[Freeipa-users] IPA+AD sync error

Rich Megginson rmeggins at redhat.com
Tue Aug 17 16:00:14 UTC 2010


Shan Kumaraswamy wrote:
> Rich,
> Please find the below out put of the command:
>  
> [root at saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Imported CA                                                  CT,,C
> CA certificate                                               CTu,u,Cu
> Server-Cert                                                  u,u,u
I'm assuming "Imported CA" is the MS AD CA.  Do this:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
> On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         After this error, I tried the following steps:
>
>         /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"
>
>          Then I got output like this:
>          
>         version: 1
>         dn:
>         currentTime: 20100817220245.0Z
>         subschemaSubentry:
>         CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
>         dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>         namingContexts: DC=test,DC=ad
>         namingContexts: CN=Configuration,DC=test,DC=ad
>         namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
>         namingContexts: DC=DomainDnsZones,DC=test,DC=ad
>         namingContexts: DC=ForestDnsZones,DC=test,DC=ad
>         defaultNamingContext: DC=test,DC=ad
>         schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
>         configurationNamingContext: CN=Configuration,DC=test,DC=ad
>         rootDomainNamingContext: DC=test,DC=ad
>         supportedControl: 1.2.840.113556.1.4.319
>         supportedControl: 1.2.840.113556.1.4.801
>         supportedControl: 1.2.840.113556.1.4.473
>         supportedControl: 1.2.840.113556.1.4.528
>         supportedControl: 1.2.840.113556.1.4.417
>         supportedControl: 1.2.840.113556.1.4.619
>         supportedControl: 1.2.840.113556.1.4.841
>         supportedControl: 1.2.840.113556.1.4.529
>         supportedControl: 1.2.840.113556.1.4.805
>         supportedControl: 1.2.840.113556.1.4.521
>         supportedControl: 1.2.840.113556.1.4.970
>         supportedControl: 1.2.840.113556.1.4.1338
>         supportedControl: 1.2.840.113556.1.4.474
>         supportedControl: 1.2.840.113556.1.4.1339
>         supportedControl: 1.2.840.113556.1.4.1340
>         supportedControl: 1.2.840.113556.1.4.1413
>         supportedControl: 2.16.840.1.113730.3.4.9
>         supportedControl: 2.16.840.1.113730.3.4.10
>         supportedControl: 1.2.840.113556.1.4.1504
>         supportedControl: 1.2.840.113556.1.4.1852
>         supportedControl: 1.2.840.113556.1.4.802
>         supportedControl: 1.2.840.113556.1.4.1907
>         supportedControl: 1.2.840.113556.1.4.1948
>         supportedControl: 1.2.840.113556.1.4.1974
>         supportedControl: 1.2.840.113556.1.4.1341
>         supportedControl: 1.2.840.113556.1.4.2026
>         supportedControl: 1.2.840.113556.1.4.2064
>         supportedControl: 1.2.840.113556.1.4.2065
>         supportedLDAPVersion: 3
>         supportedLDAPVersion: 2
>         supportedLDAPPolicies: MaxPoolThreads
>         supportedLDAPPolicies: MaxDatagramRecv
>         supportedLDAPPolicies: MaxReceiveBuffer
>         supportedLDAPPolicies: InitRecvTimeout
>         supportedLDAPPolicies: MaxConnections
>         supportedLDAPPolicies: MaxConnIdleTime
>         supportedLDAPPolicies: MaxPageSize
>         supportedLDAPPolicies: MaxQueryDuration
>         supportedLDAPPolicies: MaxTempTableSize
>         supportedLDAPPolicies: MaxResultSetSize
>         supportedLDAPPolicies: MinResultSets
>         supportedLDAPPolicies: MaxResultSetsPerConn
>         supportedLDAPPolicies: MaxNotificationPerConn
>         supportedLDAPPolicies: MaxValRange
>         highestCommittedUSN: 73772
>         supportedSASLMechanisms: GSSAPI
>         supportedSASLMechanisms: GSS-SPNEGO
>         supportedSASLMechanisms: EXTERNAL
>         supportedSASLMechanisms: DIGEST-MD5
>         dnsHostName: Windows.test.ad
>         ldapServiceName: test.ad:windows$@TEST.AD
>
>         serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>         supportedCapabilities: 1.2.840.113556.1.4.800
>         supportedCapabilities: 1.2.840.113556.1.4.1670
>         supportedCapabilities: 1.2.840.113556.1.4.1791
>         supportedCapabilities: 1.2.840.113556.1.4.1935
>         supportedCapabilities: 1.2.840.113556.1.4.2080
>         isSynchronized: TRUE
>         isGlobalCatalogReady: TRUE
>         domainFunctionality: 4
>         forestFunctionality: 4
>         domainControllerFunctionality: 4
>
>         Then I tried the next step:
>
>         /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
>
>         ldap_simple_bind: Can't contact LDAP server
>                TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
>         Please help me to fix this.....
>
>     This usually means the SSL server's CA cert is not recognized.
>      What does this say:
>     certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>     ?
>
>
>         On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
>            Hi Rich,
>            After I did all the steps, I am getting this error:
>
>            INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
>            INFO:root:Restarted directory server tesipa001.test.com
>            INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
>            INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>            The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
>            Windows PassSync entry exists, not resetting password
>            INFO:root:Added new sync agreement, waiting for it to become ready
>            . . .
>            INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
>            INFO:root:Agreement is ready, starting replication . . .
>            Starting replication, please wait until this has completed.
>            [saprhds001.bmibank.com] reports:
>
>            Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
>            INFO:root:Added agreement for other host windows.test.ad
>
>
>            Please help me to fix this issue.
>            The syntax I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"
>
>            
>            On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                Shan Kumaraswamy wrote:
>
>                    Rich,
>                    While installing IPA it creates its own CA cert, right? (cacert.p12),
>
>                Right.
>
>                    and also I did the step of exporting this CA file as dsca.crt.
>
>                Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.
>
>                    Please let me know the steps to generate the IPA CA and server cert.
>
>                The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.
>
>                    On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                       Shan Kumaraswamy wrote:
>
>
>                           Hi,
>
>                           I have deployed FreeIPA 1.2.1 on RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now it is not working for me and I am facing a lot of challenges to make this happen.
>
>                           Please find the steps I have done so far:
>
>                           1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that they are working fine.
>
>                           2. On the AD side, installed Active Directory Certificate Server as an Enterprise Root.
>
>                           3. Copied the "cacert.p12" file and imported it under Certificates - Service (Active Directory Domain Service) on Local Computer using MMC.
>
>                           4. Installed the PassSync.msi file and gave all the required information.
>
>                           5. Ran the command "certutil -d . -L -n "CA certificate" -a > dsca.crt" on the IPA server, copied the .crt file to the AD server and ran the following commands after "cd "C:\Program Files\Red Hat Directory Password Synchronization"":
>
>                           6. certutil.exe -d . -N
>
>                           7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
>
>                           8. certutil.exe -d . -L -n "DS CA cert", and then rebooted the AD server.
>
>                           After these steps, when I try to create a sync agreement from the IPA server I get this error:
>
>                                    ldap_simple_bind: Can't contact LDAP server
>                                  SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
>                           Please share the steps to configure AD Sync with the IPA server.
>
>                       http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
>                       But it looks as though there is a step missing.  If you use MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.
>
>
>                           -- 
>                           Thanks & Regards
>                           Shan Kumaraswamy
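The whole thread turns on one question: does the IPA directory server's NSS database (the cert8.db under /etc/dirsrv/slapd-XXXX-COM) contain the AD CA certificate, with trust flags that make it a CA for SSL? NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized") is what the TLS client reports when the peer's certificate chains to an issuer that is absent from that database or is present without the "C" SSL trust flag. The script below is an added example for this thread, not code from FreeIPA, 389-ds or NSS: it parses `certutil -d <dir> -L` output and reports whether a given nickname is a trusted SSL CA. The embedded listing is a constructed copy of the one Shan posted, so the script runs offline; pipe real `certutil -L` output into it to check your own database. A passing trust check only shows the entry is usable as an anchor, not that it really is the issuer of the AD server certificate, which is why the next step in the thread is to print the imported cert with `-n "Imported CA"` and compare its subject with the issuer of the domain controller's certificate.

```python
"""Check NSS trust flags in `certutil -L` output for an imported CA.

Added example for the IPA/AD winsync thread; not part of FreeIPA, 389-ds
or NSS.  SAMPLE_LISTING is a constructed copy of the certutil listing
from the thread so that the script runs without a cert database.
"""
import re
import sys
import subprocess
from typing import Dict, NamedTuple


class TrustFlags(NamedTuple):
    ssl: str       # trust letters in the SSL column
    email: str     # S/MIME column
    objsign: str   # JAR/XPI (object signing) column


# Constructed copy of the listing posted in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
"""

# A trust field is three comma-separated groups of NSS trust letters
# (p, P, c, C, T, u, w).  Nicknames may contain spaces, so anchor the
# flags at the end of the line and take everything before them as the name.
_LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, TrustFlags]:
    """Map nickname -> TrustFlags; header and blank lines are skipped."""
    certs: Dict[str, TrustFlags] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ssl, email, objsign = m.group("flags").split(",")
        certs[m.group("nick")] = TrustFlags(ssl, email, objsign)
    return certs


def is_trusted_ssl_ca(flags: TrustFlags) -> bool:
    """True if NSS will accept SSL server certs issued by this entry.

    'C' in the SSL column marks a trusted CA for server certificates.
    'u' alone (as on Server-Cert) means "we hold the private key" and
    does not make the entry a trust anchor for anything.
    """
    return "C" in flags.ssl


def check_issuer_trust(listing: str, nickname: str) -> str:
    """Return 'missing', 'untrusted' or 'trusted-ssl-ca' for a nickname."""
    certs = parse_certutil_listing(listing)
    if nickname not in certs:
        return "missing"
    return "trusted-ssl-ca" if is_trusted_ssl_ca(certs[nickname]) else "untrusted"


def list_database(dbdir: str) -> str:
    """Run the real `certutil -d <dbdir> -L` (same command as in the thread)."""
    return subprocess.run(["certutil", "-d", dbdir, "-L"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: certutil -d /etc/dirsrv/slapd-XXXX-COM -L | python3 check_nss_trust.py "Imported CA"
    # With no piped input the constructed sample listing is used.
    nick = sys.argv[1] if len(sys.argv) > 1 else "Imported CA"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for name, flags in parse_certutil_listing(text).items():
        print(f"{name:40} ssl={flags.ssl or '-'} trusted_ssl_ca={is_trusted_ssl_ca(flags)}")
    print(f"{nick!r}: {check_issuer_trust(text, nick)}")
```

In the posted listing "Imported CA" carries CT,,C, so the trust flags are not the problem; with the flags confirmed, the remaining explanation for -8179 is that the imported certificate is not the CA that actually signed the domain controller's server certificate (for example an intermediate or a different root), which the `-n "Imported CA"` dump will show.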