[Freeipa-users] IPA+AD sync error

Rich Megginson rmeggins at redhat.com
Wed Aug 18 14:28:03 UTC 2010


Shan Kumaraswamy wrote:
> Sorry, I deleted the copied cert file.... :(
If you want to get the CA cert out of the certdb and into ascii/pem format:
certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a > msadca.crt

If you want to get the CA cert directly from MS CA:
on your AD box, open a web browser
go to http://<servername>/certsrv
There should be an option there to view or download the CA cert.  You 
want to download it in ascii/pem/base64 format (I think Windows uses the 
term Base64 encoded cert for PEM).  Then you'll have to copy that file 
to your IPA box.
>
>
>  
> On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Ok sure, I will do the test. Can you please let me know the command
>         to import the AD CA into the dirsrv cert db?
>
>     It is already in there?  This is the certificate called "Imported
>     CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer:
>     "CN=test-WINDOWS-CA,DC=test,DC=ad"
>
>     Or are you asking because you don't know how it got in there in
>     the first place, or forgot?
>
>          
>
>          On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson
>         <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                Rich,
>                Can I know the command to trust the IPA generated CA cert file?
>
>            See below
>
>            So I don't think that is the problem here.  If that were the
>            problem, I would expect a different error message.  I think you're
>            just going to have to use something like openssl s_client to
>            examine the server cert used by AD.
>
>                
>                 On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson
>                <rmeggins at redhat.com> wrote:
>
>                   Shan Kumaraswamy wrote:
>
>
>                       Certificate:
>                          Data:
>                              Version: 3 (0x2)
>                              Serial Number:
>                                  46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
>                              Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                              Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                              Validity:
>                                  Not Before: Tue Aug 17 01:39:07 2010
>                                  Not After : Mon Aug 17 01:49:05 2015
>                              Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                              Subject Public Key Info:
>                                  Public Key Algorithm: PKCS #1 RSA Encryption
>                                  RSA Public Key:
>                                      Modulus:
>                                          a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
>                                          e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
>                                          f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
>                                          0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
>                                          84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
>                                          e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
>                                          f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
>                                          58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
>                                          00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
>                                          f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
>                                          ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
>                                          2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
>                                          57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
>                                          cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
>                                          c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
>                                          40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
>                                      Exponent: 65537 (0x10001)
>                              Signed Extensions:
>                                  Name: Microsoft Enrollment Cert Type Extension
>                                  Data: "CA"
>
>                                  Name: Certificate Key Usage
>                                  Critical: True
>                                  Usages: Digital Signature
>                                          Certificate Signing
>                                          CRL Signing
>
>                                  Name: Certificate Basic Constraints
>                                  Critical: True
>                                  Data: Is a CA with no maximum path length.
>
>                                  Name: Certificate Subject Key ID
>                                  Data:
>                                      a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
>                                      e6:fb:3a:6d
>
>                                  Name: Microsoft CertServ CA version
>                                  Data: 0 (0x0)
>
>                          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                          Signature:
>                              02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
>                              35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
>                              c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
>                              bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
>                              ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
>                              e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
>                              e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
>                              cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
>                              4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
>                              10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
>                              da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
>                              e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
>                              18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
>                              81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
>                              dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
>                              2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
>                          Fingerprint (MD5):
>                              4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
>                          Fingerprint (SHA1):
>                              84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
>
>                          Certificate Trust Flags:
>                              SSL Flags:
>                                  Valid CA
>                                  Trusted CA
>                                  Trusted Client CA
>                              Email Flags:
>                              Object Signing Flags:
>                                  Valid CA
>                                  Trusted CA
>
>                   This looks ok.  So is it possible the AD server cert was not
>                   issued by this CA?  I suppose you could use an SSL test program
>                   like /usr/bin/ssltap or openssl s_client like this:
>                   openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc
>
>                   You can also add -verify 3 and -showcerts and -debug
>                   see "man s_client" for more information
>
>
>
>
>                       On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy
>                       <shan.sysadm at gmail.com> wrote:
>
>                          Done, and it gave the output also; can you please let me
>                       know the next step.
>
>
>                          On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson
>                          <rmeggins at redhat.com> wrote:
>
>                              Shan Kumaraswamy wrote:
>
>                                  Rich,
>                                  Please find the below output of the command:
>                                   [root at saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>                                  Certificate Nickname                    Trust Attributes
>                                                                          SSL,S/MIME,JAR/XPI
>                                  Imported CA                             CT,,C
>                                  CA certificate                          CTu,u,Cu
>
>            The CT means the CA is trusted for SSL client and server certs.
>            certutil -H
>            ...
>                    trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
>            ...
>                    c      valid CA
>                    T      trusted CA to issue client certs (implies c)
>                    C      trusted CA to issue server certs (implies c)
>
>                                  Server-Cert                             u,u,u
>
>                              I'm assuming "Imported CA" is the MS AD CA.  Do this:
>                              certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
>
>                                  On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson
>                                  <rmeggins at redhat.com> wrote:
>
>                                     Shan Kumaraswamy wrote:
>
>                                         After this error, I have tried the
>                                         following steps:
>                                          /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D
>                                          "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx"
>                                          -s base -b "" "objectclass=*"
>
>                                          Then I got output like this:
>                                         version: 1
>                                         dn:
>                                         currentTime: 20100817220245.0Z
>                                         subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
>                                         dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                         namingContexts: DC=test,DC=ad
>                                         namingContexts: CN=Configuration,DC=test,DC=ad
>                                         namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                         namingContexts: DC=DomainDnsZones,DC=test,DC=ad
>                                         namingContexts: DC=ForestDnsZones,DC=test,DC=ad
>                                         defaultNamingContext: DC=test,DC=ad
>                                         schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                         configurationNamingContext: CN=Configuration,DC=test,DC=ad
>                                         rootDomainNamingContext: DC=test,DC=ad
>                                         supportedControl: 1.2.840.113556.1.4.319
>                                         supportedControl: 1.2.840.113556.1.4.801
>                                         supportedControl: 1.2.840.113556.1.4.473
>                                         supportedControl: 1.2.840.113556.1.4.528
>                                         supportedControl: 1.2.840.113556.1.4.417
>                                         supportedControl: 1.2.840.113556.1.4.619
>                                         supportedControl: 1.2.840.113556.1.4.841
>                                         supportedControl: 1.2.840.113556.1.4.529
>                                         supportedControl: 1.2.840.113556.1.4.805
>                                         supportedControl: 1.2.840.113556.1.4.521
>                                         supportedControl: 1.2.840.113556.1.4.970
>                                         supportedControl: 1.2.840.113556.1.4.1338
>                                         supportedControl: 1.2.840.113556.1.4.474
>                                         supportedControl: 1.2.840.113556.1.4.1339
>                                         supportedControl: 1.2.840.113556.1.4.1340
>                                         supportedControl: 1.2.840.113556.1.4.1413
>                                         supportedControl: 2.16.840.1.113730.3.4.9
>                                         supportedControl: 2.16.840.1.113730.3.4.10
>                                         supportedControl: 1.2.840.113556.1.4.1504
>                                         supportedControl: 1.2.840.113556.1.4.1852
>                                         supportedControl: 1.2.840.113556.1.4.802
>                                         supportedControl: 1.2.840.113556.1.4.1907
>                                         supportedControl: 1.2.840.113556.1.4.1948
>                                         supportedControl: 1.2.840.113556.1.4.1974
>                                         supportedControl: 1.2.840.113556.1.4.1341
>                                         supportedControl: 1.2.840.113556.1.4.2026
>                                         supportedControl: 1.2.840.113556.1.4.2064
>                                         supportedControl: 1.2.840.113556.1.4.2065
>                                         supportedLDAPVersion: 3
>                                         supportedLDAPVersion: 2
>                                         supportedLDAPPolicies: MaxPoolThreads
>                                         supportedLDAPPolicies: MaxDatagramRecv
>                                         supportedLDAPPolicies: MaxReceiveBuffer
>                                         supportedLDAPPolicies: InitRecvTimeout
>                                         supportedLDAPPolicies: MaxConnections
>                                         supportedLDAPPolicies: MaxConnIdleTime
>                                         supportedLDAPPolicies: MaxPageSize
>                                         supportedLDAPPolicies: MaxQueryDuration
>                                         supportedLDAPPolicies: MaxTempTableSize
>                                         supportedLDAPPolicies: MaxResultSetSize
>                                         supportedLDAPPolicies: MinResultSets
>                                         supportedLDAPPolicies: MaxResultSetsPerConn
>                                         supportedLDAPPolicies: MaxNotificationPerConn
>                                         supportedLDAPPolicies: MaxValRange
>                                         highestCommittedUSN: 73772
>                                         supportedSASLMechanisms: GSSAPI
>                                         supportedSASLMechanisms: GSS-SPNEGO
>                                         supportedSASLMechanisms: EXTERNAL
>                                         supportedSASLMechanisms: DIGEST-MD5
>                                         dnsHostName: Windows.test.ad
>                                         ldapServiceName: test.ad:windows$@TEST.AD
>                                         serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                         supportedCapabilities: 1.2.840.113556.1.4.800
>                                         supportedCapabilities: 1.2.840.113556.1.4.1670
>                                         supportedCapabilities: 1.2.840.113556.1.4.1791
>                                         supportedCapabilities: 1.2.840.113556.1.4.1935
>                                         supportedCapabilities: 1.2.840.113556.1.4.2080
>                                         isSynchronized: TRUE
>                                         isGlobalCatalogReady: TRUE
>                                         domainFunctionality: 4
>                                         forestFunctionality: 4
>                                         domainControllerFunctionality: 4
>
>                                         Then I tried the next step:
>                                          /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D
>                                          "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base
>                                         -b "" "objectclass=*"
>
>                                         ldap_simple_bind: Can't contact LDAP server
>                                                TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
>                                          Please help me to fix this.....
>
>                                     This usually means the SSL server's CA cert is not recognized.
>                                      What does this say:
>                                     certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>                                     ?
>
>
>                                          On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy
>                                         <shan.sysadm at gmail.com> wrote:
>
>                                            Hi Rich,
>                                            After I did all the steps, I am getting this error:
>                                            INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
>                                            INFO:root:Restarted directory server tesipa001.test.com
>                                            INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
>                                            INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>                                            The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
>                                            Windows PassSync entry exists, not resetting password
>                                            INFO:root:Added new sync agreement, waiting for it to become ready
>                                            . . .
>                                            INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
>                                            INFO:root:Agreement is ready, starting replication . . .
>                                            Starting replication, please wait until this has completed.
>                                            [saprhds001.bmibank.com] reports:
>
>                                            Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
>                                            INFO:root:Added agreement for other host windows.test.ad
>
>
>                                            Please help me to fix this issue.
>                                                 The syntax I used:
>                       ipa-replica-manage add --winsync
>                                         --binddn
>                                                  
>         CN=Administrator,CN=Users,DC=test,DC=com
>                                  --bindpw "password"
>                                            --cacert
>                       /etc/dirsrv/slapd-TEST-COM/adcert.cer
>                                         windows.test.ad
>         <http://windows.test.ad/>
>                <http://windows.test.ad/> <http://windows.test.ad/>
>                       <http://windows.test.ad/>
>                                  <http://windows.test.ad/>
>                                            <http://windows.test.ad/> -v
>                --passsync
>                       "password"
>
>                                                            On Mon, Aug 16,
>                2010 at
>                       6:06 PM,
>                                  Rich Megginson
>                                            <rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>
>                                         <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>> wrote:
>
>                                                Shan Kumaraswamy wrote:
>
>                                                    Rich,
>                                                     While installing
>         IPA its
>                creates its
>                                  won CA cert
>                                         right?
>                                                    (cacert.p12),
>
>                                                Right.
>
>                                                    and also I done the
>         setep of
>                       export this
>                                  CA file as
>                                         dsca.crt.
>
>                                                Right.  You have to do
>         that so
>                that
>                       AD can
>                                  be an SSL
>                                         client to
>                                                the IPA SSL server.
>
>                                                    Please let me know
>         steps to
>                       generate the
>                                  IPA CA and
>                                         server
>                                                    cert?
>
>                                                The other part is that
>         you have to
>                       install
>                                  the AD CA
>                                         cert in
>                                                IPA so that IPA can be
>         the SSL
>                client
>                       to the
>                                  AD SSL server.
>
>                                                                        On
>                Mon, Aug
>                       16, 2010
>                                  at 5:41 PM, Rich Megginson
>                                                  
>          <rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>
>                                         <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>
>                                                          
>         <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>         <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>
>                                         <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>
>                                         <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                                  <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>>>
>
>                                                    wrote:
>
>                                                       Shan Kumaraswamy
>         wrote:
>
>
>                                                           Hi,
>
>                                                           I have
>         deployed FreeIPA
>                       1.2.1 in
>                                  RHEL 5.5 and I
>                                                    want to sync
>                                                           with Active
>                Directory (windows
>                                  2008 R2). Can
>                                         please
>                                                    anyone
>                                                           have
>         step-by-step
>                       configuration
>                                  doc and
>                                         share to me?
>                                                           Previously I
>         have
>                done the
>                       same
>                                  exercise,
>                                         but now
>                                                    that is not
>                                                           working for
>         me and I am
>                       facing lot of
>                                         challenges to
>                                                    make this
>                                                           happen.
>
>                                                           Please find the
>                steps what
>                                  exactly I done so
>                                         for:
>
>                                                           1.      
>         Installed RHDS
>                       8.1 and
>                                  FreeIPA
>                                         1.2.1 and
>                                                    configured
>                                                           properly and
>         tested its
>                       working fine
>
>                                                           2.       In AD
>                side, installed
>                                  Active Directory
>                                                    certificate
>                                                           Server as a
>                Enterprise Root
>
>                                                           3.      
>         Copy the
>                “cacert.p12”
>                                  file and
>                                         imported under
>                                                           Certificates
>                –Service (Active
>                                  Directory Domain
>                                                    service) on
>                                                           Local Computer
>                using MMC.
>
>                                                           4.      
>         Installed
>                PasSync.msi
>                                  file and
>                                         given all
>                                                    the required
>                                                           information
>
>                                                           5.       Run the
>                command
>                                  “certutil -d . -L
>                                         -n "CA
>                                                    certificate"
>                                                           -a >
>         dsca.crt” from
>                IPA server
>                                  and copied
>                                         the .crt
>                                                    file in to
>                                                           AD server
>         and ran
>                this command
>                                  from “cd
>                                         "C:\Program
>                                                    Files\Red
>                                                           Hat
>         Directory Password
>                                  Synchronization"
>
>                                                           6.          
>            certutil.exe -d . -N
>
>                                                           7.          
>            certutil.exe -d .
>                       -A -n
>                                  "DS CA cert" -t
>                                                    CT,, -a -i
>                                                          
>         \path\to\dsca.crt
>
>                                                           8.          
>            certutil.exe -d .
>                       -L -n
>                                  "DS CA
>                                         cert" and
>                                                    rebooted the
>                                                           AD server.
>
>                                                           After this
>         steps,
>                when try to
>                                  create sync
>                                         agreement
>                                                    from IPA
>                                                           server I am
>         getting
>                 this
>                       error:
>
>                                                                      
>             ldap_simple_bind:
>                       Can't
>                                  contact
>                                         LDAP server
>
>                                                                  SSL error
>                -8179 (Peer's
>                                  Certificate
>                                         issuer
>                                                    is not
>                                                           recognized.)
>
>                                                           Please share the
>                steps to
>                                  configure AD Sync with
>                                                    IPA server.
>
>                                                                      
>                                          
>         http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
>                                                       But it looks as
>         though
>                there is a
>                                  step missing.
>                                          If you
>                                                    use MS AD
>                                                       CA to generate
>         the AD cert,
>                       and use
>                                  IPA to
>                                         generate the
>                                                    IPA CA and
>                                                       server cert,
>         then you
>                have to
>                       import
>                                  the MS AD
>                                         CA cert
>                                                    into IPA.
>
>
>                                                                      
>                                        --                          
>         Thanks & Regards
>                                                           Shan Kumaraswamy
>
>
>
>
>
>                                                    --             Thanks &
>                Regards
>                                                    Shan Kumaraswamy
>
>
>
>
>
>                                            --     Thanks & Regards
>                                            Shan Kumaraswamy
>
>
>
>
>                                         --         Thanks & Regards
>                                         Shan Kumaraswamy
>
>
>
>
>
>                                  --             Thanks & Regards
>                                  Shan Kumaraswamy
>
>
>
>
>
>                          --     Thanks & Regards
>                          Shan Kumaraswamy
>
>
>
>
>                       --         Thanks & Regards
>                       Shan Kumaraswamy
>
>
>
>
>
>                --         Thanks & Regards
>                Shan Kumaraswamy
>
>
>
>
>
>         -- 
>         Thanks & Regards
>         Shan Kumaraswamy
>
>
>
>
>
> -- 
> Thanks & Regards
> Shan Kumaraswamy
>




More information about the Freeipa-users mailing list