[Freeipa-users] AD Sync Error

Rich Megginson rmeggins at redhat.com
Tue Mar 9 15:38:44 UTC 2010


Shan Kumaraswamy wrote:
> Rich,
> Your mean the AD Administrator password or IPA admin password?
AD

I'm trying to find out why IPA cannot make a connection to AD.  So the 
hostname should be the AD hostname, and the -D (binddn) should be the DN 
of the user that IPA uses to bind to AD, and the password should be the 
password for that user.
>
> On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         When I try to run this command I am getting this error:
>         [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D
>         "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>         ldap_simple_bind: Invalid credentials
>         ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>         AcceptSecurityContext error, data 52e, v1771
>
>     You are not providing the correct password.
>
>
>
>          On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>            Please keep replies on list
>
>            Shan Kumaraswamy wrote:
>
>                Rich,
>                Does a reverse DNS lookup on the IP address return that hostname? -Yes
>                Is Active Directory configured to use/listen to SSL? -Yes, Active Directory
>                Cert Auth installed and exported and verified it.
>
>                Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert
>                of the windows CA? -yes "Imported CA cert"
>
>                certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert
>                I am trying to create a sync agreement from the IPA server using the
>                following syntax:
>                ipa-replica-manage add --winsync --binddn
>                CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com
>                --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer
>                sbtaddc001.bmitest.com -v
>
>                Please correct me where I am doing wrong?
>
>            ldap_simple_bind: Can't contact LDAP server
>                SSL error -5961 (TCP connection reset by peer.)
>
>            This usually indicates some low level error.  Let's try this:
>            /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D
>            "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>            Does that work?
>
>
>                On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                   Shan Kumaraswamy wrote:
>
>                       Hi Rich,
>
>                       Sorry for the delayed reply. After I executed your command I am
>                       getting the following error from my directory server. Please
>                       help me to resolve this error.
>
>                       [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h
>                       sbtaddc001.bmitest.com -p 636 -Z -P
>                       /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>                       CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s
>                       base -b "" "objectclass=*"
>
>                       ldap_simple_bind: Can't contact LDAP server
>                              SSL error -5961 (TCP connection reset by peer.)
>
>                   Is sbtaddc001.bmitest.com the real, registered DNS address for the
>                   Active Directory server?
>                   On both the linux machine and the windows machine?
>                   Does a reverse DNS lookup on the IP address return that hostname?
>                   Is Active Directory configured to use/listen to SSL?
>                   Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain
>                   the CA cert of the windows CA?
>                   certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>
>                        On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                          Shan Kumaraswamy wrote:
>
>                              Dear All,
>                              I am facing the AD Sync issue with FreeIPA to Active
>                              Directory, and as per the redhat-ds doc I have done all the
>                              settings from the AD front. Please help me to resolve this
>                              issue.
>                              And find the below error message:
>                              [root at sbttipa001 ~]# ipa-replica-manage add --winsync
>                              --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw
>                              secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
>                              sbtaddc001.bmitest.com -v --passsync bmi.123
>
>                              Directory Manager password:
>                              INFO:root:Shutting down dirsrv:
>                                  BMITEST-COM...                                 [  OK  ]
>                              INFO:root:
>                              INFO:root:
>                              INFO:root:
>                              INFO:root:Starting dirsrv:
>                                  BMITEST-COM...                                 [  OK  ]
>                              INFO:root:
>                              INFO:root:Added CA certificate
>                              /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate
>                              database for sbttipa001.bmitest.com
>                              INFO:root:Restarted directory server sbttipa001.bmitest.com
>                              INFO:root:Could not validate connection to remote server
>                              sbtaddc001.bmitest.com:636 - continuing
>                              INFO:root:The error was: {'info': 'error:14090086:SSL
>                              routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>                              failed', 'desc': "Can't contact LDAP server"}
>                              The user for the Windows PassSync service is
>                              uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>                              Windows PassSync entry exists, not resetting password
>                              INFO:root:Added new sync agreement, waiting for it to
>                              become ready . . .
>                              INFO:root:Replication Update in progress: FALSE: status: 49  -
>                              LDAP error: Invalid credentials: start: 0: end: 0
>                              INFO:root:Agreement is ready, starting replication . . .
>                              Starting replication, please wait until this has completed.
>                              [sbttipa001.bmitest.com] reports: Update failed!
>                              Status: [49  - LDAP error: Invalid credentials]
>                              INFO:root:Added agreement for other host sbtaddc001.bmitest.com
>
>
>                          Error 49 usually means the password is not correct.  You can use
>                          mozldap ldapsearch to test the connection like this:
>
>                          /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P
>                          /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>                          CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b ""
>                          "objectclass=*"
>
>                              --
>                              Thanks & Regards
>                              Shan Kumaraswamy
>
>                              _______________________________________________
>                              Freeipa-users mailing list
>                              Freeipa-users at redhat.com
>                              https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>

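Rich's checklist in the thread (forward/reverse DNS agreement, SSL on 636, the Windows CA cert in the cert db, the correct AD bind password) and the three error strings that appear above (AD `data 52e`, `SSL error -5961`, `certificate verify failed`) turned into a small triage helper. This is an added example, not code from the thread or from FreeIPA; the `AD_BIND_DATA` table holds the standard AD bind sub-codes, and `dns_consistent` takes injectable resolvers so it can be exercised on constructed data as well as live DNS.

```python
import re
import socket

# Well-known "data" sub-codes AD returns with AcceptSecurityContext bind failures
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def triage(output):
    """Classify ldapsearch / ipa-replica-manage output by the layer that failed.

    Returns (layer, next_check). The patterns are the three failures seen in
    the thread: an AD bind rejection, a TLS handshake reset, a CA verify failure.
    """
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", output)
    if m:
        meaning = AD_BIND_DATA.get(m.group(1), "unknown data code " + m.group(1))
        return ("bind", "AD rejected the bind: %s; confirm the bind DN exists in AD "
                "and the password is that account's AD password" % meaning)
    if "SSL error -5961" in output or "connection reset by peer" in output:
        return ("transport", "TLS handshake never completed: confirm the DC listens "
                "on 636, the name resolves to the DC and nothing resets the connection")
    if "certificate verify failed" in output:
        return ("tls", "server cert not trusted: import the Windows CA cert into the "
                "cert db (check with certutil -L) and make sure the hostname matches it")
    return ("unknown", "no known pattern matched; inspect the raw output")


def dns_consistent(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve host, then check the reverse lookup of that IP gives the same name.

    Resolvers are injectable so the check can run offline on constructed data.
    """
    try:
        ip = forward(host)
        name = reverse(ip)[0]  # gethostbyaddr -> (hostname, aliases, ipaddrs)
    except OSError as exc:
        return False, "lookup failed for %s: %s" % (host, exc)
    same = name.lower().rstrip(".") == host.lower().rstrip(".")
    return same, "%s -> %s -> %s" % (host, ip, name)
```

Feed `triage` the text of a failed ldapsearch or ipa-replica-manage run; a `bind` verdict means transport and TLS are already fine and only the credentials need attention.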



More information about the Freeipa-users mailing list