[Freeipa-users] cant create winsync reolication

Rich Megginson rmeggins at redhat.com
Sat Feb 1 00:08:03 UTC 2014


On 01/31/2014 05:00 PM, Todd Maugh wrote:
> got a new CA cert and seem to be in business
>
> [root at se-idm-01.boingo.com cacerts]$ ipa-replica-manage connect 
> --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa, dc=local" 
> --bindpw "g0_b0ing0" --passsync "l0v3ish at rd" 
> --cacert=/etc/openldap/cacerts/skywarp.cer qatestdc2.boingoqa.local -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/skywarp.cer to certificate 
> database for se-idm-01.boingo.com
> ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica 
> acquired successfully: Incremental update started: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update succeeded
> Connected 'se-idm-01.boingo.com' to 'qatestdc2.boingoqa.local'

Great!

>
>
> then ran your command
>
>
> [root at se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx 
> -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
> ldap_create
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.194.55.48:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x1b7c160 msgid 1
> wait4msg ld 0x1b7c160 msgid 1 (infinite timeout)
> wait4msg continue ld 0x1b7c160 msgid 1 all 1
> ** ld 0x1b7c160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:09 2014
>
>
> ** ld 0x1b7c160 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1b7c160 request count 1 (abandoned 0)
> ** ld 0x1b7c160 Response Queue:
>    Empty
>   ld 0x1b7c160 response count 0
> ldap_chkResponseList ld 0x1b7c160 msgid 1 all 1
> ldap_chkResponseList returns ld 0x1b7c160 NULL
> ldap_int_select
> read1msg: ld 0x1b7c160 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> read1msg: ld 0x1b7c160 msgid 1 message type extended-result
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x1b7c160 0 new referrals
> read1msg:  mark request completed, ld 0x1b7c160 msgid 1
> request done: ld 0x1b7c160 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eAA) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' 
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
> TLS: loaded CA certificate file /etc/ipa/ca.crt.
> TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid
> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
> issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
> level: high, secret key bits: 128, total key bits: 128, cache hits: 0, 
> cache misses: 0, cache not reusable: 0
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush2: 66 bytes to sd 3
> ldap_result ld 0x1b7c160 msgid 2
> wait4msg ld 0x1b7c160 msgid 2 (infinite timeout)
> wait4msg continue ld 0x1b7c160 msgid 2 all 1
> ** ld 0x1b7c160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:13 2014
>
>
> ** ld 0x1b7c160 Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1b7c160 request count 1 (abandoned 0)
> ** ld 0x1b7c160 Response Queue:
>    Empty
>   ld 0x1b7c160 response count 0
> ldap_chkResponseList ld 0x1b7c160 msgid 2 all 1
> ldap_chkResponseList returns ld 0x1b7c160 NULL
> ldap_int_select
> read1msg: ld 0x1b7c160 msgid 2 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 104 contents:
> read1msg: ld 0x1b7c160 msgid 2 message type bind
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x1b7c160 0 new referrals
> read1msg:  mark request completed, ld 0x1b7c160 msgid 2
> request done: ld 0x1b7c160 msgid 2
> res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: 
> AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_err2string
> ldap_bind: Invalid credentials (49)
>     additional info: 80090308: LdapErr: DSID-0C0903A9, comment: 
> AcceptSecurityContext error, data 52e, v1db1
> [root at se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx 
> -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
> ldap_create
> ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.194.55.48:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x1fe2160 msgid 1
> wait4msg ld 0x1fe2160 msgid 1 (infinite timeout)
> wait4msg continue ld 0x1fe2160 msgid 1 all 1
> ** ld 0x1fe2160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:19 2014
>
>
> ** ld 0x1fe2160 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1fe2160 request count 1 (abandoned 0)
> ** ld 0x1fe2160 Response Queue:
>    Empty
>   ld 0x1fe2160 response count 0
> ldap_chkResponseList ld 0x1fe2160 msgid 1 all 1
> ldap_chkResponseList returns ld 0x1fe2160 NULL
> ldap_int_select
> read1msg: ld 0x1fe2160 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> read1msg: ld 0x1fe2160 msgid 1 message type extended-result
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x1fe2160 0 new referrals
> read1msg:  mark request completed, ld 0x1fe2160 msgid 1
> request done: ld 0x1fe2160 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eAA) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' 
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
> TLS: loaded CA certificate file /etc/ipa/ca.crt.
> TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid
> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
> issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
> level: high, secret key bits: 128, total key bits: 128, cache hits: 0, 
> cache misses: 0, cache not reusable: 0
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush2: 65 bytes to sd 3
> ldap_result ld 0x1fe2160 msgid 2
> wait4msg ld 0x1fe2160 msgid 2 (infinite timeout)
> wait4msg continue ld 0x1fe2160 msgid 2 all 1
> ** ld 0x1fe2160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:23 2014
>
>
> ** ld 0x1fe2160 Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1fe2160 request count 1 (abandoned 0)
> ** ld 0x1fe2160 Response Queue:
>    Empty
>   ld 0x1fe2160 response count 0
> ldap_chkResponseList ld 0x1fe2160 msgid 2 all 1
> ldap_chkResponseList returns ld 0x1fe2160 NULL
> ldap_int_select
> read1msg: ld 0x1fe2160 msgid 2 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 16 contents:
> read1msg: ld 0x1fe2160 msgid 2 message type bind
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x1fe2160 0 new referrals
> read1msg:  mark request completed, ld 0x1fe2160 msgid 2
> request done: ld 0x1fe2160 msgid 2
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_search_ext
> put_filter: "objectclass=*"
> put_filter: default
> put_simple_filter: "objectclass=*"
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 85 bytes to sd 3
> ldap_result ld 0x1fe2160 msgid -1
> wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
> wait4msg continue ld 0x1fe2160 msgid -1 all 0
> ** ld 0x1fe2160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:23 2014
>
>
> ** ld 0x1fe2160 Outstanding Requests:
>  * msgid 3,  origid 3, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1fe2160 request count 1 (abandoned 0)
> ** ld 0x1fe2160 Response Queue:
>    Empty
>   ld 0x1fe2160 response count 0
> ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
> ldap_chkResponseList returns ld 0x1fe2160 NULL
> ldap_int_select
> read1msg: ld 0x1fe2160 msgid -1 all 0
> ber_get_next
> ber_get_next: tag 0x30 len 59 contents:
> read1msg: ld 0x1fe2160 msgid 3 message type search-entry
> ldap_get_dn_ber
> ber_scanf fmt ({ml{) ber:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> ber_scanf fmt ({xx) ber:
> ldap_get_attribute_ber
> ldap_msgfree
> ldap_result ld 0x1fe2160 msgid -1
> wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
> wait4msg continue ld 0x1fe2160 msgid -1 all 0
> ** ld 0x1fe2160 Connections:
> * host: qatestdc2.boingoqa.local  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Jan 31 23:59:23 2014
>
>
> ** ld 0x1fe2160 Outstanding Requests:
>  * msgid 3,  origid 3, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 0x1fe2160 request count 1 (abandoned 0)
> ** ld 0x1fe2160 Response Queue:
>    Empty
>   ld 0x1fe2160 response count 0
> ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
> ldap_chkResponseList returns ld 0x1fe2160 NULL
> read1msg: ld 0x1fe2160 msgid -1 all 0
> ber_get_next
> ber_get_next: tag 0x30 len 16 contents:
> read1msg: ld 0x1fe2160 msgid 3 message type search-result
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x1fe2160 0 new referrals
> read1msg:  mark request completed, ld 0x1fe2160 msgid 3
> request done: ld 0x1fe2160 msgid 3
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 3, msgid 3)
>
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 3
> ldap_free_connection: actually freed
>
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Friday, January 31, 2014 3:58 PM
> *To:* Todd Maugh; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] cant create winsync reolication
>
> On 01/31/2014 04:13 PM, Todd Maugh wrote:
>>
>> asked:   Can you provide your /etc/openldap/ldap.conf?
>>
>>
>> answer:
>>
>> /etc/openldap/ldap.conf
>> #File modified by ipa-client-install
>>
>> URI ldaps://se-idm-01.boingo.com
>> BASE dc=boingo,dc=com
>> TLS_CACERT /etc/ipa/ca.crt
>> TLS_CACERTDIR /etc/openldap/cacerts/
>> TLS_REQCERT allow
>
> This will allow errors where the hostname in the cert subject DN does 
> not match the IP address or vice versa.
>
> What happens if you set it to TLS_REQCERT demand?
>
> Or, if you don't want to touch this file (because it will probably 
> break other things), try this:
>
> LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ 
> ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b 
> "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
>
> If that works, then please provide the output of
>
> rpm -q 389-ds-base openldap nss
>
>> ping
>>
>>> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
>>> -8179:Peer's Certificate issuer is not recognized..
>>
>> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the 
>> IP address does not match.
>>
>> This is usually a problem, but perhaps you have set your ldap.conf to 
>> continue despite this problem?
>> PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
>> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 
>> ttl=124 time=0.559 ms
>> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 
>> ttl=124 time=0.660 ms
>> ^C
>> --- qatestdc2.boingoqa.local ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1070ms
>> rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms
>
> Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?
>
>>
>>
>>
>>
>>> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
>>> issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
>>> level: high, secret key bits: 128, total key bits: 128, cache hits: 
>>> 0, cache misses: 0, cache not reusable: 0
>>> Enter LDAP Password:
>>> ldap_sasl_bind
>>> ldap_send_initial_request
>>
>

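The two ldapsearch runs above differ only in the bind result: the first bind failed with LDAP result 49 and the AD diagnostic "AcceptSecurityContext error, data 52e", the second succeeded and the search returned the DN. The "data" field is the sub-code Active Directory attaches to a failed simple bind, and 52e is the wrong-password code (as opposed to 525 user not found, 533 disabled, 775 locked out, and so on). The following Python is an added example, not code from the thread or from FreeIPA: it decodes that diagnostic string and walks an `ldapsearch -d 1` log to summarise each bind attempt, so a bad password can be told apart from a lockout or a missing account without reading the whole trace. The sample log embedded in it is a constructed, condensed excerpt of the output posted above.

```python
import re
from typing import Optional

# Sub-codes AD returns in the "data NNN" field of a failed bind (hex).
# The Win32 code in front (80090308 = SEC_E_INVALID_TOKEN) is the same for
# all of them, so the "data" value is the part worth triaging.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password)",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(diag: str) -> Optional[dict]:
    """Decode an AD 'AcceptSecurityContext error' diagnostic string.

    Returns None when the string is not in AD's LdapErr format.
    """
    m = DIAG_RE.search(diag)
    if not m:
        return None
    data = int(m.group("data"), 16)
    return {
        "win32_error": m.group("win32").lower(),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


# Lines of interest in OpenLDAP client debug output (-d 1).
FLUSH_RE = re.compile(r"ber_flush2: (\d+) bytes to sd")
RESULT_RE = re.compile(r"res_errno: (\d+), res_error: <(.*?)>, res_matched:")


def triage_binds(debug_log: str) -> list:
    """Walk `ldapsearch -d 1` output and summarise every bind attempt.

    For each 'ldap_sasl_bind' the first ber_flush2 is the bind request
    (its size is DN + password + fixed BER overhead) and the following
    res_errno line is the server's bind result.
    """
    binds = []
    current = None
    for raw in debug_log.splitlines():
        line = raw.strip()
        if line == "ldap_sasl_bind":
            current = {"request_bytes": None, "errno": None, "error": "", "ad": None}
            binds.append(current)
            continue
        if current is None:
            continue
        if current["request_bytes"] is None:
            m = FLUSH_RE.match(line)
            if m:
                current["request_bytes"] = int(m.group(1))
                continue
        m = RESULT_RE.match(line)
        if m:
            current["errno"] = int(m.group(1))
            current["error"] = m.group(2)
            current["ad"] = parse_ad_bind_error(m.group(2))
            current = None  # this bind is complete; wait for the next one
    return binds


# Constructed excerpt of the two runs posted above (debug noise removed,
# the wrapped res_error line joined back onto one line).
SAMPLE_DEBUG_LOG = """\
ldap_sasl_bind
ldap_send_initial_request
ber_flush2: 66 bytes to sd 3
read1msg: ld 0x1b7c160 msgid 2 message type bind
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
ldap_bind: Invalid credentials (49)
ldap_sasl_bind
ldap_send_initial_request
ber_flush2: 65 bytes to sd 3
read1msg: ld 0x1fe2160 msgid 2 message type bind
res_errno: 0, res_error: <>, res_matched: <>
ldap_search_ext
"""

if __name__ == "__main__":
    for i, b in enumerate(triage_binds(SAMPLE_DEBUG_LOG), 1):
        verdict = b["ad"]["meaning"] if b["ad"] else "bind succeeded"
        print(f"bind {i}: request {b['request_bytes']} bytes, "
              f"result {b['errno']}: {verdict}")
```

Run against the excerpt, the first bind is reported as "invalid credentials (wrong password)" and the second as a success. The request sizes are also telling: both binds used the same DN, yet the first request was 66 bytes and the second 65, so the password typed at the first "Enter LDAP Password:" prompt was one character longer than the one that worked, which is consistent with a typo rather than with any certificate or name-resolution problem (the TLS verification lines are identical in both runs).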