Re: [Freeipa-users] IPA AD Sync error

2010-09-22 Thread Rich Megginson

Shan Kumaraswamy wrote:

Hi Rich,
Please find the attached error log file.
Please file a bug and include all of the steps necessary to reproduce 
the issue.

On Wed, Sep 22, 2010 at 4:17 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

And also I checked the directory server log (error log); it shows this error:

NSMMReplicationPlugin - failed to send dirsync search request: 2

Can you post more of the error log?
Also, the replication log level is also used for winsync
debugging: http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson wrote:

Shan Kumaraswamy wrote:

Hi Rich,

Finally I imported the right CA into the IPA box; now I am getting this
error while executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
MYDOMAIN-COM... [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to
certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}

This is normal, due to a limitation in the way python-ldap loads
CA certs.  You can ignore this.

The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

Looks like it is working - so far, so good.

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:

Re: [Freeipa-users] IPA AD Sync error

2010-09-22 Thread Rich Megginson

Shan Kumaraswamy wrote:

And also I checked the directory server log (error log); it shows this error:

NSMMReplicationPlugin - failed to send dirsync search request: 2

Can you post more of the error log?
Also, the replication log level is also used for winsync debugging:
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

Hi Rich,

Finally I imported the right CA into the IPA box; now I am getting this
error while executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
MYDOMAIN-COM... [  OK  ]
INFO:root:
INFO:root:Added CA certificate
/etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate
database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed', 'desc': "Can't contact LDAP server"}

This is normal, due to a limitation in the way python-ldap loads
CA certs.  You can ignore this.

The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become
ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0
Incremental update started: start: 20100921163646Z: end:
20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host
sbpaddc003.corp.mydomain.ad

Looks like it is working - so far, so good.

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:

Shan Kumaraswamy wrote:

Hi Rich,
While executing your command (ldapsearch), I am getting the
following output:

_Command:_
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
"objectclass=*"

_Output:_
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not
recognized.)

_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

_Output:_
[r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_

Re: [Freeipa-users] IPA AD Sync error

2010-09-21 Thread Rich Megginson

Shan Kumaraswamy wrote:

Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error
while executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
MYDOMAIN-COM... [  OK  ]
INFO:root:
INFO:root:Added CA certificate
/etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for
saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
'desc': "Can't contact LDAP server"}

This is normal, due to a limitation in the way python-ldap loads CA
certs.  You can ignore this.

The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

Looks like it is working - so far, so good.

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

Hi Rich,
While executing your command (ldapsearch), I am getting the
following output:

_Command:_
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
"objectclass=*"

_Output:_
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not
recognized.)

_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

_Output:_
[r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result

Re: [Freeipa-users] IPA AD Sync error

2010-09-21 Thread Shan Kumaraswamy
Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error while
executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
MYDOMAIN-COM... [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to
certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:

> Shan Kumaraswamy wrote:
>
>> Hi Rich,
>> While executing your command (ldapsearch), I am getting the following
>> output:
>>  _Command:_
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
>> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>  _Output:_
>> ldap_search: Can't contact LDAP server
>>SSL error -8179 (Peer's Certificate issuer is not recognized.)
>> _Command:_
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
>> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>  _Output:_
>>  [r...@saprhds001 ~]#
>> LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1
>> -x -h sbpaddc003.corp.mydomain.ad -p
>> 389 -Z -s base -b ""
>> ldap_create
>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>>
>> ldap_extended_operation_s
>> ldap_extended_operation
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>>
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.8.27.22:389 
>>
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_open_defconn: successful
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush: 31 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 1
>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
>>
>>  refcnt: 2  status: Connected
>>  last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>  * msgid 1,  origid 1, status InProgress
>>   outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>>   Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 40 contents:
>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>> ber_scanf fmt ({eaa) ber:
>> read1msg: ld 0x1aa8c6f0 0 new referrals
>> read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
>> request done: ld 0x1aa8c6f0 msgid 1
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 1, msgid 1)
>> ldap_parse_extended_result
>> ber_scanf fmt ({eaa) ber:
>> ber_scanf fmt (a) ber:
>> ldap_parse_result
>> ber_scanf fmt ({iaa) ber:
>> ber_scanf fmt (x) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 20, subject: /CN=
>> SBPADDC003.Corp.MYDOMAIN.AD, issuer:
>> /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, unable to get local issuer
>> certificate
>>
> Unable to get local issuer certificate?  Is the adcacert.asc file the
> actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have more
> than one CA or subordinate CAs?  If so, you may need to have the entire CA
> cert chain in the file.
>
> If you are sure that adcacert.asc is from the AD CA, then try adding
> TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above
> ldapsearch again.
>
> Let's see what th

Re: [Freeipa-users] IPA AD Sync error

2010-09-21 Thread Rich Megginson

Shan Kumaraswamy wrote:

Hi Rich,
While executing your command (ldapsearch), I am getting the following
output:

_Command:_
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

_Output:_
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)

_Command:_
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

_Output:_
[r...@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389 
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer
certificate

Unable to get local issuer certificate?  Is the adcacert.asc file the
actual CA cert in ascii/pem/base64 format from the AD CA?  Do you have
more than one CA or subordinate CAs?  If so, you may need to have the
entire CA cert chain in the file.

If you are sure that adcacert.asc is from the AD CA, then try adding
TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the
above ldapsearch again.

Let's see what the subject and issuer are in the CA cert:
openssl x509 -in /path/to/adcacert.asc -text

TLS certificate verification: depth: 0, err: 27, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject:
/CN=SBPADDC003.Corp.MYDOMAIN.AD,
issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first
certificate

TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 1
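
Rich's two questions above (is adcacert.asc really the CA that issued the AD server cert, and does it hold the whole chain when there are subordinate CAs) can be exercised offline. The script below is an added example, not code from this thread, from FreeIPA or from 389 DS: it builds a constructed test PKI with the openssl CLI (a root CA, a subordinate CA, an LDAP server certificate issued by the subordinate, and an unrelated CA standing in for a wrong adcacert.asc), then reproduces the "unable to get local issuer certificate" verdict (X509 verify error 20) against the wrong CA file and against a file holding only the root, and shows it clearing once the file carries root and subordinate together. The issuer/subject comparison is the same check as the `openssl x509 -text` on adcacert.asc suggested above, and it applies equally to a server certificate saved from `openssl s_client -showcerts`. All names (Example-root-CA, dc1.example.test, the temporary file names) are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local
# issuer certificate" verdict offline and show the CA-chain fix.
# Needs only the openssl CLI (1.1.1 or newer). All names are constructed.
set -e

# Build a throwaway PKI: root CA -> sub CA -> LDAP server cert, plus an
# unrelated self-signed CA standing in for "the wrong adcacert.asc".
make_test_pki() {
    dir=$1
    cfg=$dir/openssl.cnf
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.example.test
EOF
    # Two self-signed roots: the real one and an unrelated one.
    for ca in root other; do
        openssl req -x509 -config "$cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
            -subj "/DC=test/DC=example/CN=Example-${ca}-CA" -days 365 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
    done
    # Subordinate CA issued by the root (common in AD deployments).
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/DC=test/DC=example/CN=Example-Sub-CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$cfg" -extensions ca_ext \
        -out "$dir/sub.pem" >/dev/null 2>&1
    # Domain-controller (LDAP server) certificate issued by the subordinate.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=dc1.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 365 -extfile "$cfg" -extensions srv_ext \
        -out "$dir/srv.pem" >/dev/null 2>&1
    # What a complete adcacert.asc must hold: the whole issuing chain.
    cat "$dir/root.pem" "$dir/sub.pem" > "$dir/chain.pem"
}

# Subject / issuer of a PEM cert in RFC 2253 form (the "subject=" prefix
# openssl prints is stripped so the two can be compared directly).
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[^=]*= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[^=]*= *//'; }

# Verify cert $2 against CA file $1. Prints OK, or the X509 verify error
# number (20 = unable to get local issuer certificate). Always exits 0.
verify_against() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"

# The diagnostic: does the server cert's issuer match the CA file's subject,
# and which CA file actually verifies it?
echo "server cert issuer : $(issuer_of "$WORK/srv.pem")"
echo "sub CA subject     : $(subject_of "$WORK/sub.pem")"
echo "root CA subject    : $(subject_of "$WORK/root.pem")"
echo "wrong CA file      : $(verify_against "$WORK/other.pem" "$WORK/srv.pem")"
echo "root only          : $(verify_against "$WORK/root.pem" "$WORK/srv.pem")"
echo "root + sub chain   : $(verify_against "$WORK/chain.pem" "$WORK/srv.pem")"
```

Run as-is: the first two verification lines print 20 (the wrong CA, and the root alone when the server cert was issued by a subordinate), the last prints OK. The issuer line equals the subordinate's subject and not the root's, which is exactly what comparing `openssl x509 -text` output of the CA file with the server cert's issuer tells you before touching the LDAP configuration.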

Re: [Freeipa-users] IPA AD Sync error

2010-09-21 Thread Shan Kumaraswamy
Hi Rich,
While executing your command (ldapsearch), I am getting the following output:

*Command:*
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

*Output:*
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)
*Command:*
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

*Output:*
[r...@saprhds001 ~]#
LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1
-x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=
SBPADDC003.Corp.MYDOMAIN.AD, issuer:
/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=
SBPADDC003.Corp.MYDOMAIN.AD, issuer:
/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=
SBPADDC003.Corp.MYDOMAIN.AD, issuer:
/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)

Please help to resolve this issue.

On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote:

> Shan Kumaraswamy wrote:
>
>> Rich,
>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>>  Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error:
>> Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is

Re: [Freeipa-users] IPA AD Sync error

2010-09-20 Thread Rich Megginson

Shan Kumaraswamy wrote:

Rich,
I am again facing some issue with IPA+AD Sync and I tested all the levels:

Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP
error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports:
Update failed! Status: [81  - LDAP error: Can't contact LDAP server]

I have imported the right CA to the IPA box and the output is:

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

CA certificate                                  CTu,u,Cu
Imported CA                                     CT,,C
Server-Cert                                     u,u,u

And also I did the openssl s_client option too, but no luck.

What exactly did you do with openssl s_client?

Did you try
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

Without the cert, when I try ldapsearch it gives output, but with the cert
(AD CA) it throws an error.

Please help me fix this issue.

--
Thanks & Regards
Shan Kumaraswamy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA+AD sync error

2010-08-18 Thread Rich Megginson

Shan Kumaraswamy wrote:

Sorry, I deleted the copied cert file :(

If you want to get the CA cert out of the certdb and into ascii/pem format:
certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a >
msadca.crt

If you want to get the CA cert directly from MS CA:
on your AD box, open a web browser
go to http:///certsrv
There should be an option there to view or download the CA cert.  You
want to download it in ascii/pem/base64 format (I think Windows uses the
term Base64 encoded cert for PEM).  Then you'll have to copy that file
to your IPA box.

On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

OK, sure, I will do the test. Can you please let me know the command
to import the AD CA into the dirsrv cert db?

It is already in there?  This is the certificate called "Imported
CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer:
"CN=test-WINDOWS-CA,DC=test,DC=ad"

Or are you asking because you don't know how it got in there in
the first place, or forgot?

On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson wrote:

Shan Kumaraswamy wrote:

Rich,
Can I know the command to trust the IPA-generated CA cert file?

See below

So I don't think that is the problem here.  If that were the
problem, I would expect a different error message.  I think you're
just going to have to use something like openssl s_client to
examine the server cert used by AD.

On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson wrote:

Re: [Freeipa-users] IPA+AD sync error

2010-08-18 Thread Rich Megginson

Shan Kumaraswamy wrote:

OK, sure, I will do the test. Can you please let me know the command to
import the AD CA into the dirsrv cert db?

It is already in there?  This is the certificate called "Imported CA"
with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer:
"CN=test-WINDOWS-CA,DC=test,DC=ad"

Or are you asking because you don't know how it got in there in the
first place, or forgot?

On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

Rich,
Can I know the command to trust the IPA-generated CA cert file?

See below

So I don't think that is the problem here.  If that were the
problem, I would expect a different error message.  I think you're
just going to have to use something like openssl s_client to
examine the server cert used by AD.

On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson wrote:

Shan Kumaraswamy wrote:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Validity:
            Not Before: Tue Aug 17 01:39:07 2010
            Not After : Mon Aug 17 01:49:05 2015
        Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
                    e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
                    f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
                    0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
                    84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
                    e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
                    f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
                    58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
                    00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
                    f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
                    ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
                    2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
                    57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
                    cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
                    c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
                    40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Microsoft Enrollment Cert Type Extension
            Data: "CA"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Subject Key ID
            Data:
                a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
                e6:fb:3a:6d

            Name: Microsoft CertServ CA version
            Data: 0 (0x0)

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
        35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
        c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
        bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
        ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
        e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
        e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
        cc:4d:5b:84:85:fb:63:

Re: [Freeipa-users] IPA+AD sync error

2010-08-18 Thread Rich Megginson

Shan Kumaraswamy wrote:

Rich,
Can I know the command to trust the IPA-generated CA cert file?

See below

So I don't think that is the problem here.  If that were the problem, I
would expect a different error message.  I think you're just going to
have to use something like openssl s_client to examine the server cert
used by AD.

On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson wrote:


Shan Kumaraswamy wrote:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Validity:
            Not Before: Tue Aug 17 01:39:07 2010
            Not After : Mon Aug 17 01:49:05 2015
        Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
                    e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
                    f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
                    0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
                    84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
                    e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
                    f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
                    58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
                    00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
                    f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
                    ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
                    2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
                    57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
                    cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
                    c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
                    40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Microsoft Enrollment Cert Type Extension
            Data: "CA"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Subject Key ID
            Data:
                a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
                e6:fb:3a:6d

            Name: Microsoft CertServ CA version
            Data: 0 (0x0)

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
        35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
        c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
        bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
        ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
        e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
        e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
        cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
        4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
        10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
        da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
        e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
        18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
        81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
        dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
        2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
    Fingerprint (MD5):
        4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
    Fingerprint (SHA1):
        84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:
            Valid CA
            Trusted CA

This looks ok.  So is it possible the AD server cert was not
issued by this CA?  I suppose you could use an SSL test program

Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson

Shan Kumaraswamy wrote:


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
Validity:
Not Before: Tue Aug 17 01:39:07 2010
Not After : Mon Aug 17 01:49:05 2015
Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Microsoft Enrollment Cert Type Extension
Data: "CA"

Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Certificate Signing
CRL Signing

Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

Name: Certificate Subject Key ID
Data:
a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
e6:fb:3a:6d

Name: Microsoft CertServ CA version
Data: 0 (0x0)

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
Fingerprint (MD5):
4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
Fingerprint (SHA1):
84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC

Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:
Valid CA
Trusted CA

This looks ok.  So is it possible the AD server cert was not issued by 
this CA?  I suppose you could use an SSL test program like /usr/bin/ssltap
or openssl s_client like this:

openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc

You can also add -verify 3 and -showcerts and -debug
see "man s_client" for more information




Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson

Shan Kumaraswamy wrote:

Done, and it produced the output too. Can you please let me know the next step?

Can you post the output?



Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson

Shan Kumaraswamy wrote:

Rich,
Please find below the output of the command:

[r...@saprhds001 ~]# certutil -d /etc/dirsrv/slapd--COM -L
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Imported CA                                     CT,,C
CA certificate                                  CTu,u,Cu
Server-Cert                                     u,u,u

I'm assuming "Imported CA" is the MS AD CA.  Do this:
certutil -d /etc/dirsrv/slapd--COM -L -n "Imported CA"



Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Rich Megginson

Shan Kumaraswamy wrote:

After this error, I tried the following steps:

/usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "" -s base -b "" "objectclass=*"

Then I got output like this:

version: 1
dn:
currentTime: 20100817220245.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
namingContexts: DC=test,DC=ad
namingContexts: CN=Configuration,DC=test,DC=ad
namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
namingContexts: DC=DomainDnsZones,DC=test,DC=ad
namingContexts: DC=ForestDnsZones,DC=test,DC=ad
defaultNamingContext: DC=test,DC=ad
schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
configurationNamingContext: CN=Configuration,DC=test,DC=ad
rootDomainNamingContext: DC=test,DC=ad
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 73772
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: Windows.test.ad 
ldapServiceName: test.ad:windo...@test.ad 
serverName: 
CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi

 guration,DC=test,DC=ad
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

Then I tried the next step:

/usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd--COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "x" -s base -b "" "objectclass=*"

ldap_simple_bind: Can't contact LDAP server
TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)

Please help me to fix this.
This usually means the SSL server's CA cert is not recognized.  What 
does this say:

certutil -d /etc/dirsrv/slapd--COM -L
?


 

Re: [Freeipa-users] IPA+AD sync error

2010-08-17 Thread Shan Kumaraswamy
Hi Rich,
After I did all the steps, I am getting this error:


INFO:root:Added CA certificate /etc/dirsrv/slapd--COM/adcert.cer to
certificate database for tesipa001.test.com
INFO:root:Restarted directory server tesipa001.test.com
INFO:root:Could not validate connection to remote server
windows.test.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error:
Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports: Update failed! Status: [81  - LDAP error:
Can't contact LDAP server]
INFO:root:Added agreement for other host windows.test.ad

Please help me to fix this issue.

The syntax I used: ipa-replica-manage add --winsync --binddn
CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert
/etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync
"password"





-- 
Thanks & Regards
Shan Kumaraswamy
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Rich Megginson

Shan Kumaraswamy wrote:

Rich,

While installing IPA it creates its own CA cert, right? (cacert.p12),

Right.

and I also did the step of exporting this CA file as dsca.crt.

Right.  You have to do that so that AD can be an SSL client to the IPA 
SSL server.

Please let me know the steps to generate the IPA CA and server cert.

The other part is that you have to install the AD CA cert in IPA so that 
IPA can be the SSL client to the AD SSL server.
 



 


Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Shan Kumaraswamy
Rich,

While installing IPA it creates its own CA cert, right? (cacert.p12), and
I also did the step of exporting this CA file as dsca.crt. Please let me
know the steps to generate the IPA CA and server cert.






-- 
Thanks & Regards
Shan Kumaraswamy

Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Rich Megginson

Shan Kumaraswamy wrote:

Hi,

I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync with 
Active Directory (Windows 2008 R2). Can anyone please share a 
step-by-step configuration doc with me? Previously I did the same 
exercise, but now it is not working for me and I am facing a lot of 
challenges making this happen.

Please find below the steps I have done so far:

1.   Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly 
and tested that they work fine

2.   On the AD side, installed Active Directory Certificate Server as 
an Enterprise Root

3.   Copied the "cacert.p12" file and imported it under Certificates - 
Service (Active Directory Domain Services) on Local Computer using MMC.

4.   Installed the PassSync.msi file and provided all the required information

5.   Ran the command "certutil -d . -L -n "CA certificate" -a > 
dsca.crt" on the IPA server, copied the .crt file to the AD server and 
ran the following commands from "C:\Program Files\Red Hat Directory Password 
Synchronization":

6.   certutil.exe -d . -N

7.   certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i 
\path\to\dsca.crt

8.   certutil.exe -d . -L -n "DS CA cert", and rebooted the AD server.

After these steps, when I try to create the sync agreement from the IPA 
server I get this error:

ldap_simple_bind: Can't contact LDAP server

SSL error -8179 (Peer's Certificate issuer is not recognized.)

Please share the steps to configure AD Sync with the IPA server.


http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

But it looks as though there is a step missing.  If you use MS AD CA to 
generate the AD cert, and use IPA to generate the IPA CA and server 
cert, then you have to import the MS AD CA cert into IPA.


 

 



--
Thanks & Regards
Shan Kumaraswamy





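Rich's point, and Kambiz's, is that trust has to be installed in both directions, and the -t flags given to certutil decide what an imported CA may vouch for. The script below is an added example, not code from the thread or from FreeIPA/389: it decodes the Trust Attributes column of `certutil -d <db> -L`, using the listing posted earlier in the thread (re-aligned into columns and embedded as constructed sample data), and reports whether a nickname carries the "C" flag in the SSL group, which is what the `-t CT,,` of step 7 grants on the PassSync side and what the AD CA needs in the DS database before the DC's server certificate can be accepted. The function names and the instance name in the live command at the end are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: decode the "Trust Attributes" column of
# certutil -L and confirm a CA nickname is trusted to issue SSL server certs.
set -eu

# Constructed sample: the listing posted in the thread, columns re-aligned.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Imported CA                                     CT,,C
CA certificate                                  CTu,u,Cu
Server-Cert                                     u,u,u'

# Print the trust string (e.g. "CT,,C") for one nickname. Nicknames may
# contain spaces, so the attribute column is the last whitespace-separated
# field and the nickname is everything before it. Exit 1 if not present.
trust_attrs() {  # $1 = listing text, $2 = nickname
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 {
            attrs = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")      # drop the attribute column
            if ($0 == nick) { print attrs; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# The three comma-separated groups are SSL, S/MIME and JAR/XPI. Within a
# group: C = trusted CA for server certs, T = trusted CA for client certs,
# c = valid CA but not trusted, u = our own cert/key, P = trusted peer.
ssl_flags()   { printf '%s\n' "${1%%,*}"; }
smime_flags() { rest=${1#*,}; printf '%s\n' "${rest%%,*}"; }

# NSS accepts a server cert only if its issuer has "C" in the SSL group;
# otherwise the handshake fails with -8179 "Peer's Certificate issuer is not
# recognized". $1 = trust string.
trusts_ssl_server_ca() {
    case "$(ssl_flags "$1")" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Verdict for one nickname in a listing. Returns 0 when the CA is usable as
# the issuer of the peer's server cert.
check_ca_trust() {  # $1 = listing text, $2 = nickname
    attrs=$(trust_attrs "$1" "$2") || { echo "$2: not in this database"; return 1; }
    if trusts_ssl_server_ca "$attrs"; then
        echo "$2: [$attrs] trusted to issue SSL server certs"
    else
        echo "$2: [$attrs] NOT trusted for SSL server certs; re-add with -t CT,,C"
        return 1
    fi
}

check_ca_trust "$SAMPLE_LISTING" "Imported CA"
check_ca_trust "$SAMPLE_LISTING" "Server-Cert" || true

# Live use on the IPA server (instance name is an assumption):
#   check_ca_trust "$(certutil -d /etc/dirsrv/slapd-TEST-COM -L)" "Imported CA"
```

The listing only tells you that the nickname is trusted for the right purpose; it does not tell you that it is the CA which actually issued the DC's certificate, which is what Rich's openssl s_client suggestion is for. A CA that shows up as `c,,` or `,,` was imported without `-t CT,,C` and will produce exactly the -8179 error in the thread even though it is present in the database.
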
Re: [Freeipa-users] IPA+AD sync error

2010-08-16 Thread Kambiz Aghaiepour
Do you have the correct version of the passsync.msi installed?  The
version I've installed that works with windows 2008 R2 installs the
service under:

 C:\Program Files\389 Directory Password Synchronization\

The download for version 1.1.4 is located here:

http://directory.fedoraproject.org/wiki/Download

Also, since you are using the Certificate Server, you probably need to
install the CA Cert from your AD server on the FreeIPA servers as well,
so that they will trust the SSL certs on your AD servers.

Kambiz



-- 
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent."  --Thomas Jefferson
