[Freeipa-users] IPA AD Sync error
Shan Kumaraswamy
shan.sysadm at gmail.com
Tue Sep 21 16:43:12 UTC 2010
Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error while
executing the sync command:
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
MYDOMAIN-COM... [ OK ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to
certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server
sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
Please advise.
On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> Shan Kumaraswamy wrote:
>
>> Hi Rich,
>> While executing your command (ldapserch), I am getting the following
>> output:
>> _Command:_
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
>> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>> _Output:_
>> ldap_search: Can't contact LDAP server
>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>> _Command:_
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
>> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>> _Output:_
>> [root at saprhds001 ~]#
>> LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1
>> -x -h sbpaddc003.corp.mydomain.ad -p
>> 389 -Z -s base -b ""
>> ldap_create
>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>>
>> ldap_extended_operation_s
>> ldap_extended_operation
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>>
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.8.27.22:389
>>
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_open_defconn: successful
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush: 31 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 1
>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad port: 389 (default)
>>
>> refcnt: 2 status: Connected
>> last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>> * msgid 1, origid 1, status InProgress
>> outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>> Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 40 contents:
>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>> ber_scanf fmt ({eaa) ber:
>> read1msg: ld 0x1aa8c6f0 0 new referrals
>> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
>> request done: ld 0x1aa8c6f0 msgid 1
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 1, msgid 1)
>> ldap_parse_extended_result
>> ber_scanf fmt ({eaa) ber:
>> ber_scanf fmt (a) ber:
>> ldap_parse_result
>> ber_scanf fmt ({iaa) ber:
>> ber_scanf fmt (x) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, unable to get local issuer
>> certificate
>>
> Unable to get local issuer certificate? Is the adcacert.asc file the
> actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more
> than one CA or subordinate CAs? If so, you may need to have the entire CA
> cert chain in the file.
>
> If you are sure that adcacert.asc is from the AD CA, then try adding
> TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above
> ldapsearch again.
>
> Let's see what the subject and issuer are in the CA cert:
> openssl x509 -in /path/to/adcacert.asc -text
>
>> TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, certificate not trusted
>> TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD,
>> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>
>> TLS certificate verification: Error, unable to verify the first
>> certificate
>> TLS trace: SSL_connect:SSLv3 read server certificate A
>> TLS trace: SSL_connect:SSLv3 read server certificate request A
>> TLS trace: SSL_connect:SSLv3 read server done A
>> TLS trace: SSL_connect:SSLv3 write client certificate A
>> TLS trace: SSL_connect:SSLv3 write client key exchange A
>> TLS trace: SSL_connect:SSLv3 write change cipher spec A
>> TLS trace: SSL_connect:SSLv3 write finished A
>> TLS trace: SSL_connect:SSLv3 flush data
>> TLS trace: SSL_connect:SSLv3 read finished A
>> TLS trace: SSL3 alert write:warning:bad certificate
>> TLS: unable to get peer certificate.
>> ldap_bind
>> ldap_simple_bind
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({i) ber:
>> ber_flush: 14 bytes to sd 3
>> ldap_result ld 0x1aa8c6f0 msgid 2
>> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
>> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
>> ** ld 0x1aa8c6f0 Connections:
>> * host: sbpaddc003.corp.mydomain.ad port: 389 (default)
>>
>> refcnt: 2 status: Connected
>> last used: Tue Sep 21 10:23:41 2010
>> ** ld 0x1aa8c6f0 Outstanding Requests:
>> * msgid 2, origid 2, status InProgress
>> outstanding referrals 0, parent count 0
>> ** ld 0x1aa8c6f0 Response Queue:
>> Empty
>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>> ldap_int_select
>> read1msg: ld 0x1aa8c6f0 msgid 2 all 1
>> ber_get_next
>> ldap_perror
>> ldap_result: Can't contact LDAP server (-1)
>> Please help to resolve this issue.
>>
>
>
>>
>>
>> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Shan Kumaraswamy wrote:
>>
>> Rich,
>> I am again facing some issue with IPA+AD Sync and I tested all
>> the levels:
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become
>> ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 -
>> LDAP error: Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [saprhds001.bmibank.com] reports: Update failed!
>> Status: [81 - LDAP error: Can't contact LDAP server]
>>
>> I have imported the right CA to the IPA box and the output is:
>> Certificate Nickname          Trust Attributes
>>                               SSL,S/MIME,JAR/XPI
>> CA certificate                CTu,u,Cu
>> Imported CA                   CT,,C
>> Server-Cert                   u,u,u
>> And I also tried the openssl s_client option, but no luck.
>>
>> What exactly did you do? with openssl s_client?
>>
>> Did you try
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
>> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
>> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>
>> Without the cert, when I try ldapsearch it gives output, but
>> with the cert (AD CA) it throws an error.
>> Please help me fix this issue.
>>
>> -- Thanks & Regards
>> Shan Kumaraswamy
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>
--
Thanks & Regards
Shan Kumaraswamy
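Rich's diagnosis in the quoted reply (a CA file that holds only part of the chain makes the client report "unable to get local issuer certificate", so with a subordinate AD CA the whole chain must be in the file) can be reproduced offline. The script below is an added example, not from this thread or from the FreeIPA project: it builds a throwaway root CA, issuing (subordinate) CA and server certificate with openssl in a temp directory (all names such as Lab Root CA and dc01.example.test are constructed), prints the leaf's subject and issuer as the reply suggests, and runs openssl verify twice, once with a CA file holding only the root, which fails the way the ldapsearch -d 1 trace did, and once with root plus intermediate, which succeeds.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unable to get local
# issuer certificate" failure with a throwaway two-tier PKI, then show the
# fix (the full CA chain in one file). All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Run a command silently; the functions below report results themselves.
quiet() { "$@" >/dev/null 2>&1; }

# Build root CA -> issuing (intermediate) CA -> server leaf.
make_chain() {
    # Extensions that make a certificate a usable CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Self-signed root.
    quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr"
    quiet openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem"
    # Subordinate CA, signed by the root (the "Corp-...-CA" role in the thread).
    quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr"
    quiet openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/sub.pem"
    # Server leaf, signed by the subordinate: what the LDAP server presents.
    quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
    quiet openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" \
        -CAkey "$WORK/sub.key" -CAcreateserial -days 30 -out "$WORK/leaf.pem"
    # Full chain: what LDAPTLS_CACERT / TLS_CACERT needs to point at when
    # the issuer is a subordinate CA rather than the root itself.
    cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/chain.pem"
}

# The check the reply suggests, trimmed to subject and issuer: if the
# leaf's issuer is not the subject of a cert in the CA file, the file is
# missing a link of the chain (or is the wrong CA altogether).
show_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# verify_leaf CAFILE: 0 if leaf.pem chains to CAFILE, 1 otherwise.
# Matches on ": OK" in the output rather than the exit code, which older
# openssl releases did not set reliably for verify.
verify_leaf() {
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
    esac
    printf '%s\n' "$out" >&2   # e.g. "error 20 ... unable to get local issuer certificate"
    return 1
}

main() {
    make_chain
    echo "leaf certificate:"; show_names "$WORK/leaf.pem"
    echo "CA file with root only:"
    if verify_leaf "$WORK/root.pem"; then echo OK; else echo "FAILED (intermediate missing)"; fi
    echo "CA file with root + intermediate:"
    if verify_leaf "$WORK/chain.pem"; then echo OK; else echo FAILED; fi
}

main
```

The first verify fails at depth 0 with error 20, the same code the -d 1 trace showed, because the client cannot find the leaf's issuer among the trusted certificates; once sub.pem is appended to the CA file the chain closes at the root and verification passes. The same file can then be used for LDAPTLS_CACERT or TLS_CACERT in ~/.ldaprc.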