Thanks Sebastien. I'm looking into the connection issue on 636 with my Windows server. It might be a certificate/key issue.

By the way, two quick questions:

1 - Why does the script continue to run after getting the connection error? I would think it should stop since everything past that point will fail.

2 - Is there an option so that when this runs the only output to stdout would be if there was a failure? When I set this up as a cronjob I would prefer not to get an email unless there was a problem. At a minimum I would prefer an email with just the high level comments and not all of the INFO for each user whose account was synced.

Thanks,
Brian

From: Sébastien Bahloul [mailto:[email protected]]
Sent: Wednesday, November 02, 2011 9:36 AM
To: Rohler, Brian L
Cc: [email protected]
Subject: Re: [lsc-users] SSL over LDAP issue

This is because the host doesn't seem to accept connections to the 636 port. Try with Apache Directory Studio to connect with the same credentials to check from another tool.

Regards,
--
Sebastien BAHLOUL
IAM / Security specialist
Ldap Synchronization Connector : http://lsc-project.org
Blog : http://sbahloul.wordpress.com/

2011/11/2 Rohler, Brian L <[email protected]>

~/lsc-1.2.1# clear; bin/lsc -f etc -c all -s all
Nov 02 09:10:40 - DEBUG - Reading configuration from /root/lsc-1.2.1/etc/
Nov 02 09:10:40 - DEBUG - Loading configuration url: file:/root/lsc-1.2.1/etc/lsc.properties
Nov 02 09:10:40 - INFO - Starting sync for user
Nov 02 09:10:40 - INFO - Connecting to LDAP server ldap://localhost/DC=neeshub,DC=org as cn=search,dc=neeshub,dc=org
Nov 02 09:10:40 - DEBUG - Using JNDI URL setting of "ldap://localhost:389/dc=neeshub,dc=org??base?(objectclass=*) "
Nov 02 09:10:41 - DEBUG - Adding 'F' sync type for attribute name objectClass.
Nov 02 09:10:41 - DEBUG - Adding 'F' sync type for attribute name default.
Nov 02 09:10:41 - DEBUG - Synchronizing user for {gidnumber=3000, uid=gjie, uidnumber=2718}
Nov 02 09:10:41 - INFO - Connecting to LDAP server ldaps://example.neeshub.org/DC=example,DC=local as CN=administrator,CN=Users,DC=example,DC=local
Nov 02 09:10:41 - DEBUG - Using JNDI URL setting of "ldaps://example.neeshub.org:636/dc=example,dc=local??base?(objectclass=*) "
Nov 02 09:10:41 - ERROR - Error opening the LDAP connection to the destination!
Nov 02 09:10:41 - ERROR - Error while synchronizing ID {gidnumber=3000, uid=gjie, uidnumber=2718}: java.lang.RuntimeException: javax.naming.CommunicationException: simple bind failed: example.neeshub.org:636 [Root exception is java.net.SocketException: Connection reset]
Nov 02 09:10:41 - DEBUG - java.lang.RuntimeException: javax.naming.CommunicationException: simple bind failed: example.neeshub.org:636 [Root exception is java.net.SocketException: Connection reset]

I didn't paste any more since it failed the connection.

From: Sébastien Bahloul [mailto:[email protected]]
Sent: Wednesday, November 02, 2011 8:01 AM
To: Rohler, Brian L
Cc: [email protected]
Subject: Re: [lsc-users] SSL over LDAP issue

Hi Brian,

Can you setup the DEBUG level and pastebin the exception ?

Regards,
--
Sebastien BAHLOUL
IAM / Security specialist
Ldap Synchronization Connector : http://lsc-project.org
Blog : http://sbahloul.wordpress.com/

2011/11/2 Rohler, Brian L <[email protected]>

I have followed the instructions at http://lsc-project.org/wiki/documentation/1.2/howtos/ssltls but I still can't get a connection to AD.

Nov 01 16:06:08 - INFO - Starting sync for user
Nov 01 16:06:08 - INFO - Connecting to LDAP server ldap://localhost/DC=example,DC=org as cn=search,dc=example,dc=org
Nov 01 16:06:09 - INFO - Connecting to LDAP server ldaps://server.example.org/DC=example,DC=local as CN=administrator,CN=Users,DC=example,DC=local
Nov 01 16:06:09 - ERROR - Error opening the LDAP connection to the destination!

What else am I doing wrong? Connection to port 389 works great. The firewall has port 389 and 636 open on inbound connections.

#########################################################################################
# Destination Server Configuration for Active Directory
#########################################################################################
# This section is mandatory since all synchronizations currently go to an LDAP directory.
# Connection URL. This must include a valid LDAP context.
dst.java.naming.provider.url = ldaps://server.example.org/DC=example,DC=local
dst.java.naming.security.authentication = simple
dst.java.naming.tls = true
dst.java.naming.security.principal = CN=administrator,CN=Users,DC=example,DC=local
dst.java.naming.security.credentials = secret
dst.java.naming.referral = ignore
dst.java.naming.ldap.derefAliases = never
dst.java.naming.ldap.pageSize=1000
dst.java.naming.ldap.sortedBy=sAMAccountName
dst.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
dst.java.naming.ldap.version = 3

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
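Brian's second question, getting a cron mail only when something failed, can be handled by a filter around LSC's console output. The following is an added example, not part of the thread or of LSC itself: it reads the log lines LSC prints (the "Nov 02 09:10:41 - LEVEL - message" format shown above), stays silent when no ERROR line occurs, and otherwise emits only a summary plus the ERROR lines and exits non-zero. The script name lsc_cron_filter.py and the embedded sample log, trimmed from Brian's paste, are assumptions.

```python
import re
import sys
from collections import Counter
# An LSC 1.2 console line, as in the thread:
# "Nov 02 09:10:41 - ERROR - Error opening the LDAP connection to the destination!"
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) - ([A-Z]+) - (.*)$")
# Per-entry failure line; the braces hold the source entry's pivot attributes.
FAILED_ID_RE = re.compile(r"^Error while synchronizing ID (\{[^}]*\})")
# Constructed sample, trimmed from the log Brian posted (assumed representative).
SAMPLE_LOG = """\
Nov 02 09:10:40 - DEBUG - Reading configuration from /root/lsc-1.2.1/etc/
Nov 02 09:10:40 - INFO - Starting sync for user
Nov 02 09:10:40 - INFO - Connecting to LDAP server ldap://localhost/DC=neeshub,DC=org as cn=search,dc=neeshub,dc=org
Nov 02 09:10:41 - DEBUG - Synchronizing user for {gidnumber=3000, uid=gjie, uidnumber=2718}
Nov 02 09:10:41 - ERROR - Error opening the LDAP connection to the destination!
Nov 02 09:10:41 - ERROR - Error while synchronizing ID {gidnumber=3000, uid=gjie, uidnumber=2718}: java.lang.RuntimeException: javax.naming.CommunicationException: simple bind failed: example.neeshub.org:636 [Root exception is java.net.SocketException: Connection reset]
"""
def summarize(lines):
    """Return (count per level, ERROR messages, IDs whose sync failed)."""
    counts, errors, failed_ids = Counter(), [], []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # stack-trace continuation or shell prompt, not a log line
        level, msg = m.group(2), m.group(3)
        counts[level] += 1
        if level == "ERROR":
            errors.append(msg)
            idm = FAILED_ID_RE.match(msg)
            if idm:
                failed_ids.append(idm.group(1))
    return counts, errors, failed_ids

def cron_report(lines):
    """Empty when nothing failed; otherwise a summary plus the ERROR lines only."""
    counts, errors, failed_ids = summarize(lines)
    if not errors:
        return ""
    head = "LSC sync finished with %d error(s), %d ID(s) failed, %d INFO/DEBUG lines suppressed" % (
        len(errors), len(failed_ids), counts["INFO"] + counts["DEBUG"])
    body = ["  failed: " + i for i in failed_ids] + ["ERROR - " + e for e in errors]
    return "\n".join([head] + body) + "\n"

if __name__ == "__main__":
    # Read LSC's output from the pipe; fall back to the sample when run by hand.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines(True)
    report = cron_report(src)
    if report:
        sys.stdout.write(report)
        sys.exit(1)  # non-zero so a wrapper can tell failure from a quiet run
```

With a crontab entry such as `bin/lsc -f etc -c all -s all 2>&1 | python3 lsc_cron_filter.py`, cron sends mail only when the filter prints something, i.e. only on a failed run.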

