[Freeipa-users] IPA+AD sync error
Rich Megginson
rmeggins at redhat.com
Wed Aug 25 16:46:35 UTC 2010
Shan Kumaraswamy wrote:
> I can't find any AD users on the IPA box
Note that IPA winsync will only send new users from AD to IPA - it will
not add new IPA users to AD.
Try enabling the replication log level -
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> On Tue, Aug 24, 2010 at 5:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
>
> Hi Rich,
>
> After exporting and importing the CA cert on both the AD and IPA boxes, I am finally getting this error while creating the "winsync" agreement:
>
> [root at saprhds001 ~]# ipa-replica-manage add --winsync --binddn "CN=Administrator,CN=Users,DC=test,DC=ad" --bindpw "xxx" --cacert /etc/dirsrv/slapd-XXXX-COM/adca.cer windows.test.ad -v --passsync "xxxxx"
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
> BMIBANK-COM... [ OK ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
> BMIBANK-COM... [ OK ]
> INFO:root:
> INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXXX-COM/adca.cer to certificate database for saprhds001.xxxx.com
> INFO:root:Restarted directory server saprhds001.xxxx.com
> INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
> INFO:root:The error was: A database error occurred
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=xxxx,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become
> ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100824120022Z: end: 20100824120022Z
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> INFO:root:Added agreement for other host windows.test.ad
> Please advise on how to fix this issue.
>
> What issue? The problem about "Could not validate connection" is
> normal - just ignore that.
>
>
>
> On Wed, Aug 18, 2010 at 7:53 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> When I try to open redhat-idm-console using directory server, I am getting this error:
> The certificate this server presents is either untrusted or unknown. The server only communicates through a secure connection involving a certificate. Do you wish to accept this certificate anyway?
> As per this message, even when I say yes to proceed, it fails to open. Please advise.
>
> The use of the console is not supported with IPA.
>
> The console keeps its cert database in ~/.redhat-idm-console -
> unless you have previously installed the CA cert there, the
> console will prompt you if you want to trust the server.
>
> I'm not sure why the console will not open, except that the
> console does not generally work with IPA. You can use
> redhat-idm-console -D 9 -f console.log to get detailed trace
> information from the console.
>
>
> On Wed, Aug 18, 2010 at 5:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Sorry, I deleted the copied cert file.... :(
>
> If you want to get the CA cert out of the certdb and into ascii/pem format:
> certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a > msadca.crt
>
> If you want to get the CA cert directly from MS CA:
> on your AD box, open a web browser
> go to http://<servername>/certsrv
> There should be an option there to view or download the CA cert.
> You want to download it in ascii/pem/base64 format (I think Windows uses the term Base64 encoded cert for PEM). Then you'll have to copy that file to your IPA box.
>
>
>
> On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> OK sure, I will do the test. Can you please let me know the command to import the AD CA into the dirsrv cert db?
>
> It is already in there? This is the certificate called "Imported CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>
> Or are you asking because you don't know how it got in there in the first place, or forgot?
>
> On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> Can I know the command to trust the IPA generated CA cert file?
>
> See below
>
> So I don't think that is the problem here. If that were the problem, I would expect a different error message. I think you're just going to have to use something like openssl s_client to examine the server cert used by AD.
>
> On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>         Validity:
>             Not Before: Tue Aug 17 01:39:07 2010
>             Not After : Mon Aug 17 01:49:05 2015
>         Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
>                     e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
>                     f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
>                     0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
>                     84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
>                     e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
>                     f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
>                     58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
>                     00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
>                     f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
>                     ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
>                     2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
>                     57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
>                     cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
>                     c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
>                     40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
>                 Exponent: 65537 (0x10001)
>         Signed Extensions:
>             Name: Microsoft Enrollment Cert Type Extension
>             Data: "CA"
>
>             Name: Certificate Key Usage
>             Critical: True
>             Usages: Digital Signature
>                     Certificate Signing
>                     CRL Signing
>
>             Name: Certificate Basic Constraints
>             Critical: True
>             Data: Is a CA with no maximum path length.
>
>             Name: Certificate Subject Key ID
>             Data:
>                 a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
>                 e6:fb:3a:6d
>
>             Name: Microsoft CertServ CA version
>             Data: 0 (0x0)
>
>     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>     Signature:
>         02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
>         35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
>         c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
>         bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
>         ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
>         e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
>         e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
>         cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
>         4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
>         10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
>         da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
>         e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
>         18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
>         81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
>         dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
>         2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
>     Fingerprint (MD5):
>         4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
>     Fingerprint (SHA1):
>         84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
>
>     Certificate Trust Flags:
>         SSL Flags:
>             Valid CA
>             Trusted CA
>             Trusted Client CA
>         Email Flags:
>         Object Signing Flags:
>             Valid CA
>             Trusted CA
> This looks ok. So is it possible the AD server cert was not issued by this CA? I suppose you could use an SSL test program like /usr/bin/ssltap or openssl s_client like this:
> openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc
>
> You can also add -verify 3 and -showcerts and -debug
> see "man s_client" for more information
>
>
>
>
> On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
> Done, and the output came too. Can you please let me know the next step?
>
>
> On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> Please find below the output of the command:
>
> [root at saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Imported CA                                                  CT,,C
> CA certificate                                               CTu,u,Cu
>
> The CT means the CA is trusted for SSL client and server certs.
> certutil -H
> ...
>    trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
> ...
>        c    valid CA
>        T    trusted CA to issue client certs (implies c)
>        C    trusted CA to issue server certs (implies c)
>
> Server-Cert                                                  u,u,u
>
> I'm assuming "Imported CA" is the MS AD CA. Do this:
> certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
>
> On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> After this error, I tried the following steps:
>
> /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"
>
> Then I got output like this:
>
> version: 1
> dn:
> currentTime: 20100817220245.0Z
> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
> dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
> namingContexts: DC=test,DC=ad
> namingContexts: CN=Configuration,DC=test,DC=ad
> namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
> namingContexts: DC=DomainDnsZones,DC=test,DC=ad
> namingContexts: DC=ForestDnsZones,DC=test,DC=ad
> defaultNamingContext: DC=test,DC=ad
> schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
> configurationNamingContext: CN=Configuration,DC=test,DC=ad
> rootDomainNamingContext: DC=test,DC=ad
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.528
> supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.619
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.521
> supportedControl: 1.2.840.113556.1.4.970
> supportedControl: 1.2.840.113556.1.4.1338
> supportedControl: 1.2.840.113556.1.4.474
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.1340
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.10
> supportedControl: 1.2.840.113556.1.4.1504
> supportedControl: 1.2.840.113556.1.4.1852
> supportedControl: 1.2.840.113556.1.4.802
> supportedControl: 1.2.840.113556.1.4.1907
> supportedControl: 1.2.840.113556.1.4.1948
> supportedControl: 1.2.840.113556.1.4.1974
> supportedControl: 1.2.840.113556.1.4.1341
> supportedControl: 1.2.840.113556.1.4.2026
> supportedControl: 1.2.840.113556.1.4.2064
> supportedControl: 1.2.840.113556.1.4.2065
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
> supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MinResultSets
> supportedLDAPPolicies: MaxResultSetsPerConn
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> highestCommittedUSN: 73772
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> dnsHostName: Windows.test.ad
> ldapServiceName: test.ad:windows$@TEST.AD
> serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> supportedCapabilities: 1.2.840.113556.1.4.1935
> supportedCapabilities: 1.2.840.113556.1.4.2080
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 4
> forestFunctionality: 4
> domainControllerFunctionality: 4
>
> Then I tried the next step:
>
> /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
>
>
> ldap_simple_bind: Can't contact LDAP server
> TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
> Please help me to fix this.....
>
> This usually means the SSL server's CA cert is not recognized. What does this say:
> certutil -d /etc/dirsrv/slapd-XXXX-COM -L
> ?
>
>
> On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sysadm at gmail.com>
>
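As an added example, not part of the thread, here is a small shell check for what the `certutil -d /etc/dirsrv/slapd-XXXX-COM -L` listing Rich asks for has to show: the AD CA must be present in the directory server's NSS database with the `C` flag in the SSL trust column, otherwise NSS rejects the LDAPS handshake with -8179 (unknown issuer). The listing and the nicknames below are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide from "certutil -d <dbdir> -L"
# output whether the AD CA is trusted for SSL in the dirsrv NSS database.
# certutil -L prints "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>" per certificate.
# The winsync LDAPS connection needs the AD CA present with the "C" flag in
# the SSL column; otherwise NSS fails the handshake with -8179
# (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized").

# Constructed sample listing so the check runs offline; nicknames are
# hypothetical. "AD-CA" is present but carries no trust flags at all.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
AD-CA                                                        ,,
IPA Root CA                                                  CT,,'

# trust_flags LISTING NICKNAME: print the trust string of one certificate.
# The trust string is always the last field; the nickname may contain spaces.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $1
            for (i = 2; i < NF; i++) name = name " " $i
            if (name == nick) { print $NF; exit }
        }'
}

# ca_ssl_trust_status LISTING NICKNAME: prints one of
#   missing    - no certificate with that nickname in the database
#   untrusted  - present, but no "C" in the SSL column (gives -8179)
#   trusted    - present and trusted to issue SSL server certificates
ca_ssl_trust_status() {
    flags=$(trust_flags "$1" "$2")
    if [ -z "$flags" ]; then
        echo missing
        return
    fi
    case "${flags%%,*}" in
        *C*) echo trusted ;;
        *)   echo untrusted ;;
    esac
}

# Live use against a real database, e.g.
#   check_nss_db /etc/dirsrv/slapd-XXXX-COM AD-CA
# "missing" means the CA import did not land in this database; "untrusted"
# is corrected by setting the CA trust flags with certutil's -M option:
#   certutil -d <dbdir> -M -n <nickname> -t "CT,,"
check_nss_db() {
    ca_ssl_trust_status "$(certutil -d "$1" -L)" "$2"
}

for nick in AD-CA "IPA Root CA" Missing-CA; do
    echo "$nick: $(ca_ssl_trust_status "$SAMPLE_LISTING" "$nick")"
done
```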
More information about the Freeipa-users mailing list