[Freeipa-users] AD Sync Error

Rich Megginson rmeggins at redhat.com
Tue Mar 9 16:03:00 UTC 2010


Shan Kumaraswamy wrote:
> Rich, again some errors:
>  
>  
> [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D 
> "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"
> ldap_simple_bind: Strong authentication required
> ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, 
> comment: The server requires binds to turn on integrity checking if 
> SSL\TLS are not already active on the connection, data 0, v1771
If this is your real password, as simo said, please change it immediately.

So at least you are talking to the AD server now.  It is telling you 
that it will not accept a bind using a clear text password over an 
insecure connection - that is, try using SSL as we did previously:

/usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D 
"CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>  
>
>  
> On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Rich,
>         You mean the AD Administrator password or the IPA admin password?
>
>     AD
>
>     I'm trying to find out why IPA cannot make a connection to AD.  So
>     the hostname should be the AD hostname, and the -D (binddn) should
>     be the DN of the user that IPA uses to bind to AD, and the
>     password should be the password for that user.
>
>
>         On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                When I try to run this command I am getting this error:
>                 [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D
>                "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>                ldap_simple_bind: Invalid credentials
>                ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA,
>                comment: AcceptSecurityContext error, data 52e, v1771
>
>            You are not providing the correct password.
>
>
>
>                 On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                   Please keep replies on list
>
>                   Shan Kumaraswamy wrote:
>
>                       Rich,
>                        Does a reverse DNS lookup on the IP address return that hostname? -Yes
>                        Is Active Directory configured to use/listen to SSL? -Yes, Active Directory
>                       Cert Auth installed, exported and verified.
>
>                        Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert
>                       of the windows CA? -Yes, "Imported CA cert"
>
>                       certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert.
>                       I am trying to create a sync agreement from the IPA server using the
>                       following syntax:
>                        ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com
>                       --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v
>
>                        Please correct me where I am going wrong.
>
>                   ldap_simple_bind: Can't contact LDAP server
>                        SSL error -5961 (TCP connection reset by peer.)
>
>                   This usually indicates some low-level error.  Let's try this:
>                   /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D
>                   "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>                   Does that work?
>
>                      
>                       On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                          Shan Kumaraswamy wrote:
>
>                              Hi Rich,
>
>                              Sorry for the delayed reply. After I executed your command I am
>                              getting the following error from my directory server. Please
>                              help me to resolve this error.
>
>                              [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P
>                              /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w
>                              "secretpw" -s base -b "" "objectclass=*"
>
>                              ldap_simple_bind: Can't contact LDAP server
>                                     SSL error -5961 (TCP connection reset by peer.)
>
>                          Is sbtaddc001.bmitest.com the real, registered DNS address for the Active
>                          Directory server?  On both the linux machine and the windows machine?
>                          Does a reverse DNS lookup on the IP address return that hostname?
>                          Is Active Directory configured to use/listen to SSL?
>                          Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain
>                          the CA cert of the windows CA?
>                          certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>
>                              On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                 Shan Kumaraswamy wrote:
>
>                                     Dear All,
>                                     Dear All,
>                                     I am facing an AD Sync issue with FreeIPA to Active
>                                     Directory, and as per the redhat-ds doc I have done all the
>                                     settings on the AD front. Please help me to resolve this
>                                     issue. Find the error message below:
>                                      [root at sbttipa001 ~]# ipa-replica-manage add --winsync
>                                     --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw
>                                     secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
>                                     sbtaddc001.bmitest.com -v --passsync bmi.123
>
>                                     Directory Manager password:
>                                     INFO:root:Shutting down dirsrv:
>                                        BMITEST-COM...                                     [  OK  ]
>                                     INFO:root:
>                                     INFO:root:
>                                     INFO:root:
>                                     INFO:root:Starting dirsrv:
>                                        BMITEST-COM...                                     [  OK  ]
>                                     INFO:root:
>                                     INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to
>                                     certificate database for sbttipa001.bmitest.com
>                                     INFO:root:Restarted directory server sbttipa001.bmitest.com
>                                     INFO:root:Could not validate connection to remote server
>                                     sbtaddc001.bmitest.com:636 - continuing
>                                     INFO:root:The error was: {'info': 'error:14090086:SSL
>                                     routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>                                     failed', 'desc': "Can't contact LDAP server"}
>                                     The user for the Windows PassSync service is
>                                     uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>                                     Windows PassSync entry exists, not resetting password
>                                     INFO:root:Added new sync agreement, waiting for it to become
>                                     ready . . .
>                                     INFO:root:Replication Update in progress: FALSE: status: 49  -
>                                     LDAP error: Invalid credentials: start: 0: end: 0
>                                     INFO:root:Agreement is ready, starting replication . . .
>                                     Starting replication, please wait until this has completed.
>                                     [sbttipa001.bmitest.com] reports: Update failed!
>                                     Status: [49  - LDAP error: Invalid credentials]
>                                     INFO:root:Added agreement for other host sbtaddc001.bmitest.com
>
>
>                                 Error 49 usually means the password is not correct.  You can use
>                                 mozldap ldapsearch to test the connection like this:
>
>                                 /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>                                 CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>
>                                     -- 
>                                     Thanks & Regards
>                                     Shan Kumaraswamy
>
>                                     ------------------------------------------------------------------------
>
>                                     _______________________________________________
>                                     Freeipa-users mailing list
>                                     Freeipa-users at redhat.com
>                                     https://www.redhat.com/mailman/listinfo/freeipa-users
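Added example (not from the thread, and not IPA or mozldap code): a small Python helper that parses the diagnostic strings quoted above and maps each one to the cause the thread settled on, so the same triage can be applied to a pasted error without re-reading AD's LdapErr format. The sample strings are copied from the thread; the field names, the stage labels and the Win32 reading of `data 52e` as ERROR_LOGON_FAILURE are my additions.

```python
"""Triage helper for the LDAP bind failures quoted in this thread (added example)."""
import re

# Active Directory's "additional info" string, e.g.
#   80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771
AD_INFO_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>\w+)"
)

# Win32 meaning of the hex "data" field, for the one code seen in the thread
# (standard Win32 error table: 0x52e == 1326 == ERROR_LOGON_FAILURE).
WIN32_DATA = {0x52E: "ERROR_LOGON_FAILURE: bad bind DN or password"}

def parse_ad_info(text):
    """Split AD's LdapErr string into its fields; None if the pattern is absent."""
    m = AD_INFO_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["data_int"] = int(fields["data"], 16)  # AD prints the code in hex
    return fields

def diagnose(output):
    """Return (stage, cause, next_step) for one ldapsearch/ipa-replica-manage error."""
    # Transport failures come from the TLS library (NSS/OpenSSL), not from AD.
    if "certificate verify failed" in output:
        return ("transport", "client does not trust the certificate AD presented",
                "import the Windows CA cert into the client cert db and check the AD hostname matches it")
    if "connection reset by peer" in output:
        return ("transport", "TCP session reset before the TLS handshake completed",
                "check forward/reverse DNS for the AD host and that it listens on 636")
    info = parse_ad_info(output)
    if info is None:
        return ("unknown", "no recognised AD diagnostic string",
                "rerun a base-scope ldapsearch and capture the full error text")
    if info["code"].upper() == "00002028":
        # AD: binds must turn on integrity checking unless SSL/TLS is already active,
        # i.e. a cleartext simple bind on 389 was refused outright.
        return ("bind", "AD refuses cleartext simple binds",
                "bind over LDAPS (-p 636 -Z) or StartTLS instead of port 389 in the clear")
    cause = WIN32_DATA.get(info["data_int"], f"unmapped Win32 code {info['data']}")
    return ("bind", f"{cause} (data {info['data']})",
            "verify the bind DN exists in AD and re-enter the password")

# Constructed samples: the error strings quoted earlier in this thread.
SAMPLES = {
    "cleartext_bind": ("ldap_simple_bind: Strong authentication required\n"
                       "ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, "
                       "comment: The server requires binds to turn on integrity checking if "
                       "SSL\\TLS are not already active on the connection, data 0, v1771"),
    "bad_password": ("ldap_simple_bind: Invalid credentials\n"
                     "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
                     "comment: AcceptSecurityContext error, data 52e, v1771"),
    "tls_reset": ("ldap_simple_bind: Can't contact LDAP server\n"
                  "SSL error -5961 (TCP connection reset by peer.)"),
    "untrusted_ca": "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        stage, cause, step = diagnose(blob)
        print(f"{name:15} [{stage}] {cause} -> {step}")
```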



