[Freeipa-users] AD Sync Error

Rich Megginson rmeggins at redhat.com
Tue Mar 9 16:58:23 UTC 2010


Shan Kumaraswamy wrote:
> Yes, I am able to get the output using the port, but without password.
>
> /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -s base -b "" "objectclass=*"
Ok.  Now try doing a search of your user subtree:
/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -b "CN=users,DC=bmitest,DC=com" "objectclass=*" dn

You will likely have to provide a password for this.
> On Tue, Mar 9, 2010 at 7:38 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Yes I can get the output when I ran this step:
>         Command: /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -s base -b "" "objectclass=*"
>
>         Output:
>          version: 1
>         dn:
>         currentTime: 20100309160730.0Z
>         subschemaSubentry:
>         CN=Aggregate,CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
>         dsServiceName: CN=NTDS Settings,CN=SBTADDC001,CN=Servers,CN=Bahrain-Site,CN=Sites,CN=Configuration,DC=BMITEST,DC=COM
>         namingContexts: DC=BMITEST,DC=COM
>         namingContexts: CN=Configuration,DC=BMITEST,DC=COM
>         namingContexts: CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
>         namingContexts: DC=DomainDnsZones,DC=BMITEST,DC=COM
>         namingContexts: DC=ForestDnsZones,DC=BMITEST,DC=COM
>         defaultNamingContext: DC=BMITEST,DC=COM
>         schemaNamingContext: CN=Schema,CN=Configuration,DC=BMITEST,DC=COM
>         configurationNamingContext: CN=Configuration,DC=BMITEST,DC=COM
>         rootDomainNamingContext: DC=BMITEST,DC=COM
>         supportedControl: 1.2.840.113556.1.4.319
>         supportedControl: 1.2.840.113556.1.4.801
>         supportedControl: 1.2.840.113556.1.4.473
>         supportedControl: 1.2.840.113556.1.4.528
>         supportedControl: 1.2.840.113556.1.4.417
>         supportedControl: 1.2.840.113556.1.4.619
>         supportedControl: 1.2.840.113556.1.4.841
>         supportedControl: 1.2.840.113556.1.4.529
>         supportedControl: 1.2.840.113556.1.4.805
>         supportedControl: 1.2.840.113556.1.4.521
>         supportedControl: 1.2.840.113556.1.4.970
>         supportedControl: 1.2.840.113556.1.4.1338
>         supportedControl: 1.2.840.113556.1.4.474
>         supportedControl: 1.2.840.113556.1.4.1339
>         supportedControl: 1.2.840.113556.1.4.1340
>         supportedControl: 1.2.840.113556.1.4.1413
>         supportedControl: 2.16.840.1.113730.3.4.9
>         supportedControl: 2.16.840.1.113730.3.4.10
>         supportedControl: 1.2.840.113556.1.4.1504
>         supportedControl: 1.2.840.113556.1.4.1852
>         supportedControl: 1.2.840.113556.1.4.802
>         supportedControl: 1.2.840.113556.1.4.1907
>         supportedControl: 1.2.840.113556.1.4.1948
>         supportedControl: 1.2.840.113556.1.4.1974
>         supportedControl: 1.2.840.113556.1.4.1341
>         supportedControl: 1.2.840.113556.1.4.2026
>         supportedLDAPVersion: 3
>         supportedLDAPVersion: 2
>         supportedLDAPPolicies: MaxPoolThreads
>         supportedLDAPPolicies: MaxDatagramRecv
>         supportedLDAPPolicies: MaxReceiveBuffer
>         supportedLDAPPolicies: InitRecvTimeout
>         supportedLDAPPolicies: MaxConnections
>         supportedLDAPPolicies: MaxConnIdleTime
>         supportedLDAPPolicies: MaxPageSize
>         supportedLDAPPolicies: MaxQueryDuration
>         supportedLDAPPolicies: MaxTempTableSize
>         supportedLDAPPolicies: MaxResultSetSize
>         supportedLDAPPolicies: MaxNotificationPerConn
>         supportedLDAPPolicies: MaxValRange
>         highestCommittedUSN: 905371
>         supportedSASLMechanisms: GSSAPI
>         supportedSASLMechanisms: GSS-SPNEGO
>         supportedSASLMechanisms: EXTERNAL
>         supportedSASLMechanisms: DIGEST-MD5
>         dnsHostName: SBTADDC001.BMITEST.COM
>
>           Please let me know the syntax of IPA AD sync.
>
>     Ok.  Now try it with the ldaps port (-p 636)
>     /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -p 636 -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>          On Tue, Mar 9, 2010 at 7:03 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                Rich, again some errors:
>                [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "Str1ve2XL" -s base -b "" "objectclass=*"
>
>                ldap_simple_bind: Strong authentication required
>                ldap_simple_bind: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1771
>
>            If this is your real password, as simo said, please change it immediately.
>
>            So at least you are talking to the AD server now.  It is telling you that it will not accept a bind using a clear text password over an insecure connection - that is, try using SSL as we did previously:
>
>            /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>                On Tue, Mar 9, 2010 at 6:38 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                   Shan Kumaraswamy wrote:
>
>                       Rich,
>                       You mean the AD Administrator password or IPA admin password?
>
>                   AD
>
>                   I'm trying to find out why IPA cannot make a connection to AD.  So the hostname should be the AD hostname, and the -D (binddn) should be the DN of the user that IPA uses to bind to AD, and the password should be the password for that user.
>
>
>                       On Tue, Mar 9, 2010 at 6:32 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                          Shan Kumaraswamy wrote:
>
>                              When I try to run this command I am getting this error:
>                              [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>                              ldap_simple_bind: Invalid credentials
>                              ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771
>
>                          You are not providing the correct password.
>
>
>
>                               On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                 Please keep replies on list
>
>                                 Shan Kumaraswamy wrote:
>
>                                     Rich,
>                                     Does a reverse DNS lookup on the IP address return that hostname? -Yes
>                                     Is Active Directory configured to use/listen to SSL? -Yes, Active Directory Cert Auth installed, and exported it and verified.
>
>                                     Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? -yes, "Imported CA cert"
>
>                                     certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert.
>                                     I am trying to create a sync agreement from the IPA server using the following syntax:
>                                     ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer sbtaddc001.bmitest.com -v
>
>                                     Please correct me where I am doing wrong?
>
>                                 ldap_simple_bind: Can't contact LDAP server
>                                 SSL error -5961 (TCP connection reset by peer.)
>
>                                 This usually indicates some low level error.  Let's try this:
>                                 /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"
>
>                                 Does that work?
>
>                                     On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                        Shan Kumaraswamy wrote:
>
>                                            Hi Rich,
>
>                                            Sorry for the delayed reply. After I executed your command I am getting the following error from my directory server. Please help me to resolve this error.
>
>                                            [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>
>                                            ldap_simple_bind: Can't contact LDAP server
>                                            SSL error -5961 (TCP connection reset by peer.)
>
>                                        Is sbtaddc001.bmitest.com the real, registered DNS address for the Active Directory server?  On both the linux machine and the windows machine?
>                                        Does a reverse DNS lookup on the IP address return that hostname?
>                                        Is Active Directory configured to use/listen to SSL?
>                                        Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA?
>                                        certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>
>                                            On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                               Shan Kumaraswamy wrote:
>
>                                                   Dear All,
>                                                   I am facing the AD Sync
>                issue with
>                              FreeIPA to Active
>                                                   Directory, and as
>         per the
>                       redhat-ds doc I
>                              have
>                                     done all the
>                                                   settings from AD
>         front. please
>                       help me to
>                                     resolve this
>                                            issue.
>                                                   And find the below error
>                message:
>                                                    [root at sbttipa001 ~]#
>                       ipa-replica-manage add
>                                     --winsync
>                                                   --binddn
>                              CN=ipaadmin,CN=users,DC=bmitest,DC=com
>                                     --bindpw
>                                                   secretpw --ca cert
>                                    
>         /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
>                                                  
>         sbtaddc001.bmitest.com <http://sbtaddc001.bmitest.com/>
>                <http://sbtaddc001.bmitest.com/>
>                       <http://sbtaddc001.bmitest.com/>
>                              <http://sbtaddc001.bmitest.com/>
>                                     <http://sbtaddc001.bmitest.com/>
>                              <http://sbtaddc001.bmitest.com/>
>                                          
>          <http://sbtaddc001.bmitest.com/>
>                                                        
>          <http://sbtaddc001.bmitest.com
>         <http://sbtaddc001.bmitest.com/> <http://sbtaddc001.bmitest.com/>
>                       <http://sbtaddc001.bmitest.com/>
>                              <http://sbtaddc001.bmitest.com/>
>                                     <http://sbtaddc001.bmitest.com/>
>                                          
>          <http://sbtaddc001.bmitest.com/>
>
>                                                        
>          <http://sbtaddc001.bmitest.com/>> -v
>                              --passsync
>                                     bmi.123
>
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
>     BMITEST-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
>     BMITEST-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com <http://sbttipa001.bmitest.com/>
> INFO:root:Restarted directory server sbttipa001.bmitest.com <http://sbttipa001.bmitest.com/>
> INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 <http://sbtaddc001.bmitest.com:636/> - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"}
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [sbttipa001.bmitest.com <http://sbttipa001.bmitest.com/>] reports: Update failed!
> Status: [49  - LDAP error: Invalid credentials]
> INFO:root:Added agreement for other host sbtaddc001.bmitest.com <http://sbtaddc001.bmitest.com/>
>
> Error 49 usually means the password is not correct.  You can use mozldap ldapsearch to test the connection like this:
>
> /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*"
>
>                                                            --        
>         Thanks
>                & Regards
>                                                   Shan Kumaraswamy
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> -- 
> Thanks & Regards
> Shan Kumaraswamy
>
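Added example, not part of the thread or of FreeIPA: a small Python triage helper that reads ipa-replica-manage output like the log quoted above and separates the two distinct failures it contains, the certificate verification failure from the tool's own connection check against the AD server and the LDAP error 49 (invalid credentials) reported on the sync agreement, so the admin knows which one to fix with which check. The sample log is a condensed, constructed copy of the quoted output; the LDAP_STATUS_HINTS table and the function names are this example's own.

```python
import re

# Constructed sample: condensed from the ipa-replica-manage output quoted in the thread.
SAMPLE_LOG = """\
INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com
INFO:root:Restarted directory server sbttipa001.bmitest.com
INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"}
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 49  - LDAP error: Invalid credentials: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
[sbttipa001.bmitest.com] reports: Update failed!
Status: [49  - LDAP error: Invalid credentials]
"""

# Hypothetical hint table (this example's own) for LDAP result codes seen in agreement status lines.
LDAP_STATUS_HINTS = {
    0: "success",
    32: "no such object: the bind DN or the AD subtree named in the agreement does not exist",
    49: "invalid credentials: the AD bind DN or its password is wrong (what Rich's ldapsearch test checks)",
}

def triage_winsync_log(text):
    """Return a de-duplicated list of (category, detail) findings from ipa-replica-manage output."""
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for line in text.splitlines():
        m = re.search(r"Could not validate connection to remote server (\S+)", line)
        if m:
            add(("connection", m.group(1)))
        # error:14090086 is an OpenSSL error string: the tool's own TLS check could not verify the AD cert.
        if "certificate verify failed" in line:
            add(("tls", "AD server certificate did not verify against the CA given to ipa-replica-manage"))
        # Matches both "status: 49  - LDAP error: Invalid credentials: ..." and "Status: [49  - LDAP error: ...]".
        m = re.search(r"status: \[?(\d+)\s+-\s+LDAP error: ([^:\]]+)", line, re.IGNORECASE)
        if m:
            code = int(m.group(1))
            hint = LDAP_STATUS_HINTS.get(code, "see the LDAP result code reference")
            add(("agreement", f"{code} {m.group(2).strip()}: {hint}"))
    return findings

def remediation_order(findings):
    """Fix the CA trust for the tool's connection check first, then the agreement's bind credentials."""
    categories = {category for category, _ in findings}
    steps = []
    if "tls" in categories:
        steps.append("verify the AD CA certificate file passed to ipa-replica-manage chains to the DC's server cert")
    if "agreement" in categories:
        steps.append("re-check the AD bind DN and password with an ldapsearch over port 636 against the DC")
    return steps

if __name__ == "__main__":
    for finding in triage_winsync_log(SAMPLE_LOG):
        print(finding)
    for step in remediation_order(triage_winsync_log(SAMPLE_LOG)):
        print("next:", step)
```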




More information about the Freeipa-users mailing list