[Freeipa-users] Fwd: passsync ssl help?
I'm pretty sure this is an ssl problem, but the steps for troubleshooting in the 389 server docs don't seem to work well here. I think they use a different version of ldapsearch that seems to allow me to specify the location of my cert db. The ldapsearch I'm using doesn't work that way.

The question, then, is how to test ssl for passsync with freeipa. I try to run this on my freeipa server:

openssl s_client -connect ad domaincontroller:636

and I get:

verify error:num=20:unable to get local issuer certificate

but I don't even know if that's a valid, relevant test for passsync. Do I need that to run error free in both directions? Do I need to add an argument to make sure it's using the same DBs as the passsync process?

---------- Forwarded message ----------
From: Nate Marks npma...@gmail.com
Date: Sat, Dec 22, 2012 at 2:19 PM
Subject: passsync ssl help?
To: freeipa-users@redhat.com

I've got a default freeipa installation. Account sync is working great. Passsync makes me sad. Here are the passsync settings:

hostname: FQDN of the freeipa server
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=xxx,dc=xxx
password: password
cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents
search base=cn=users,cn=accounts,dc=inframax,dc=ncare

I checked the passsync account/pass work with ldp (not ssl) and it worked fine. It looks like I correctly imported the cert from my freeipa server into the db in program files\389 directory server.

I just keep getting:

ldap bind error in connect
81: can't contact ldap server
can not connect to ldap server in syncpassowrds

I'd really appreciate some help. I've also disabled UAC.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
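The error quoted in the message above, reproduced offline as an added example (not part of the original post): openssl reports verify error 20 when the certificate's issuer is not in the trust store it consulted, and the same check passes once the issuing CA is supplied with -CAfile. The CA, hostname and file names are constructed, and openssl verify on local files stands in for s_client so nothing touches the network.

```shell
#!/bin/sh
# Added example: all names, subjects and paths below are constructed for this lab.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_lab() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.crt" 2>/dev/null
}

# Verify certificate $1. With a second argument, trust that CA file as well;
# without it, only openssl's default trust store is consulted.
check_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify "$1" 2>&1
    fi
}

# Reduce the verify output to one word: "trusted", "error20" or "other".
chain_status() {
    out=$(check_chain "$1" "$2") || true
    case $out in
        *"unable to get local issuer certificate"*) echo error20 ;;
        *": OK"*) echo trusted ;;
        *) echo other ;;
    esac
}

lab=$(mktemp -d)
make_lab "$lab"
echo "without the issuing CA: $(chain_status "$lab/srv.crt")"
echo "with the issuing CA:    $(chain_status "$lab/srv.crt" "$lab/ca.crt")"
rm -rf "$lab"
```
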
Re: [Freeipa-users] Fwd: passsync ssl help?
On 12/23/2012 08:56 AM, Nate Marks wrote:
> I'm pretty sure this is an ssl problem, but the steps for troubleshooting in the 389 server docs don't seem to work well here. I think they use a different version of ldapsearch that seems to allow me to specify the location of my cert db. The ldapsearch I'm using doesn't work that way.
>
> The question, then, is how to test ssl for passsync with freeipa. I try to run this on my freeipa server:
>
> openssl s_client -connect ad domaincontroller:636
>
> and I get:
>
> verify error:num=20:unable to get local issuer certificate
>
> but I don't even know if that's a valid, relevant test for passsync. Do I need that to run error free in both directions? Do I need to add an argument to make sure it's using the same DBs as the passsync process?

I am sorry but most likely you would not hear from us till new year. All knowledgeable people in this area are on vacation next week.

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Fwd: passsync ssl help?
Of course. No need to apologize at all. I'm grateful for all the support I've already received. Please enjoy the holidays and respond at your leisure.

On Dec 23, 2012 2:03 PM, Dmitri Pal d...@redhat.com wrote:
> I am sorry but most likely you would not hear from us till new year. All knowledgeable people in this area are on vacation next week.
>
> Thanks
> Dmitri