Marc Caubet wrote:
Hi,

we are trying to import user accounts from OpenLDAP+TLS service to IPA.

Current ipa packages are:

[root@ipa01 alias]# rpm -qa | grep ipa
ipa-server-3.0.0-25.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.4.el6_4.x86_64
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
ipa-admintools-3.0.0-25.el6.x86_64
ipa-server-selinux-3.0.0-25.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-25.el6.x86_64
ipa-client-3.0.0-25.el6.x86_64

And we have started the process by configuring the IPA server and
enabling migration as follows:

ipa-server-install
kinit admin
ipa config-mod --enable-migration=TRUE

But after this, we have problems when importing the LDAP information
from ldap1-test.pic.es (which is the OpenLDAP+TLS server):

[root@ipa01 alias]# ipa migrate-ds
--bind-dn='cn=authenticate,ou=System,dc=pic,dc=es'
--base-dn='dc=pic,dc=es' --user-container='ou=People,dc=pic,dc=es'
--group-container='ou=Group,dc=pic,dc=es' ldap://ldap1-test.pic.es:389
Password:
ipa: ERROR: Confidentiality required: confidentiality required

[root@ipa01 alias]# ipa migrate-ds
--bind-dn='cn=authenticate,ou=System,dc=pic,dc=es'
--base-dn='dc=pic,dc=es' --user-container='ou=People,dc=pic,dc=es'
--group-container='ou=Group,dc=pic,dc=es' ldaps://ldap1-test.pic.es
Password:
ipa: ERROR: cannot connect to u'ldaps://ldap1-test.pic.es': LDAP Server Down

Both ports, 389 and 636, are running and working and available for
different clients.

I also tried by importing the TLS certificate to the httpd service and
restarting the services:

certutil -A -d /etc/httpd/alias -n 'TERENASSLCA' -t CT,C,C -a <
/etc/ssl/certs/TERENASSLCA.crt
service httpd restart

/etc/ssl/certs/TERENASSLCA.crt is the certificate used on all server
machines accessing the LDAP service, so it is the one configured on the
OpenLDAP+TLS server.

Any idea what's wrong? How can I import OpenLDAP+TLS accounts to IPA?

Thanks a lot and best regards,

The ldap library is returning LDAP_SERVER_DOWN which is a basic connectivity problem, though I suppose it could be masking an SSL connection issue.

You might want to try:

LDAPTLS_CACERT=/etc/ssl/certs/TERENASSLCA.crt ldapsearch -x -H ldaps://ldap1-test.pic.es -b ou=System,dc=pic,dc=es cn=authenticate

Another option would be to check the OpenLDAP logs to see if it is rejecting a connection from the IPA server.

rob
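To narrow down the failure the way Rob's ldapsearch test does, the script below (an added example, not code from either message nor from the FreeIPA project) does the two steps an LDAPS client performs, the TCP connect and then the verified TLS handshake, and reports which one failed. A TCP failure corresponds to the LDAP_SERVER_DOWN that migrate-ds reported; a TLS verification failure is the "SSL connection issue" that such an error can mask. It uses Python's ssl module rather than the OpenLDAP client library, so a result of "ok" only says the transport is fine, not that the bind DN or migration itself will work. The hostname, port and CA path in the demo are the ones from the thread; the free-port helper is there only to show the "refused" case offline.

```python
import os
import socket
import ssl
from urllib.parse import urlparse

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri):
    """Split an ldap:// or ldaps:// URI into (scheme, host, port), filling in the default port."""
    parsed = urlparse(uri)
    if parsed.scheme not in DEFAULT_PORTS or not parsed.hostname:
        raise ValueError("expected ldap://host[:port] or ldaps://host[:port], got %r" % uri)
    return parsed.scheme, parsed.hostname, parsed.port or DEFAULT_PORTS[parsed.scheme]


def classify_ldap_connect(uri, cafile=None, timeout=5.0):
    """Attempt the TCP connect and (for ldaps://) the TLS handshake that an LDAP client
    library does, and return a label for the first step that failed:
      'dns'        hostname does not resolve
      'refused'    TCP connect refused / timed out / unreachable (what LDAP_SERVER_DOWN normally means)
      'plaintext'  ldap:// URI, TCP connect succeeded, no TLS attempted
      'tls_verify' TCP fine, but the server certificate did not verify against cafile (or system CAs)
      'tls_other'  TCP fine, but the TLS handshake failed for another reason (e.g. no TLS on that port)
      'ok'         TCP connect and verified TLS handshake both succeeded
    """
    scheme, host, port = parse_ldap_uri(uri)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns"
    except OSError:  # ConnectionRefusedError, TimeoutError, EHOSTUNREACH, ...
        return "refused"
    if scheme == "ldap":
        raw.close()
        return "plaintext"
    # Same checks an LDAPS client applies: chain against cafile (or the system CA store)
    # plus hostname match against the certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "tls_verify"
    except ssl.SSLError:
        return "tls_other"
    except OSError:  # connection reset or handshake timeout after TCP succeeded
        return "tls_other"


def free_local_port():
    """Pick a TCP port on 127.0.0.1 that nothing listens on, to demonstrate the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Server name and CA file as given in the thread; the CA is only passed if it exists here.
    ca = "/etc/ssl/certs/TERENASSLCA.crt"
    ca = ca if os.path.exists(ca) else None
    for uri in ("ldap://ldap1-test.pic.es:389", "ldaps://ldap1-test.pic.es"):
        print(uri, "->", classify_ldap_connect(uri, cafile=ca))
    # Constructed case: a closed local port reproduces the 'refused' / LDAP_SERVER_DOWN situation.
    print("closed local port ->", classify_ldap_connect("ldaps://127.0.0.1:%d" % free_local_port()))
```

If the ldaps:// URI comes back as "refused" while ldapsearch from another host works, the problem is between the IPA server and port 636 (firewall, slapd listener bound to a different address, or the OpenLDAP access controls Rob mentions); "tls_verify" means the TERENASSLCA.crt chain or the server name in the certificate does not match what the IPA host presents, which importing the CA into /etc/httpd/alias does not address because migrate-ds runs the LDAP client with its own trust store.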

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users