[Freeipa-users] AD Sync Error
Shan Kumaraswamy
shan.sysadm at gmail.com
Tue Mar 9 15:42:46 UTC 2010
Rich, again some errors:
[root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"
ldap_simple_bind: Strong authentication required
ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC,
comment: The server requires binds to turn on integrity checking if SSL\TLS
are not already active on the connection, data 0, v1771
On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> Shan Kumaraswamy wrote:
>
>> Rich,
>> Your mean the AD Administrator password or IPA admin password?
>>
> AD
>
> I'm trying to find out why IPA cannot make a connection to AD. So the
> hostname should be the AD hostname, and the -D (binddn) should be the DN of
> the user that IPA uses to bind to AD, and the password should be the
> password for that user.
>
>>
>> On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> When I try to run this command I am getting this error:
>> [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>>
>> ldap_simple_bind: Invalid credentials
>> ldap_simple_bind: additional info: 80090308: LdapErr:
>> DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e,
>> v1771
>>
>> You are not providing the correct password.
>>
>>
>>
>> On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Please keep replies on list
>>
>> Shan Kumaraswamy wrote:
>>
>> Rich,
>> Does a reverse DNS lookup on the IP address return that hostname? - Yes
>> Is Active Directory configured to use/listen to SSL? - Yes, Active Directory Certificate Authority installed, and the cert exported and verified.
>>
>> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? - Yes, "Imported CA cert"
>>
>> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert
>> I am trying to create a sync agreement from the IPA server using the following syntax:
>> ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v
>>
>> Please correct me where I am doing wrong.
>>
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -5961 (TCP connection reset by peer.)
>>
>> This usually indicates some low level error. Let's try this:
>> /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>>
>> Does that work?
>>
>>
>> On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> Hi Rich,
>>
>> Sorry for the delayed reply; after I executed your command I am getting the following error from my directory server. Please help me to resolve this error.
>>
>> [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>>
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -5961 (TCP connection reset by peer.)
>>
>> Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server? On both the linux machine and the windows machine?
>> Does a reverse DNS lookup on the IP address return that hostname?
>> Is Active Directory configured to use/listen to SSL?
>> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
>> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>>
>> On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> Dear All,
>> I am facing the AD Sync issue with FreeIPA to Active Directory, and as per the redhat-ds doc I have done all the settings from the AD front. Please help me to resolve this issue.
>> And find the below error message:
>> [root at sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv: BMITEST-COM... [ OK ]
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv: BMITEST-COM... [ OK ]
>> INFO:root:
>> INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
>> INFO:root:Restarted directory server sbttipa001.bmitest.com
>> INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
>> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 49 - LDAP error: Invalid credentials: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [sbttipa001.bmitest.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
>> INFO:root:Added agreement for other host sbtaddc001.bmitest.com
>>
>>
>> Error 49 usually means the password is not correct. You can use mozldap ldapsearch to test the connection like this:
>>
>> /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>>
>> -- Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
--
Thanks & Regards
Shan Kumaraswamy
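Added example, not from this thread and not FreeIPA's own code: the four failures quoted above (certificate verify failed, TCP reset during the TLS handshake, result 49 with data 52e, and finally "Strong authentication required") each carry a distinct diagnostic, and the classifier below turns a pasted ldapsearch or ipa-replica-manage error into a category and a next step. The "data NNN" table is the standard set of AD logon-failure sub-codes; the advice strings are my own, and the sample inputs are constructed by copying the error text quoted in this thread.

```python
import re

# Well-known AD logon-failure sub-codes that appear as "data NNN" alongside
# 80090308 (AcceptSecurityContext error) when a simple bind returns result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN is not the account's DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The "additional info" diagnostic AD attaches to a failed bind.
LDAPERR_RE = re.compile(
    r"(?P<win>[0-9A-Fa-f]{8}): LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)


def diagnose(output):
    """Classify the stderr of a failed ldapsearch / ipa-replica-manage bind."""
    # Mail clients and log wrappers break these messages across lines;
    # collapse whitespace so the regex sees a single diagnostic string.
    flat = " ".join(output.split())
    m = LDAPERR_RE.search(flat)
    if m and m.group("win").lower() == "00002028":
        # LDAP result 8 (strongerAuthRequired): the DC's "LDAP server signing
        # requirements" policy is Require signing, so a cleartext simple bind
        # on 389 is refused before the password is even checked.
        return {
            "category": "strong_auth_required",
            "subcode": m.group("data").lower(),
            "advice": "Retest over LDAPS (-p 636 -Z -P <cert8.db>) or with "
                      "SASL/GSSAPI; the password is not the problem here.",
        }
    if m and m.group("win").lower() == "80090308":
        sub = m.group("data").lower()
        return {
            "category": "invalid_credentials",
            "subcode": sub,
            "advice": AD_BIND_SUBCODES.get(sub, "unrecognised AD logon sub-code"),
        }
    if "SSL error -5961" in flat or "reset by peer" in flat:
        # NSS -5961: the DC dropped the TCP connection during the TLS handshake.
        return {
            "category": "tls_handshake",
            "subcode": "-5961",
            "advice": "Confirm the DC actually serves LDAPS on 636 (it needs a "
                      "server-authentication certificate in its machine store) "
                      "and that nothing on the path resets the connection.",
        }
    if "certificate verify failed" in flat:
        # OpenSSL 14090086: the chain presented on 636 does not validate
        # against the CA cert given to --cacert / imported into cert8.db.
        return {
            "category": "tls_cert_verify",
            "subcode": "14090086",
            "advice": "Import the CA that issued the DC's certificate (not the "
                      "DC's own cert) and check the hostname matches the cert.",
        }
    return {"category": "unknown", "subcode": None, "advice": "no known pattern matched"}


# Constructed samples, copied from the error text quoted in this thread.
SAMPLES = {
    "signing_required": (
        "ldap_simple_bind: Strong authentication required\n"
        "ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC,\n"
        "comment: The server requires binds to turn on integrity checking if SSL\\TLS\n"
        "are not already active on the connection, data 0, v1771"
    ),
    "invalid_credentials": (
        "ldap_simple_bind: Invalid credentials\n"
        "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
        "comment: AcceptSecurityContext error, data 52e, v1771"
    ),
    "tcp_reset": (
        "ldap_simple_bind: Can't contact LDAP server\n"
        "SSL error -5961 (TCP connection reset by peer.)"
    ),
    "cert_verify": (
        "INFO:root:The error was: {'info': 'error:14090086:SSL routines:"
        "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', "
        "'desc': \"Can't contact LDAP server\"}"
    ),
}


def triage_all(samples=SAMPLES):
    """Return {name: category} for every sample; handy for a quick run."""
    return {name: diagnose(text)["category"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        d = diagnose(text)
        print(f"{name:20s} {d['category']:22s} {d['subcode']}: {d['advice']}")
```

Run it as-is to see the triage for the four samples, or feed real ldapsearch stderr to diagnose(). The case worth noticing is the last one in the thread: "Strong authentication required" is not a wrong password, it is the DC refusing a cleartext simple bind on 389 because signing is required, which is why the earlier "-p 636 -Z -P cert8.db" form of the test is the one to repeat once the right CA cert is in the database.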