_connect_to_host: Trying 10.8.27.22:389
                       ldap_connect_timeout: fd: 3 tm: -1 async: 0
                       ldap_open_defconn: successful
                       ldap_send_server_request
                       ber_scanf fmt ({it) ber:
                       ber_scanf fmt ({) ber:
                       ber_flush: 31 bytes to sd 3
                       ldap_result ld 0x1aa8c6f0 msgid 1
                       wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
                       wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
                       ** ld 0x1aa8c6f0 Connections:
                       * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
                        refcnt: 2  status: Connected
                        last used: Tue Sep 21 10:23:41 2010
                       ** ld 0x1aa8c6f0 Outstanding Requests:
                        * msgid 1,  origid 1, status InProgress
                         outstanding referrals 0, parent count 0
                       ** ld 0x1aa8c6f0 Response Queue:
                         Empty
                       ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
                       ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
                       ldap_int_select
                       read1msg: ld 0x1aa8c6f0 msgid 1 all 1
                       ber_get_next
                       ber_get_next: tag 0x30 len 40 contents:
                       read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
                       ber_scanf fmt ({eaa) ber:
                       read1msg: ld 0x1aa8c6f0 0 new referrals
                       read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
                       request done: ld 0x1aa8c6f0 msgid 1
                       res_errno: 0, res_error: <>, res_matched: <>
                       ldap_free_request (origid 1, msgid 1)
                       ldap_parse_extended_result
                       ber_scanf fmt ({eaa) ber:
                       ber_scanf fmt (a) ber:
                       ldap_parse_result
                       ber_scanf fmt ({iaa) ber:
                       ber_scanf fmt (x) ber:
                       ber_scanf fmt (}) ber:
                       ldap_msgfree
                       TLS trace: SSL_connect:before/connect initialization
                       TLS trace: SSL_connect:SSLv2/v3 write client hello A
                       TLS trace: SSL_connect:SSLv3 read server hello A
                       TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
                       TLS certificate verification: Error, unable to get local issuer certificate

                  Unable to get local issuer certificate?  Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have more than one CA or subordinate CAs?  If so, you may need to have the entire CA cert chain in the file.

                  If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.

                  Let's see what the subject and issuer are in the CA cert:
                  openssl x509 -in /path/to/adcacert.asc -text

                       TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
                       TLS certificate verification: Error, certificate not trusted
                       TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
                       TLS certificate verification: Error, unable to verify the first certificate
                       TLS trace: SSL_connect:SSLv3 read server certificate A
                       TLS trace: SSL_connect:SSLv3 read server certificate request A
                       TLS trace: SSL_connect:SSLv3 read server done A
                       TLS trace: SSL_connect:SSLv3 write client certificate A
                       TLS trace: SSL_connect:SSLv3 write client key exchange A
                       TLS trace: SSL_connect:SSLv3 write change cipher spec A
                       TLS trace: SSL_connect:SSLv3 write finished A
                       TLS trace: SSL_connect:SSLv3 flush data
                       TLS trace: SSL_connect:SSLv3 read finished A
                       TLS trace: SSL3 alert write:warning:bad certificate
                       TLS: unable to get peer certificate.
                       ldap_bind
                       ldap_simple_bind
                       ldap_sasl_bind
                       ldap_send_initial_request
                       ldap_send_server_request
                       ber_scanf fmt ({it) ber:
                       ber_scanf fmt ({i) ber:
                       ber_flush: 14 bytes to sd 3
                       ldap_result ld 0x1aa8c6f0 msgid 2
                       wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
                       wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
                       ** ld 0x1aa8c6f0 Connections:
                       * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
                        refcnt: 2  status: Connected
                        last used: Tue Sep 21 10:23:41 2010
                       ** ld 0x1aa8c6f0 Outstanding Requests:
                        * msgid 2,  origid 2, status InProgress
                         outstanding referrals 0, parent count 0
                       ** ld 0x1aa8c6f0 Response Queue:
                         Empty
                       ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
                       ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
                       ldap_int_select
                       read1msg: ld 0x1aa8c6f0 msgid 2 all 1
                       ber_get_next
                       ldap_perror
                       ldap_result: Can't contact LDAP server (-1)
                       Please help to resolve this issue.





                       On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmegg...@redhat.com> wrote:

                         Shan Kumaraswamy wrote:

                             Rich,
                             I am again facing some issue with IPA+AD Sync and I tested all the levels:
                             Windows PassSync entry exists, not resetting password
                             INFO:root:Added new sync agreement, waiting for it to become ready . . .
                             INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
                             INFO:root:Agreement is ready, starting replication . . .
                             Starting replication, please wait until this has completed.
                             [saprhds001.bmibank.com] reports: Update failed!
                             Status: [81  - LDAP error: Can't contact LDAP server]

                             I have imported the right CA to the IPA box and the output is:
                             Certificate Nickname                     Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI

                             CA certificate                           CTu,u,Cu
                             Imported CA                              CT,,C
                             Server-Cert                              u,u,u
                             And I also tried the openssl s_client option, but no luck.

                         What exactly did you do with openssl s_client?

                         Did you try
                         /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

                         LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""

                             Without the cert, when I try ldapsearch it gives output, but with the cert (AD CA) it throws an error.
                             Please help me fix this issue.
                             --
                             Thanks & Regards
                             Shan Kumaraswamy

--
Thanks & Regards
Shan Kumaraswamy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
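Worked example added by the editor, not part of the thread: the advice in Rich's reply is that when the AD side uses a subordinate (issuing) CA, the file pointed to by LDAPTLS_CACERT / TLS_CACERT has to contain the whole CA chain, and that the way to check is to compare the subject and issuer DNs of each certificate. The script below builds a constructed root -> issuing CA -> domain controller chain with the openssl command-line tool (assumed installed; all DNs, hostnames and file names are made up), reproduces the "unable to get local issuer certificate" failure (OpenSSL verify error 20, the same code as `err: 20` in the ldapsearch trace) when only the root is in the CA file, and shows that a file holding root plus issuing CA verifies. The helper names `mkcsr`, `issued_by`, `chain_status` and `verify_error` are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a constructed two-level CA and
# shows why a CA file holding only the root fails to verify a leaf that was
# issued by a subordinate CA, while a file holding the whole chain succeeds.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# An issuer must carry basicConstraints CA:TRUE or openssl verify rejects it
# as a CA; the leaf is explicitly marked as not a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext

# mkcsr BASENAME SUBJECT: fresh RSA key plus CSR (hypothetical helper).
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

mkcsr root  "/DC=AD/DC=EXAMPLE/CN=Example-Root-CA"      # constructed DN
mkcsr inter "/DC=AD/DC=EXAMPLE/CN=Example-Issuing-CA"   # constructed DN
mkcsr dc    "/CN=dc01.example.ad"                       # constructed host

# Root is self-signed, the issuing CA is signed by the root, and the domain
# controller certificate is signed by the issuing CA (not by the root).
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in dc.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out dc.pem 2>/dev/null

# issued_by LEAF CA: true when LEAF's issuer DN equals CA's subject DN.
# This automates the by-eye subject/issuer comparison the reply asks for.
issued_by() {
  [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')" ]
}

# chain_status CAFILE: "ok" if dc.pem chains to a trust anchor in CAFILE,
# else "fail".
chain_status() {
  if openssl verify -CAfile "$1" dc.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_error CAFILE: the verify error text, for the failing case.
verify_error() {
  openssl verify -CAfile "$1" dc.pem 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# The fix: root plus issuing CA in one PEM file. This is the shape of file
# LDAPTLS_CACERT / TLS_CACERT needs when AD uses a subordinate CA.
cat root.pem inter.pem > chain.pem

echo "--- subject/issuer of each cert ---"
for f in dc.pem inter.pem root.pem; do
  echo "$f:"; openssl x509 -in "$f" -noout -subject -issuer
done
issued_by dc.pem inter.pem && echo "dc.pem was issued by inter.pem"
issued_by dc.pem root.pem  || echo "dc.pem was NOT issued directly by root.pem"
echo "root only : $(chain_status root.pem) ($(verify_error root.pem))"
echo "full chain: $(chain_status chain.pem)"
```

Once a chain file verifies this way, rerunning the `LDAPTLS_CACERT=... ldapsearch -d 1 ... -Z` command from the thread against it is the next step; the `err: 20` line in the TLS trace should disappear. Note that `openssl verify` does not check the hostname here, so it confirms only that the chain is complete and trusted, not that the certificate matches the DC's name.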
