[Freeipa-users] IPA+AD sync error

Rich Megginson rmeggins at redhat.com
Tue Aug 24 14:16:47 UTC 2010


Shan Kumaraswamy wrote:
>
> Hi Rich,
>
> After export and import CA cert at both AD and IPA box, finally I am 
> getting this error while creating "winsync" agreement:
>
>  
> [root@saprhds001 ~]# ipa-replica-manage add --winsync --binddn "CN=Administrator,CN=Users,DC=test,DC=ad" --bindpw "xxx" --cacert /etc/dirsrv/slapd-XXXX-COM/adca.cer windows.test.ad -v --passsync "xxxxx"
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
>     BMIBANK-COM...                                         [  OK  ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
>     BMIBANK-COM...                                         [  OK  ]
> INFO:root:
> INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXXX-COM/adca.cer to certificate database for saprhds001.xxxx.com
> INFO:root:Restarted directory server saprhds001.xxxx.com
> INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
> INFO:root:The error was: A database error occurred
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=xxxx,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100824120022Z: end: 20100824120022Z
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> INFO:root:Added agreement for other host windows.test.ad
>  
>  
> Please advise to fix this issue.
What issue?  The problem about "Could not validate connection" is normal 
- just ignore that.
>
> On Wed, Aug 18, 2010 at 7:53 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Rich,
>         When I try to open redhat-idm-console using directory server,
>         I am getting this error:
>          The certificate this server present is either untrusted or
>         unknown. The server only communicate through a secure
>         connection involving a certificate. Do you wish to accept this
>         certificate anyway?
>          As per this message even  I say yes to proceed, but fail to
>         open. Please advise.
>
>     The use of the console is not supported with IPA.
>
>     The console keeps its cert database in ~/.redhat-idm-console -
>     unless you have previously installed the CA cert there, the
>     console will prompt you if you want to trust the server.
>
>     I'm not sure why the console will not open, except that the
>     console does not generally work with IPA.  You can use
>     redhat-idm-console -D 9 -f console.log to get detailed trace
>     information from the console.
>
>
>         On Wed, Aug 18, 2010 at 5:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                Sorry, I deleted the copied cert file.... :(
>
>            If you want to get the CA cert out of the certdb and into
>            ascii/pem format:
>            certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a > msadca.crt
>
>            If you want to get the CA cert directly from MS CA:
>            on your AD box, open a web browser
>            go to http://<servername>/certsrv
>            There should be an option there to view or download the CA cert.
>            You want to download it in ascii/pem/base64 format (I think
>            Windows uses the term Base64 encoded cert for PEM).  Then you'll
>            have to copy that file to your IPA box.
>
>
>
>                On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                   Shan Kumaraswamy wrote:
>
>                       Ok sure, I will do the test and can please let me know
>                       command to import AD CA in to dirsrv cert db?
>
>                   It is already in there?  This is the certificate called "Imported
>                   CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer:
>                   "CN=test-WINDOWS-CA,DC=test,DC=ad"
>
>                   Or are you asking because you don't know how it got in there in
>                   the first place, or forgot?
>
>                       On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                          Shan Kumaraswamy wrote:
>
>                              Rich,
>                              Can I know command to trust IPA generated CA cert file?
>
>                          See below
>
>                          So I don't think that is the problem here.  If that were the
>                          problem, I would expect a different error message.  I think
>                          you're just going to have to use something like openssl s_client to
>                          examine the server cert used by AD.
>
>                              On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                 Shan Kumaraswamy wrote:
>
>
>                                     Certificate:
>                                        Data:
>                                            Version: 3 (0x2)
>                                            Serial Number:
>                                                46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
>                                            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                                            Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                                            Validity:
>                                                Not Before: Tue Aug 17 01:39:07 2010
>                                                Not After : Mon Aug 17 01:49:05 2015
>                                            Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                                            Subject Public Key Info:
>                                                Public Key Algorithm: PKCS #1 RSA Encryption
>                                                RSA Public Key:
>                                                    Modulus:
>                                                    Exponent: 65537 (0x10001)
>                                            Signed Extensions:
>                                                Name: Microsoft Enrollment Cert Type Extension
>                                                Data: "CA"
>
>                                                Name: Certificate Key Usage
>                                                Critical: True
>                                                Usages: Digital Signature
>                                                        Certificate Signing
>                                                        CRL Signing
>
>                                                Name: Certificate Basic Constraints
>                                                Critical: True
>                                                Data: Is a CA with no maximum path length.
>
>                                                Name: Certificate Subject Key ID
>                                                Data:
>                                                    a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
>                                                    e6:fb:3a:6d
>
>                                                Name: Microsoft CertServ CA version
>                                                Data: 0 (0x0)
>
>                                        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                                        Signature:
>                                        Fingerprint (MD5):
>                                            4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
>                                        Fingerprint (SHA1):
>                                            84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
>
>                                        Certificate Trust Flags:
>                                            SSL Flags:
>                                                Valid CA
>                                                Trusted CA
>                                                Trusted Client CA
>                                            Email Flags:
>                                            Object Signing Flags:
>                                                Valid CA
>                                                Trusted CA
>
>                                 This looks ok.  So is it possible the AD server cert was not
>                                 issued by this CA?  I suppose you could use an SSL test program
>                                 like /usr/bin/ssltap
>                                 or openssl s_client like this:
>                                 openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc
>
>                                 You can also add -verify 3 and -showcerts and -debug
>                                 see "man s_client" for more information
>
>
>
>
>                                     On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
>                                        done, and it came the output also, can plz let me
>                                        know the next step.
>
>
>                                        On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                            Shan Kumaraswamy wrote:
>
>                                                Rich,
>                                                Please find the below output of the command:
>                                                [root@saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>                                                Certificate Nickname                         Trust Attributes
>                                                                                             SSL,S/MIME,JAR/XPI
>                                                Imported CA                                  CT,,C
>                                                CA certificate                               CTu,u,Cu
>
>                          The CT means the CA is trusted for SSL client and server certs.
>                          certutil -H
>                          ...
>                              trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
>                          ...
>                              c      valid CA
>                              T      trusted CA to issue client certs (implies c)
>                              C      trusted CA to issue server certs (implies c)
>
>                                                Server-Cert                                  u,u,u
>
>                                            I'm assuming "Imported CA" is the MS AD CA.  Do this:
>                                            certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
>
>                                                On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                                   Shan Kumaraswamy wrote:
>
>                                                       After this error, I have tried your following steps:
>                                                       /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"
>
>                                                       Then I got output like this:
>                                                       version: 1
>                                                       dn:
>                                                       currentTime: 20100817220245.0Z
>                                                       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                       dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                                       namingContexts: DC=test,DC=ad
>                                                       namingContexts: CN=Configuration,DC=test,DC=ad
>                                                       namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                       namingContexts: DC=DomainDnsZones,DC=test,DC=ad
>                                                       namingContexts: DC=ForestDnsZones,DC=test,DC=ad
>                                                       defaultNamingContext: DC=test,DC=ad
>                                                       schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                       configurationNamingContext: CN=Configuration,DC=test,DC=ad
>                                                       rootDomainNamingContext: DC=test,DC=ad
>                                                       supportedControl: 1.2.840.113556.1.4.319
>                                                       supportedControl: 1.2.840.113556.1.4.801
>                                                       supportedControl: 1.2.840.113556.1.4.473
>                                                       supportedControl: 1.2.840.113556.1.4.528
>                                                       supportedControl: 1.2.840.113556.1.4.417
>                                                       supportedControl: 1.2.840.113556.1.4.619
>                                                       supportedControl: 1.2.840.113556.1.4.841
>                                                       supportedControl: 1.2.840.113556.1.4.529
>                                                       supportedControl: 1.2.840.113556.1.4.805
>                                                       supportedControl: 1.2.840.113556.1.4.521
>                                                       supportedControl: 1.2.840.113556.1.4.970
>                                                       supportedControl: 1.2.840.113556.1.4.1338
>                                                       supportedControl: 1.2.840.113556.1.4.474
>                                                       supportedControl: 1.2.840.113556.1.4.1339
>                                                       supportedControl: 1.2.840.113556.1.4.1340
>                                                       supportedControl: 1.2.840.113556.1.4.1413
>                                                       supportedControl: 2.16.840.1.113730.3.4.9
>                                                       supportedControl: 2.16.840.1.113730.3.4.10
>                                                       supportedControl: 1.2.840.113556.1.4.1504
>                                                       supportedControl: 1.2.840.113556.1.4.1852
>                                                       supportedControl: 1.2.840.113556.1.4.802
>                                                       supportedControl: 1.2.840.113556.1.4.1907
>                                                       supportedControl: 1.2.840.113556.1.4.1948
>                                                       supportedControl: 1.2.840.113556.1.4.1974
>                                                       supportedControl: 1.2.840.113556.1.4.1341
>                                                       supportedControl: 1.2.840.113556.1.4.2026
>                                                       supportedControl: 1.2.840.113556.1.4.2064
>                                                       supportedControl: 1.2.840.113556.1.4.2065
>                                                       supportedLDAPVersion: 3
>                                                       supportedLDAPVersion: 2
>                                                       supportedLDAPPolicies: MaxPoolThreads
>                                                       supportedLDAPPolicies: MaxDatagramRecv
>                                                       supportedLDAPPolicies: MaxReceiveBuffer
>                                                       supportedLDAPPolicies: InitRecvTimeout
>                                                       supportedLDAPPolicies: MaxConnections
>                                                       supportedLDAPPolicies: MaxConnIdleTime
>                                                       supportedLDAPPolicies: MaxPageSize
>                                                       supportedLDAPPolicies: MaxQueryDuration
>                                                       supportedLDAPPolicies: MaxTempTableSize
>                                                       supportedLDAPPolicies: MaxResultSetSize
>                                                       supportedLDAPPolicies: MinResultSets
>                                                       supportedLDAPPolicies: MaxResultSetsPerConn
>                                                       supportedLDAPPolicies: MaxNotificationPerConn
>                                                       supportedLDAPPolicies: MaxValRange
>                                                       highestCommittedUSN: 73772
>                                                       supportedSASLMechanisms: GSSAPI
>                                                       supportedSASLMechanisms: GSS-SPNEGO
>                                                       supportedSASLMechanisms: EXTERNAL
>                                                       supportedSASLMechanisms: DIGEST-MD5
>                                                       dnsHostName: Windows.test.ad
>                                                       ldapServiceName: test.ad:windows$@TEST.AD
>                                                       serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                                       supportedCapabilities: 1.2.840.113556.1.4.800
>                                                       supportedCapabilities: 1.2.840.113556.1.4.1670
>                                                       supportedCapabilities: 1.2.840.113556.1.4.1791
>                                                       supportedCapabilities: 1.2.840.113556.1.4.1935
>                                                       supportedCapabilities: 1.2.840.113556.1.4.2080
>                                                       isSynchronized: TRUE
>                                                       isGlobalCatalogReady: TRUE
>                                                       domainFunctionality: 4
>                                                       forestFunctionality: 4
>                                                       domainControllerFunctionality: 4
>
>                                                       Then I tried next step:
>                                                       /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
>
>                                                       ldap_simple_bind: Can't contact LDAP server
>                                                       TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
>                                                       Please help me to fix this.....
>
>                                                   This usually means the SSL server's CA cert is not recognized.
>                                                   What does this say:
>                                                   certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>                                                   ?
>
>
>                                                        On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
>                                                          Hi Rich,
>                                                          After I did
>         all the
>                steps, I am
>                              getting
>                                     this error:
>                                                                      
>             INFO:root:Added CA
>                              certificate
>                                                                      
>                 /etc/dirsrv/slapd-XXXX-COM/adcert.cer to
>                                     certificate
>                                                       database for
>                                                        
>          tesipa001.test.com <http://tesipa001.test.com/>
>                <http://tesipa001.test.com/>
>                       <http://tesipa001.test.com/>
>                              <http://tesipa001.test.com/>
>                                     <http://tesipa001.test.com/>
>                       <http://tesipa001.test.com/>
>                                              
>          <http://tesipa001.test.com/>
>                                                            
>          <http://tesipa001.test.com/>
>
>                                                        
> INFO:root:Restarted directory server tesipa001.test.com
> INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [saprhds001.bmibank.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
> INFO:root:Added agreement for other host windows.test.ad
>
> Please help me to fix this issue.
> The syntax I used:
> ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"
>
> On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Rich,
>         While installing IPA, it creates its own CA cert, right? (cacert.p12),
>
>     Right.
>
>         and also I have done the step of exporting this CA file as dsca.crt.
>
>     Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.
>
>         Please let me know the steps to generate the IPA CA and server cert?
>
>     The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.
>
>         On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>
>                                                            
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>         <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>
>                                              
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>
>                                              
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>
>                                                            
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>         <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>
>                                              
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                     <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>>>>>
>
> wrote:
>
> Shan Kumaraswamy wrote:
>
> > Hi,
> >
> > I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with
> > Active Directory (Windows 2008 R2). Can anyone please share a
> > step-by-step configuration doc with me?
> > Previously I have done the same exercise, but now that is not working
> > for me and I am facing a lot of challenges to make this happen.
> >
> > Please find the steps I have done so far:
> >
> > 1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and
> >    tested that it's working fine
> >
> > 2. On the AD side, installed Active Directory Certificate Server as an
> >    Enterprise Root
> >
> > 3. Copied the “cacert.p12” file and imported it under Certificates
> >    – Service (Active Directory Domain service) on Local Computer
> >    using MMC.
> >
> > 4. Installed the PasSync.msi file and gave all the required information
> >
> > 5. Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt”
> >    from the IPA server, copied the .crt file to the AD server and ran
> >    these commands from “cd "C:\Program Files\Red Hat Directory Password
> >    Synchronization"”
> >
> > 6. certutil.exe -d . -N
> >
> > 7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
> >
> > 8. certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.
> >
> > After these steps, when I try to create the sync agreement from the IPA
> > server I am getting this error:
> >
> > ldap_simple_bind: Can't contact LDAP server
> >
> > SSL error -8179 (Peer's Certificate issuer is not recognized.)
> >
> > Please share the steps to configure AD Sync with IPA server.
>
> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
> But it looks as though there is a step missing. If you use MS AD CA to
> generate the AD cert, and use IPA to generate the IPA CA and server
> cert, then you have to import the MS AD CA cert into IPA.
>
> --
> Thanks & Regards
> Shan Kumaraswamy
> -- 
> Thanks & Regards
> Shan Kumaraswamy
>
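The quoted thread traces SSL error -8179 to the AD CA certificate not being trusted on the IPA side. The following is an added example, not part of the original thread: it parses an NSS certificate listing and reports whether a CA nickname carries the `C` trust flag in the SSL field, the flag that step 7's `-t CT,,` sets. The sample listing is constructed, the nicknames "AD CA cert" and "MS AD CA" are hypothetical, and the database path in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: check CA trust flags in an NSS certificate database listing.

# Constructed sample of `certutil -d <dbdir> -L` output. "CA certificate" and
# "Server-Cert" style nicknames are typical; "AD CA cert" is hypothetical.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
AD CA cert                                                   ,,
'

# ssl_trust_flags LISTING NICKNAME
# Prints the SSL trust field (first of the three comma-separated fields) for
# NICKNAME. Exit status 1 if the nickname is not in the listing.
ssl_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF                              # last column: trust attributes
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
            sub(/^[ \t]+/, "", name)                 # nicknames may contain spaces
            if (name == nick) {
                split(flags, f, ",")
                print f[1]
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# ca_trusts_server_certs LISTING NICKNAME
# 0: CA is trusted to issue SSL server certificates (flag "C")
# 1: certificate is present but lacks that trust
# 2: nickname is not in the database
ca_trusts_server_certs() {
    flags=$(ssl_trust_flags "$1" "$2") || return 2
    case $flags in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_db DBDIR NICKNAME: same check against a real database, for example
# check_db /etc/dirsrv/slapd-INSTANCE "AD CA cert"   (INSTANCE is a placeholder)
check_db() {
    ca_trusts_server_certs "$(certutil -d "$1" -L)" "$2"
}

# Report on the constructed sample.
for nick in "CA certificate" "AD CA cert" "MS AD CA"; do
    rc=0
    ca_trusts_server_certs "$SAMPLE_LISTING" "$nick" || rc=$?
    case $rc in
        0) echo "$nick: trusted to issue server certificates" ;;
        1) echo "$nick: present, but not trusted for SSL; peer certs it issued will not validate" ;;
        2) echo "$nick: not in the database; its issuer is unknown to NSS" ;;
    esac
done
```
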



