[Freeipa-users] can't create winsync replication

Rich Megginson rmeggins at redhat.com
Fri Jan 31 23:58:16 UTC 2014


On 01/31/2014 04:13 PM, Todd Maugh wrote:
>
> asked:   Can you provide your /etc/openldap/ldap.conf?
>
>
> answer:
>
> /etc/openldap/ldap.conf
> #File modified by ipa-client-install
>
> URI ldaps://se-idm-01.boingo.com
> BASE dc=boingo,dc=com
> TLS_CACERT /etc/ipa/ca.crt
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow

This will allow errors where the hostname in the cert subject DN does 
not match the IP address or vice versa.

What happens if you set it to TLS_REQCERT demand?

Or, if you don't want to touch this file (because it will probably break 
other things), try this:

LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ 
ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

If that works, then please provide the output of

rpm -q 389-ds-base openldap nss

> ping
>
>> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error 
>> -8179:Peer's Certificate issuer is not recognized..
>
> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP 
> address does not match.
>
> This is usually a problem, but perhaps you have set your ldap.conf to 
> continue despite this problem?
> PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 
> ttl=124 time=0.559 ms
> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 
> ttl=124 time=0.660 ms
> ^C
> --- qatestdc2.boingoqa.local ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1070ms
> rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?

>
>
>
>
>> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, 
>> issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security 
>> level: high, secret key bits: 128, total key bits: 128, cache hits: 
>> 0, cache misses: 0, cache not reusable: 0
>> Enter LDAP Password:
>> ldap_sasl_bind
>> ldap_send_initial_request
>
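
As an added example (not code from the thread or from the FreeIPA/389-ds projects), the following Python script audits the client TLS settings quoted above and explains the `-8179` line from the `ldapsearch -d 1` output. The ldap.conf text and the debug line are constructed from the values quoted in the thread; the verdict for each `TLS_REQCERT` value follows ldap.conf(5), the `LDAP<option>` environment override is the one Rich uses in his suggested command, and the NSS error codes besides `-8179` are taken from the NSS error table, not from the thread.

```python
"""Audit OpenLDAP client TLS settings and explain a TLS failure from
'ldapsearch -d 1' output.

Added example, not from the mailing-list thread. Inputs below are constructed
from values quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# What each TLS_REQCERT value does, per ldap.conf(5). 'demand' is the default.
REQCERT_BEHAVIOUR = {
    "never": ("weak", "server certificate is neither requested nor checked"),
    "allow": ("weak", "a missing or invalid server certificate is ignored and the session continues"),
    "try": ("weak", "a missing certificate is tolerated; only an invalid one aborts"),
    "demand": ("strict", "a missing or invalid server certificate aborts the session"),
    "hard": ("strict", "same as demand"),
}

# NSS error codes that show up in 'TLS: certificate [...] is not valid - error N:' lines.
# -8179 is the one quoted in the thread; the others come from the NSS error table.
NSS_ERRORS = {
    -8179: "issuer of the server certificate is not in TLS_CACERT/TLS_CACERTDIR (SEC_ERROR_UNKNOWN_ISSUER)",
    -8181: "server certificate has expired (SEC_ERROR_EXPIRED_CERTIFICATE)",
    -12276: "hostname in the URI does not match the certificate (SSL_ERROR_BAD_CERT_DOMAIN)",
}

# Constructed sample: the ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """\
# File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""

# Constructed sample: the debug line quoted in the thread.
SAMPLE_DEBUG_LINE = ("TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - "
                     "error -8179:Peer's Certificate issuer is not recognized..")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'OPTION value' lines; comments and blanks are skipped, option names upper-cased."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].upper()] = parts[1].strip()
    return cfg


def effective_setting(cfg: Dict[str, str], option: str, env: Dict[str, str]) -> Optional[str]:
    """ldap.conf(5): an environment variable LDAP<option> overrides the file (e.g. LDAPTLS_REQCERT)."""
    return env.get("LDAP" + option, cfg.get(option))


def audit(conf_text: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings; the first entry is always the effective TLS_REQCERT verdict."""
    env = env or {}
    cfg = parse_ldap_conf(conf_text)
    findings: List[str] = []

    reqcert = (effective_setting(cfg, "TLS_REQCERT", env) or "demand").lower()
    level, meaning = REQCERT_BEHAVIOUR.get(reqcert, ("weak", "unrecognised value"))
    findings.append(f"TLS_REQCERT={reqcert} [{level}]: {meaning}")

    if (effective_setting(cfg, "TLS_CACERT", env) is None
            and effective_setting(cfg, "TLS_CACERTDIR", env) is None):
        findings.append("no CA store configured [weak]: no issuer can be recognised")

    for uri in (effective_setting(cfg, "URI", env) or "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"{uri} [info]: plaintext unless StartTLS is forced (ldapsearch -ZZ)")
    return findings


ERROR_RE = re.compile(r"error\s*(-\d+):")


def explain_tls_error(debug_line: str) -> Optional[str]:
    """Map the NSS error code in an 'ldapsearch -d 1' TLS line to a plain explanation."""
    m = ERROR_RE.search(debug_line)
    if not m:
        return None
    code = int(m.group(1))
    return NSS_ERRORS.get(code, f"NSS error {code}: not in this table")


if __name__ == "__main__":
    for line in audit(SAMPLE_LDAP_CONF):
        print(line)
    print("with LDAPTLS_REQCERT=demand:", audit(SAMPLE_LDAP_CONF, {"LDAPTLS_REQCERT": "demand"})[0])
    print("debug line:", explain_tls_error(SAMPLE_DEBUG_LINE))
```

Run on the quoted ldap.conf, the first finding flags `TLS_REQCERT allow` as weak, which is why the unknown-issuer error is logged but the bind still goes ahead; with `LDAPTLS_REQCERT=demand` in the environment the verdict flips to strict without editing the file, which is the point of Rich's one-off `ldapsearch` command. The `-8179` explanation says the CA that signed the DC's certificate (the `SKYWARPCA` issuer in the quoted output) is not in the configured CA store, so the fix is to import that issuer into the store rather than to relax the check.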
