[Freeipa-users] IPA AD Sync error
Rich Megginson
rmeggins at redhat.com
Tue Sep 21 17:20:04 UTC 2010
Shan Kumaraswamy wrote:
> Hi Rich,
> Finally I imported the right CA into the IPA box; now I am getting this error
> while executing the sync command:
>
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
> MYDOMAIN-COM... [ OK ]
> INFO:root:
> INFO:root:Added CA certificate
> /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for
> saprhds001.mydomain.com
> INFO:root:Restarted directory server saprhds001.mydomain.com
> INFO:root:Could not validate connection to remote server
> sbpaddc003.mydomain.ad:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed',
> 'desc': "Can't contact LDAP server"}
This is normal, due to a limitation in the way python-ldap loads CA
certs. You can ignore this.
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 0 Incremental
> update started: start: 20100921163646Z: end: 20100921163646Z
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
>
Looks like it is working - so far, so good.
>
> Please advise.
>
> On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Hi Rich,
> While executing your command (ldapsearch), I am getting the
> following output:
> Command:
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
> "objectclass=*"
> Output:
> ldap_search: Can't contact LDAP server
> SSL error -8179 (Peer's Certificate issuer is not
> recognized.)
> Command:
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
> Output:
> [root at saprhds001 ~]#
> LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer
> ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
> ldap_create
> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.8.27.22:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 31 bytes to sd 3
> ldap_result ld 0x1aa8c6f0 msgid 1
> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
> ** ld 0x1aa8c6f0 Connections:
> * host: sbpaddc003.corp.mydomain.ad port: 389 (default)
> refcnt: 2 status: Connected
> last used: Tue Sep 21 10:23:41 2010
> ** ld 0x1aa8c6f0 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ** ld 0x1aa8c6f0 Response Queue:
> Empty
> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
> ldap_int_select
> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
> ber_scanf fmt ({eaa) ber:
> read1msg: ld 0x1aa8c6f0 0 new referrals
> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
> request done: ld 0x1aa8c6f0 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eaa) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject:
> /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer:
> /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, unable to get local
> issuer certificate
>
> Unable to get local issuer certificate? Is the adcacert.asc file
> the actual CA cert in ascii/pem/base64 format from the AD CA? Do
> you have more than one CA or subordinate CAs? If so, you may need
> to have the entire CA cert chain in the file.
>
> If you are sure that adcacert.asc is from the AD CA, then try
> adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and
> try the above ldapsearch again.
>
> Let's see what the subject and issuer are in the CA cert:
> openssl x509 -in /path/to/adcacert.asc -text
>
> TLS certificate verification: depth: 0, err: 27, subject:
> /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer:
> /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, certificate not trusted
> TLS certificate verification: depth: 0, err: 21, subject:
> /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer:
> /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, unable to verify the
> first certificate
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS trace: SSL3 alert write:warning:bad certificate
> TLS: unable to get peer certificate.
> ldap_bind
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 14 bytes to sd 3
> ldap_result ld 0x1aa8c6f0 msgid 2
> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
> ** ld 0x1aa8c6f0 Connections:
> * host: sbpaddc003.corp.mydomain.ad port: 389 (default)
> refcnt: 2 status: Connected
> last used: Tue Sep 21 10:23:41 2010
> ** ld 0x1aa8c6f0 Outstanding Requests:
> * msgid 2, origid 2, status InProgress
> outstanding referrals 0, parent count 0
> ** ld 0x1aa8c6f0 Response Queue:
> Empty
> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
> ldap_int_select
> read1msg: ld 0x1aa8c6f0 msgid 2 all 1
> ber_get_next
> ldap_perror
> ldap_result: Can't contact LDAP server (-1)
> Please help to resolve this issue.
>
> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> I am again facing an issue with IPA+AD Sync, and I tested all
> the levels:
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81 -
> LDAP error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [saprhds001.bmibank.com] reports: Update failed!
> Status: [81 - LDAP error: Can't contact LDAP server]
>
> I have imported the right CA to the IPA box and the output is:
> Certificate Nickname                    Trust Attributes
>                                         SSL,S/MIME,JAR/XPI
>
> CA certificate                          CTu,u,Cu
> Imported CA                             CT,,C
> Server-Cert                             u,u,u
> And I also did the openssl s_client option, but
> no luck.
>
> What exactly did you do with openssl s_client?
>
> Did you try
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b ""
> "objectclass=*"
>
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
> Without the cert, when I try ldapsearch it gives output, but
> with the cert (AD CA) it throws an error.
> Please help me fix this issue.
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
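Rich's diagnosis in this thread turns on two checks: whether the file handed to ldapsearch as the CA certificate actually carries the subject DN that the DC's certificate names as its issuer, and whether that file holds the entire chain when a subordinate CA (rather than the root) signed the DC's certificate. The script below is an added example, not code from this thread or from FreeIPA; it builds a throwaway two-tier CA offline (constructed names: a root "Corp-Root-CA", a subordinate reusing the thread's issuer CN "Corp-SAPDHCP001-CA", and a server cert for SBPADDC003.Corp.MYDOMAIN.AD) and runs both checks with openssl, reproducing "unable to get local issuer certificate" when only the root is supplied and OK when the full chain file is used.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All CA and host names below
# are constructed for the demo; no real AD CA or DC is contacted.
set -eu

# Build a throwaway PKI under $1: root CA -> subordinate CA -> DC server cert.
build_test_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sbpaddc003.corp.mydomain.ad
EOF
    for n in root sub server; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
    done
    # Self-signed root CA (constructed name)
    openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.crt" -days 1 \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -subj "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-Root-CA" 2>/dev/null
    # Subordinate CA signed by the root; CN reuses the issuer seen in the thread
    openssl req -new -key "$dir/sub.key" -out "$dir/sub.csr" -config "$dir/ext.cnf" \
        -subj "/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/sub.crt" -days 1 \
        -extfile "$dir/ext.cnf" -extensions v3_ca 2>/dev/null
    # DC server certificate signed by the subordinate CA
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/ext.cnf" \
        -subj "/CN=SBPADDC003.Corp.MYDOMAIN.AD" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -out "$dir/server.crt" -days 1 \
        -extfile "$dir/ext.cnf" -extensions v3_server 2>/dev/null
    # "Entire CA cert chain in the file": subordinate first, then root
    cat "$dir/sub.crt" "$dir/root.crt" > "$dir/chain.crt"
}

# Check 1: does the server cert's issuer DN ($1) equal the CA cert's subject DN ($2)?
# Both DNs are printed in RFC 2253 form so the strings compare exactly.
issuer_matches() {
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# Check 2: run openssl's chain validation with CA file $1 against server cert $2.
# Prints "OK", or the verify error text (the same wording ldapsearch -d 1 shows).
chain_verdict() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

# Demo: one server cert, two candidate "CA files" (root only vs. full chain).
work=$(mktemp -d)
build_test_pki "$work"
echo "server issuer == root subject?  $(issuer_matches "$work/server.crt" "$work/root.crt" && echo yes || echo no)"
echo "server issuer == sub subject?   $(issuer_matches "$work/server.crt" "$work/sub.crt" && echo yes || echo no)"
echo "verify with root only:  $(chain_verdict "$work/root.crt" "$work/server.crt")"
echo "verify with full chain: $(chain_verdict "$work/chain.crt" "$work/server.crt")"
rm -rf "$work"
```

In practice you would point `issuer_matches` and `chain_verdict` at the DC certificate captured from the server (for example with `openssl s_client -showcerts`) and at the file you intend to pass as `LDAPTLS_CACERT`; a "no" on the first check or an "unable to get local issuer certificate" verdict on the second means the file is not the issuing CA or is missing an intermediate.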