<div dir="ltr"><div>Rich,</div>
<div>You mean the AD Administrator password or the IPA admin password?<br><br></div>
<div class="gmail_quote">On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Shan Kumaraswamy wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">When I try to run this command I am getting this error:<br></div> [root@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
<div class="im"><br>ldap_simple_bind: Invalid credentials<br>ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771<br></div></blockquote>You are not providing the correct password.<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im"><br><br> On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>> wrote:<br>
<br> Please keep replies on list<br><br> Shan Kumaraswamy wrote:<br><br> Rich,<br> Does a reverse DNS lookup on the IP address return that<br> hostname? -Yes<br> Is Active Directory configured to use/listen to SSL? -Yes,<br>
Active Directory Cert Auth installed and exported and<br> verified.<br><br> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db<br> contain the CA cert of the windows CA? -yes "Imported CA cert"<br>
<br> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It is listing the<br> installed cert<br> I am trying to create a sync agreement from the IPA server using the<br> following syntax:<br> ipa-replica-manage add --winsync --binddn<br>
CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com<br> --bindpw secretpw --cacert<br> /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com<br>
</div>
<div class="im"> -v<br>
<br></div>
<div class="im"> Please correct me where I am doing wrong?<br><br> ldap_simple_bind: Can't contact LDAP server<br> SSL error -5961 (TCP connection reset by peer.)<br><br> This usually indicates some low level error. Let's try this:<br>
/usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com<br></div> -D
<div class="im"><br> "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s<br> base -b "" "objectclass=*"<br><br> Does that work?<br><br> <br><br> On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson<br>
<<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>><br></div>
<div class="im"> wrote:<br>
<br> Shan Kumaraswamy wrote:<br><br></div>
<div>
<div class="h5"> Hi Rich,<br><br> Sorry for the delayed reply; after I executed your<br> command I am<br> getting the following error from my directory server.<br> Please<br>
help me to resolve this error.<br><br> [root@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h<br> sbtaddc001.bmitest.com -p 636 -Z -P<br>
<br> /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D<br> CN=administrator,CN=users,DC=bmitest,DC=com -w<br> "secretpw" -s<br> base -b "" "objectclass=*"<br>
<br> ldap_simple_bind: Can't contact LDAP server<br> SSL error -5961 (TCP connection reset by peer.)<br><br> Is sbtaddc001.bmitest.com<br>
the real, registered DNS address for the Active Directory<br> server?<br> On both the linux machine and the windows machine?<br>
Does a reverse DNS lookup on the IP address return that<br> hostname?<br> Is Active Directory configured to use/listen to SSL?<br> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain<br>
the CA cert of the windows CA?<br> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM<br><br> <br> On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson<br> <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>> wrote:<br>
<br> Shan Kumaraswamy wrote:<br><br> Dear All,<br> I am facing the AD Sync issue with FreeIPA to Active<br> Directory, and as per the redhat-ds doc I have<br>
done all the<br> settings from AD front. Please help me to<br> resolve this<br> issue.<br> And find the below error message:<br> [root@sbttipa001 ~]# ipa-replica-manage add<br>
--winsync<br> --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com<br> --bindpw<br> secretpw --ca cert<br> /etc/dirsrv/slapd-BMITEST-COM/adsync.cer<br> sbtaddc001.bmitest.com -v --passsync<br>
bmi.123<br><br> Directory Manager password:<br> INFO:root:Shutting down dirsrv:<br> BMITEST-COM... [ OK ]<br>
INFO:root:<br> INFO:root:<br> INFO:root:<br> INFO:root:Starting dirsrv:<br> BMITEST-COM... [ OK ]<br>
INFO:root:<br> INFO:root:Added CA certificate<br> /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to<br> certificate<br> database for sbttipa001.bmitest.com<br>
<br><br> INFO:root:Restarted directory server<br> sbttipa001.bmitest.com<br>
<br> INFO:root:Could not validate connection to<br> remote server<br> sbtaddc001.bmitest.com:636 - continuing<br>
<br> INFO:root:The error was: {'info':<br> 'error:14090086:SSL<br> routines:SSL3_GET_SERVER_CERTIFICATE:certificate<br> verify<br> failed', 'desc ': "Can't contact LDAP server"}<br>
The user for the Windows PassSync service is<br> uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com<br> Windows PassSync entry exists, not resetting<br> password<br>
INFO:root:Added new sync agreement, waiting for<br> it to<br> become<br> ready . . .<br> INFO:root:Replication Update in progress: FALSE:<br>
status: 49 -<br> LDAP error: Invalid credentials: start: 0: end: 0<br> INFO:root:Agreement is ready, starting<br> replication . . .<br> Starting replication, please wait until this has<br>
completed.<br> [sbttipa001.bmitest.com] reports:<br>
Update failed!<br> Status: [49 - LDAP error: Invalid credentials]<br> INFO:root:Added agreement for other host<br> sbtaddc001.bmitest.com<br>
<br><br> Error 49 usually means the password is not correct. You<br> can use<br> mozldap ldapsearch to test the connection like this:<br><br> /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P<br>
/etc/dirsrv/slapd-BMITEST-COM/cert8.db -D<br> CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s<br> base -b ""<br> "objectclass=*"<br>
<br> -- Thanks & Regards<br> Shan Kumaraswamy<br><br> ------------------------------------------------------------------------<br>
<br> _______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<br><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br></div></div></blockquote><br></blockquote></div><br><br clear="all"><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br><br></div>
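The thread works through three distinct failures that all surface as a winsync agreement that will not start: a TCP reset on port 636 (AD not listening with SSL), a certificate that does not verify against the CA cert in the 389-ds cert database, and finally LDAP error 49 from a wrong bind password. The Python below is an added example, not code from the thread, FreeIPA or 389-ds: `classify_ldap_error` maps the exact error strings quoted above to the step of Rich's checklist that failed and decodes the AD `data 52e` sub-code, and `check_ad_endpoint` is an assumed stand-in for the forward/reverse DNS and TLS questions using only the standard library instead of mozldap `ldapsearch`. The hostnames, the CA file path and the sample error strings are taken from the thread as constructed inputs.

```python
"""Triage helper for the LDAPS/winsync failures discussed in the thread.

Added example: not part of the original mailing-list messages and not FreeIPA
or 389-ds code. Hostnames, CA path and sample error text are constructed from
the thread for illustration.
"""
import re
import socket
import ssl

# Active Directory extended error codes that follow "data" in the
# AcceptSecurityContext message of a failed simple bind. 52e is the one seen
# in the thread; the others are its documented companions.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_ldap_error(text: str) -> dict:
    """Map ldapsearch / ipa-replica-manage error output to the checklist step
    that failed. Returns {'stage', 'reason', 'ad_data'} for offline triage."""
    low = text.lower()
    # Order matters: the TLS and transport failures both carry the generic
    # "Can't contact LDAP server" text, so test for the specific cause first.
    if "certificate verify failed" in low:
        return {"stage": "tls_verify", "ad_data": None,
                "reason": "DC certificate did not chain to the CA cert in "
                          "cert8.db (wrong/missing Windows CA cert or name mismatch)"}
    if "-5961" in low or "connection reset by peer" in low:
        return {"stage": "transport", "ad_data": None,
                "reason": "TCP reset on the LDAPS port: AD is not listening "
                          "with SSL on 636, or something in between dropped it"}
    if "invalid credentials" in low or re.search(r"\b49\b", text):
        m = _AD_DATA_RE.search(text)
        code = m.group(1).lower() if m else None
        detail = AD_DATA_CODES.get(code, "bind DN or password rejected")
        return {"stage": "bind", "ad_data": code, "reason": f"LDAP error 49: {detail}"}
    return {"stage": "unknown", "ad_data": None, "reason": text.strip()}


def check_ad_endpoint(host: str, cafile: str, port: int = 636) -> list:
    """Live form of the DNS and TLS questions in the thread (assumed host and
    PEM CA file). Returns human-readable findings instead of raising."""
    findings = []
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return [f"forward DNS for {host} failed: {exc}"]
    findings.append(f"forward DNS: {host} -> {ip}")
    try:
        rname = socket.gethostbyaddr(ip)[0]
        findings.append("reverse DNS matches" if rname.lower() == host.lower()
                        else f"reverse DNS mismatch: {ip} -> {rname}")
    except socket.herror as exc:
        findings.append(f"reverse DNS for {ip} failed: {exc}")
    # Trust only the Windows CA cert, which is what the winsync plugin does
    # with the CA cert imported into cert8.db.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subj = tls.getpeercert().get("subject")
                findings.append(f"TLS handshake OK ({tls.version()}), subject={subj}")
    except ConnectionResetError:
        findings.append(f"TCP reset on port {port}: same symptom as 'SSL error -5961'")
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate verify failed against {cafile}: {exc.verify_message}")
    except OSError as exc:
        findings.append(f"connect failed: {exc}")
    return findings


# Constructed samples copied from the error text quoted in the thread.
SAMPLE_ERRORS = [
    "ldap_simple_bind: Can't contact LDAP server\n"
    "SSL error -5961 (TCP connection reset by peer.)",
    "INFO:root:The error was: {'info': 'error:14090086:SSL routines:"
    "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', "
    "'desc ': \"Can't contact LDAP server\"}",
    "ldap_simple_bind: Invalid credentials\n"
    "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 52e, v1771",
]

if __name__ == "__main__":
    for sample in SAMPLE_ERRORS:
        verdict = classify_ldap_error(sample)
        print(f"{verdict['stage']:>10}: {verdict['reason']}")
    # Live check, only meaningful from a host that can reach the DC:
    # print(check_ad_endpoint("sbtaddc001.bmitest.com",
    #                         "/etc/dirsrv/slapd-BMITEST-COM/adsync.cer"))
```

Running the script offline prints the stage for each of the three quoted errors in the order the thread hit them (transport, tls_verify, bind). The live check expects the CA file in PEM form; a DER `.cer` exported from the Windows CA would need converting first.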