got a new CA cert and seem to be in buisness [[email protected] cacerts]$ ipa-replica-manage connect --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa, dc=local" --bindpw "g0_b0ing0" --passsync "l0v3ish@rd" --cacert=/etc/openldap/cacerts/skywarp.cer qatestdc2.boingoqa.local -v Directory Manager password:
Added CA certificate /etc/openldap/cacerts/skywarp.cer to certificate database for se-idm-01.boingo.com ipa: INFO: AD Suffix is: DC=boingoqa,DC=local The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com Windows PassSync entry exists, not resetting password ipa: INFO: Added new sync agreement, waiting for it to become ready . . . ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0 ipa: INFO: Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update succeeded Connected 'se-idm-01.boingo.com' to 'qatestdc2.boingoqa.local' then ran your command [[email protected] cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local) ldap_create ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.194.55.48:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x1b7c160 msgid 1 wait4msg ld 0x1b7c160 msgid 1 (infinite timeout) wait4msg continue ld 0x1b7c160 msgid 1 all 1 ** ld 0x1b7c160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:09 2014 ** ld 0x1b7c160 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1b7c160 request count 1 (abandoned 0) ** ld 0x1b7c160 Response Queue: Empty ld 0x1b7c160 response count 0 ldap_chkResponseList ld 0x1b7c160 msgid 1 all 1 ldap_chkResponseList returns ld 0x1b7c160 NULL ldap_int_select read1msg: ld 0x1b7c160 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1b7c160 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1b7c160 0 new referrals read1msg: mark request completed, ld 0x1b7c160 msgid 1 request done: ld 0x1b7c160 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix . TLS: loaded CA certificate file /etc/ipa/ca.crt. TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 66 bytes to sd 3 ldap_result ld 0x1b7c160 msgid 2 wait4msg ld 0x1b7c160 msgid 2 (infinite timeout) wait4msg continue ld 0x1b7c160 msgid 2 all 1 ** ld 0x1b7c160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:13 2014 ** ld 0x1b7c160 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1b7c160 request count 1 (abandoned 0) ** ld 0x1b7c160 Response Queue: Empty ld 0x1b7c160 response count 0 ldap_chkResponseList ld 0x1b7c160 msgid 2 all 1 ldap_chkResponseList returns ld 0x1b7c160 NULL ldap_int_select read1msg: ld 0x1b7c160 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 104 contents: read1msg: ld 0x1b7c160 msgid 2 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x1b7c160 0 new referrals read1msg: mark request completed, ld 0x1b7c160 msgid 2 request done: ld 0x1b7c160 msgid 2 res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 [[email protected] cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local) ldap_create ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.194.55.48:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x1fe2160 msgid 1 wait4msg ld 0x1fe2160 msgid 1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid 1 all 1 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:19 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid 1 all 1 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1fe2160 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 1 request done: ld 0x1fe2160 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix . TLS: loaded CA certificate file /etc/ipa/ca.crt. TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 65 bytes to sd 3 ldap_result ld 0x1fe2160 msgid 2 wait4msg ld 0x1fe2160 msgid 2 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid 2 all 1 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid 2 all 1 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x1fe2160 msgid 2 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 2 request done: ld 0x1fe2160 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_search_ext put_filter: "objectclass=*" put_filter: default put_simple_filter: "objectclass=*" ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 85 bytes to sd 3 ldap_result ld 0x1fe2160 msgid -1 wait4msg ld 0x1fe2160 msgid -1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid -1 all 0 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 3, origid 3, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid -1 all 0 ber_get_next ber_get_next: tag 0x30 len 59 contents: read1msg: ld 0x1fe2160 msgid 3 message type search-entry ldap_get_dn_ber ber_scanf fmt ({ml{) ber: dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local ber_scanf fmt ({xx) ber: ldap_get_attribute_ber ldap_msgfree ldap_result ld 0x1fe2160 msgid -1 wait4msg ld 0x1fe2160 msgid -1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid -1 all 0 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 3, origid 3, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0 ldap_chkResponseList returns ld 0x1fe2160 NULL read1msg: ld 0x1fe2160 msgid -1 all 0 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x1fe2160 msgid 3 message type search-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 3 request done: ld 0x1fe2160 msgid 3 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 3, msgid 3) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_free_connection: actually freed ________________________________ From: Rich Megginson [[email protected]] Sent: Friday, January 31, 2014 3:58 PM To: Todd Maugh; [email protected] Cc: [email protected] Subject: Re: [Freeipa-users] cant create winsync reolication On 01/31/2014 04:13 PM, Todd Maugh wrote: asked: Can you provide your /etc/openldap/ldap.conf? answer: /etc/openldap/ldap.con #File modified by ipa-client-install URI ldaps://se-idm-01.boingo.com<UrlBlockedError.aspx> BASE dc=boingo,dc=com TLS_CACERT /etc/ipa/ca.crt TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa. What happens if you set it to TLS_REQCERT demand? Or, if you don't want to touch this file (because it will probably break other things), try this: LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local<UrlBlockedError.aspx> -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn If that works, then please provide the output of rpm -q 389-ds-base openldap nss ping TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized.. This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem? PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data. 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms ^C --- qatestdc2.boingoqa.local ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1070ms rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms Ok. Does 10.194.55.48 resolve to qatestdc2.boingoqa.local? TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
