Try editing /etc/openldap/ldap.conf:

TLS_CACERT      /etc/ipa/ca.crt
TLS_REQCERT allow


See if that helps.

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester |
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

Hi There,

This is driving me up the wall.

I have two servers. One is a live OpenLDAP/Kerberos AAA server running on RHEL6. 
The LDAP service has SSL/TLS support. The second server is a test environment 
running on Fedora and has IPA 3.1 installed.

As a last step of my POC I need to migrate the users and passwords from the 
LDAP server to IPA server.

I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began.

In the end after a lot of IRC communication and troubleshooting I now run the 
following command.

ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" 
--user-container="ou=users,ou=live,dc=example,dc=com" 
--group-container="ou=groups,ou=live,dc=example,dc=com" 
ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server 
http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS 
error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate 
issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the 
openldap or the other way around. Does anyone know how to get around this? Or 
allow me to finish the migration of user data.

Regards

John

--
Johnathan Phan

T: +44 (0)784 118 7080



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

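An added example, not code from FreeIPA or from either poster, to make the trade-off in the suggested ldap.conf change visible. TLS error -8179 (NSS SEC_ERROR_UNKNOWN_ISSUER) means the LDAP client on the IPA server could not chain ldap1's certificate to a CA it trusts. TLS_REQCERT allow makes that error go away by ignoring chain failures entirely, so anyone who can intercept port 636 during the migration can present any certificate and read the cn=admin bind password. /etc/ipa/ca.crt is the IPA CA, so it only fixes the chain if IPA issued ldap1's certificate; otherwise TLS_CACERT has to point at the CA that did. The script below classifies a client config by whether verification is actually enforced and shows the weak setting beside a hardened one. The file paths and the placeholder CA file are assumptions made for the demo.

```sh
#!/bin/sh
# Added example for this thread; it is not code from FreeIPA or from either
# poster. It classifies an OpenLDAP client config (the /etc/openldap/ldap.conf
# the IPA server's LDAP client library reads for migrate-ds) by whether the
# OpenLDAP server's certificate is actually verified. Paths are assumptions.

# ldap_tls_policy FILE
#   "weak"     TLS_REQCERT never/allow: chain errors are ignored, so anyone
#              who can intercept port 636 can present any certificate and
#              read the migration bind DN and password.
#   "no-ca"    verification is on but no TLS_CACERT/TLS_CACERTDIR is set or
#              the file is missing, so every ldaps:// connection fails.
#   "verified" TLS_REQCERT try/demand/hard (demand is the default when the
#              option is absent) with a CA store that exists.
ldap_tls_policy() {
    conf=$1
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) } END { print v }' "$conf")
    castore=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
    case "${reqcert:-demand}" in
        never|allow) echo weak ;;
        try|demand|hard)
            if [ -n "$castore" ] && [ -e "$castore" ]; then
                echo verified
            else
                echo no-ca
            fi ;;
        *) echo unknown ;;
    esac
}

# show_ldap_issuer HOST [PORT]: print the subject and issuer of the
# certificate the server presents, which tells you which CA's certificate
# TLS_CACERT has to point at. Needs network access, so it is not called here.
show_ldap_issuer() {
    openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Constructed sample configs, written to temp files so the demo runs offline.
# 1) The thread's suggestion: the -8179 error disappears because the issuer
#    is no longer checked at all.
WEAK_CONF=$(mktemp)
printf 'TLS_CACERT      /etc/ipa/ca.crt\nTLS_REQCERT     allow\n' >"$WEAK_CONF"

# 2) Hardened: TLS_CACERT names the CA that signed ldap1's certificate (the
#    IPA CA in /etc/ipa/ca.crt only qualifies if IPA issued that certificate),
#    and TLS_REQCERT stays at demand. The CA file is a placeholder for the demo.
LDAP1_CA=$(mktemp)   # stands in for e.g. /etc/openldap/cacerts/ldap1-ca.pem
HARD_CONF=$(mktemp)
printf 'TLS_CACERT      %s\nTLS_REQCERT     demand\n' "$LDAP1_CA" >"$HARD_CONF"

# 3) Verification on, but the CA file is missing: the bind fails closed
#    instead of trusting an unknown issuer.
MISSING_CONF=$(mktemp)
printf 'TLS_CACERT      /nonexistent/ldap1-ca.pem\nTLS_REQCERT     demand\n' >"$MISSING_CONF"

echo "thread setting: $(ldap_tls_policy "$WEAK_CONF")"     # weak
echo "hardened:       $(ldap_tls_policy "$HARD_CONF")"     # verified
echo "missing CA:     $(ldap_tls_policy "$MISSING_CONF")"  # no-ca
```

The static check cannot tell that an existing CA file is simply the wrong CA, which is the usual cause of -8179 when /etc/ipa/ca.crt is configured against a non-IPA OpenLDAP server. For that, run show_ldap_issuer against ldap1 and compare its issuer line with the subject of the file named in TLS_CACERT (openssl x509 -noout -subject -in that file); they must match before TLS_REQCERT demand will accept the connection.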
