[Fedora-directory-users] Re: SYNC without password ...

Rich Megginson rmeggins at redhat.com
Mon Oct 20 20:57:01 UTC 2008


Vipul Ramani wrote:
> I think we are headed to solutions ...
>
> Do I need to re-install the certificate in PassSync again ??? after we 
> install the new CSR with the FQDN ... ???
No, at least not yet. The ldapsearch output below looks correct. In 
your sync agreement, did you use labdc01.tf-lab.test2.com or just 
labdc01? You have to use the FQDN.

Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to 
/etc/dirsrv/slapd-linux2/cert8.db?  What is the relationship between 
slapd-linux2cert8.db and cert8.db?
>
>
> root at linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h 
> labdc01.tf-lab.test2.com -p 636 -Z 
> -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" 
> "objectclass=*"
> ldapsearch: started Mon Oct 20 06:18:20 2008
>
> ldap_init( labdc01.tf-lab.test2.com, 636 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> filter pattern: objectclass=*
> returning: ALL
> filter is: (objectclass=*)
> version: 1
> dn:
> currentTime: 20081020202134.0Z
> subschemaSubentry: 
> CN=Aggregate,CN=Schema,CN=Configuration,DC=tf-lab,DC=tribal
>  fusion,DC=com
> dsServiceName: CN=NTDS 
> Settings,CN=LABDC01,CN=Servers,CN=Default-First-Site-Na
>  me,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
> namingContexts: DC=tf-lab,DC=test2,DC=com
> namingContexts: CN=Configuration,DC=tf-lab,DC=test2,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com
> namingContexts: DC=DomainDnsZones,DC=tf-lab,DC=test2,DC=com
> namingContexts: DC=ForestDnsZones,DC=tf-lab,DC=test2,DC=com
> defaultNamingContext: DC=tf-lab,DC=test2,DC=com
> schemaNamingContext: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=c
>  om
> configurationNamingContext: CN=Configuration,DC=tf-lab,DC=test2,DC=com
> rootDomainNamingContext: DC=tf-lab,DC=test2,DC=com
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.528
> supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.619
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.521
> supportedControl: 1.2.840.113556.1.4.1948
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
> supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> highestCommittedUSN: 90680
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> dnsHostName: labdc01.tf-lab.test2.com
> ldapServiceName: tf-lab.test2.com:labdc01$@TF-LAB.TEST2.COM
> serverName: 
> CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 0
> forestFunctionality: 0
> domainControllerFunctionality: 2
>
>
> root at linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors
> [root at linux2 slapd-linux2]#
>
> On Mon, Oct 20, 2008 at 12:07 PM, Vipul Ramani <vipulramani at gmail.com> wrote:
>
>     CA is a self-signed generated certificate, by Linux2 itself.
>
>
>     [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"
>
>
>     Certificate Nickname                                         Trust Attributes
>                                                                  SSL,S/MIME,JAR/XPI
>
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number: 1000 (0x3e8)
>             Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>             Issuer: "CN=CAcert"
>             Validity:
>                 Not Before: Fri Oct 17 15:11:18 2008
>                 Not After : Wed Oct 17 15:11:18 2018
>             Subject: "CN=CAcert"
>             Subject Public Key Info:
>                 Public Key Algorithm: PKCS #1 RSA Encryption
>                 RSA Public Key:
>                     Modulus:
>                     Exponent: 65537 (0x10001)
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Signature:
>         Fingerprint (MD5):
>             2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C
>         Fingerprint (SHA1):
>             06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E
>
>         Certificate Trust Flags:
>             SSL Flags:
>                 Valid CA
>                 Trusted CA
>                 User
>                 Trusted Client CA
>             Email Flags:
>                 User
>             Object Signing Flags:
>                 User
>
>     [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
>
>
>     Certificate Nickname                                         Trust Attributes
>                                                                  SSL,S/MIME,JAR/XPI
>
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number:
>                 14:fc:4e:02:00:00:00:00:00:16
>             Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>             Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
>             Validity:
>                 Not Before: Fri Oct 17 23:35:13 2008
>                 Not After : Sun Oct 17 23:35:13 2010
>             Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
>             Subject Public Key Info:
>                 Public Key Algorithm: PKCS #1 RSA Encryption
>                 RSA Public Key:
>                     Modulus:
>                     Exponent: 65537 (0x10001)
>             Signed Extensions:
>                 Name: Certificate Subject Key ID
>                 Data:
>                     75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
>                     c0:b2:4f:d3
>
>                 Name: Certificate Authority Key Identifier
>                 Key ID:
>                     83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
>                     11:9e:ec:f9
>
>                 Name: CRL Distribution Points
>                 URI: "ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint"
>                 URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.crl"
>
>                 Name: Authority Information Access
>                 Method: PKIX CA issuers access method
>                 Location:
>                     URI: "ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?cACertificate?base?objectClass=certificationAuthority"
>                 Method: PKIX CA issuers access method
>                 Location:
>                     URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.tf-lab.test2.com_labdc01.crt"
>
>                 Name: Microsoft Enrollment Cert Type Extension
>                 Data: "WebServer"
>
>                 Name: Certificate Basic Constraints
>                 Critical: True
>                 Data: Is not a CA.
>
>                 Name: Certificate Key Usage
>                 Usages: Digital Signature
>                         Key Encipherment
>
>                 Name: Extended Key Usage
>                     TLS Web Server Authentication Certificate
>
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Signature:
>         Fingerprint (MD5):
>             BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
>         Fingerprint (SHA1):
>             89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA
>
>         Certificate Trust Flags:
>             SSL Flags:
>                 Valid CA
>                 Trusted CA
>                 User
>                 Trusted Client CA
>             Email Flags:
>                 User
>             Object Signing Flags:
>                 User
>
>         
>
>
>     /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P
>     /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"
>
>     When I do this I am getting a coredump ...  :((
>
> -- 
> Regards
>
> Vipul Ramani
>

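The reply above asks about the relationship between the two cert8.db files; the same question can be asked of the two certificates Vipul listed. As an added example that is not part of the original mail, this Python script parses certutil -L -d <dir> -n <nick> output and reports, for each certificate, whether its Issuer is the Subject of a Trusted CA in the same database and whether a non-CA certificate carries the Trusted CA flag. The sample input is constructed from the two listings quoted above, with the hex blobs removed and wrapped values rejoined.

```python
# Constructed sample, reduced from the two certutil -L -n listings pasted in the thread
# (hex blobs dropped, values that certutil wrapped onto a second line rejoined).
CERTUTIL_OUTPUT = """\
Certificate:
    Issuer: "CN=CAcert"
    Subject: "CN=CAcert"
    Certificate Trust Flags:
        SSL Flags:
            Trusted CA
Certificate:
    Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
    Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
    Data: Is not a CA.
    Certificate Trust Flags:
        SSL Flags:
            Trusted CA
"""

def parse_certs(text):
    """Return one dict (subject, issuer, is_ca, ssl_flags) per certificate in the listing."""
    certs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Certificate:"):      # unindented: starts a new certificate
            certs.append({"subject": None, "issuer": None, "is_ca": None, "ssl_flags": set()})
            section = None
        elif not certs or not line:
            continue
        elif line.startswith(("Subject:", "Issuer:")):
            key, _, val = line.partition(":")
            certs[-1][key.lower()] = val.strip().strip('"')
        elif line.endswith("Flags:"):           # "Certificate Trust", "SSL", "Email", ...
            section = line[: -len("Flags:")].strip()
        elif line in ("Data: Is a CA.", "Data: Is not a CA."):  # Basic Constraints text
            certs[-1]["is_ca"] = line == "Data: Is a CA."
        elif section == "SSL":
            certs[-1]["ssl_flags"].add(line)
    return certs

def check_db(certs):
    """Return (subject, finding) pairs: who issued each cert, and CA flags on non-CA certs."""
    trusted = {c["subject"] for c in certs if "Trusted CA" in c["ssl_flags"]}
    findings = []
    for c in certs:
        if c["issuer"] in trusted:
            findings.append((c["subject"], "issuer is a Trusted CA in this db"))
        else:
            findings.append((c["subject"], "issuer not in this db: %s" % c["issuer"]))
        if c["is_ca"] is False and "Trusted CA" in c["ssl_flags"]:
            findings.append((c["subject"], "non-CA certificate carries the Trusted CA flag"))
    return findings
```

Run it on the real output of certutil -L -d /etc/dirsrv/slapd-linux2 -n "<nick>" for each nickname, concatenated, to see which certificate in the database actually anchors the server certificate.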

