On 01/31/2014 04:13 PM, Todd Maugh wrote:
asked: Can you provide your /etc/openldap/ldap.conf?
answer:
/etc/openldap/ldap.conf
#File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
This will allow errors where the hostname in the cert subject DN does
not match the IP address or vice versa.
What happens if you set it to TLS_REQCERT demand?
Or, if you don't want to touch this file (because it will probably break
other things), try this:
LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
If that works, then please provide the output of
rpm -q 389-ds-base openldap nss
ping
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error
-8179:Peer's Certificate issuer is not recognized..
This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP
address does not match.
This is usually a problem, but perhaps you have set your ldap.conf to
continue despite this problem?
PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1
ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2
ttl=124 time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms
Ok. Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local,
issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security
level: high, secret key bits: 128, total key bits: 128, cache hits:
0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
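The two checks that TLS_REQCERT demand enforces and TLS_REQCERT allow skips, reproduced offline as an added example (not from the thread or from the FreeIPA project): throwaway certificates built with the issuer and server names quoted above, then verified with openssl, which here stands in for the NSS verification ldapsearch performs. The CA names, the second "OTHERCA" and the temporary paths are all constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Builds throwaway certs that mirror the
# names in the thread (CN=SKYWARPCA issuer, CN=QATESTDC2.boingoqa.local server)
# and shows the two checks a TLS_REQCERT=demand client enforces and a
# TLS_REQCERT=allow client silently skips: issuer trust and hostname match.
# openssl verify stands in for the NSS check ldapsearch performs internally.
set -e
WORK=$(mktemp -d)

# Constructed issuer CA (stand-in for the AD CA that signed the DC cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=SKYWARPCA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Constructed unrelated CA (stand-in for the IPA CA named in TLS_CACERT).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OTHERCA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
# Server certificate for the DC, signed by SKYWARPCA only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=QATESTDC2.boingoqa.local" \
  -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/dc.crt" 2>/dev/null

# verify_chain CA CERT: exit 0 if CERT chains to CA, non-zero otherwise
# (the "Peer's Certificate issuer is not recognized" case: wrong CA trusted).
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host CA CERT NAME: exit 0 only if the chain is good AND NAME matches
# the certificate; a bare IP is not a name the cert carries, so it fails
# exactly like the hostname/IP mismatch the thread asks about.
verify_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Prints ok/FAIL for each case so the script is informative stand-alone.
report() {
  if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi
}
report verify_chain "$WORK/ca.crt"    "$WORK/dc.crt"
report verify_chain "$WORK/other.crt" "$WORK/dc.crt"
report verify_host  "$WORK/ca.crt"    "$WORK/dc.crt" qatestdc2.boingoqa.local
report verify_host  "$WORK/ca.crt"    "$WORK/dc.crt" 10.194.55.48
```

Expected: the first and third checks pass (correct CA, DNS name matches the CN case-insensitively), the second and fourth fail; a client with TLS_REQCERT allow would have connected in all four cases.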
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users