On 01/31/2014 05:00 PM, Todd Maugh wrote:
got a new CA cert and seem to be in business

[r...@se-idm-01.boingo.com cacerts]$ ipa-replica-manage connect --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa, dc=local" --bindpw "g0_b0ing0" --passsync "l0v3ish@rd" --cacert=/etc/openldap/cacerts/skywarp.cer qatestdc2.boingoqa.local -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/skywarp.cer to certificate database for se-idm-01.boingo.com
ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
Connected 'se-idm-01.boingo.com' to 'qatestdc2.boingoqa.local'

Great!



then ran your command


[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1b7c160 msgid 1
wait4msg ld 0x1b7c160 msgid 1 (infinite timeout)
wait4msg continue ld 0x1b7c160 msgid 1 all 1
** ld 0x1b7c160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:09 2014


** ld 0x1b7c160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1b7c160 request count 1 (abandoned 0)
** ld 0x1b7c160 Response Queue:
   Empty
  ld 0x1b7c160 response count 0
ldap_chkResponseList ld 0x1b7c160 msgid 1 all 1
ldap_chkResponseList returns ld 0x1b7c160 NULL
ldap_int_select
read1msg: ld 0x1b7c160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1b7c160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1b7c160 0 new referrals
read1msg:  mark request completed, ld 0x1b7c160 msgid 1
request done: ld 0x1b7c160 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 66 bytes to sd 3
ldap_result ld 0x1b7c160 msgid 2
wait4msg ld 0x1b7c160 msgid 2 (infinite timeout)
wait4msg continue ld 0x1b7c160 msgid 2 all 1
** ld 0x1b7c160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:13 2014


** ld 0x1b7c160 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1b7c160 request count 1 (abandoned 0)
** ld 0x1b7c160 Response Queue:
   Empty
  ld 0x1b7c160 response count 0
ldap_chkResponseList ld 0x1b7c160 msgid 2 all 1
ldap_chkResponseList returns ld 0x1b7c160 NULL
ldap_int_select
read1msg: ld 0x1b7c160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 104 contents:
read1msg: ld 0x1b7c160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1b7c160 0 new referrals
read1msg:  mark request completed, ld 0x1b7c160 msgid 2
request done: ld 0x1b7c160 msgid 2
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1fe2160 msgid 1
wait4msg ld 0x1fe2160 msgid 1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid 1 all 1
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:19 2014


** ld 0x1fe2160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid 1 all 1
ldap_chkResponseList returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1fe2160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg:  mark request completed, ld 0x1fe2160 msgid 1
request done: ld 0x1fe2160 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x1fe2160 msgid 2
wait4msg ld 0x1fe2160 msgid 2 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid 2 all 1
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:23 2014


** ld 0x1fe2160 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid 2 all 1
ldap_chkResponseList returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1fe2160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg:  mark request completed, ld 0x1fe2160 msgid 2
request done: ld 0x1fe2160 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "objectclass=*"
put_filter: default
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x1fe2160 msgid -1
wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid -1 all 0
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:23 2014


** ld 0x1fe2160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1fe2160 msgid -1
wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid -1 all 0
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 23:59:23 2014


** ld 0x1fe2160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
   Empty
  ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg:  mark request completed, ld 0x1fe2160 msgid 3
request done: ld 0x1fe2160 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed



------------------------------------------------------------------------
*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, January 31, 2014 3:58 PM
*To:* Todd Maugh; d...@redhat.com
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] can't create winsync replication

On 01/31/2014 04:13 PM, Todd Maugh wrote:

asked:   Can you provide your /etc/openldap/ldap.conf?


answer:

/etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa.

What happens if you set it to TLS_REQCERT demand?

Or, if you don't want to touch this file (because it will probably break other things), try this:

LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

If that works, then please provide the output of

rpm -q 389-ds-base openldap nss

ping

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match.

This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?
PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?





TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
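As an added example (not code from the thread or from FreeIPA), a small Python script that performs the two checks Rich's reply is driving at: flag an ldap.conf whose TLS_REQCERT is weaker than demand, and separate a TLS trust failure from a bind failure in ldapsearch -d 1 output. The sample config and debug excerpts are constructed from lines quoted in this thread; the table of AD "data" sub-codes is an assumption based on Microsoft's documented logon-failure codes.

```python
import re
# Constructed sample ldap.conf, modelled on the one quoted in the thread.
LDAP_CONF = """#File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT allow
"""

# Constructed excerpt of `ldapsearch -d 1` output, modelled on the thread.
DEBUG_BAD_BIND = """TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid
res_errno: 0, res_error: <>, res_matched: <>
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
"""

# Assumed table of AD AcceptSecurityContext "data" sub-codes (documented logon-failure codes).
AD_DATA = {"52e": "bad password (logon failure)", "525": "user not found",
           "533": "account disabled", "775": "account locked out"}

def audit_ldap_conf(text):
    """Return findings for an ldap.conf; TLS_REQCERT demand (libldap's default) is the safe value."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT {reqcert}: peer certificate errors are tolerated")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor configured")
    return findings

def triage_debug(text):
    """Separate a TLS trust failure from a bind failure; the StartTLS op itself reports res_errno 0."""
    result = {"tls_ok": None, "tls_error": None, "bind_errno": None, "ad_reason": None}
    m = re.search(r"TLS: certificate \[.*?\] is (valid|not valid)(?: - error (-?\d+):(.*))?", text)
    if m:
        result["tls_ok"] = m.group(1) == "valid"
        if m.group(2):
            result["tls_error"] = f"{m.group(2)}:{m.group(3).strip()}"
    for m in re.finditer(r"res_errno: (\d+), res_error: <(.*?)>", text):
        if int(m.group(1)) == 0:
            continue
        result["bind_errno"] = int(m.group(1))
        d = re.search(r"\bdata (\w+)", m.group(2))
        if d:
            result["ad_reason"] = AD_DATA.get(d.group(1), f"unknown AD data code {d.group(1)}")
        break
    return result
```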