[Freeipa-users] [freeipa] Issues with Winsync agreement

Rich Megginson rmeggins at redhat.com
Thu Mar 13 22:46:41 UTC 2014


On 03/13/2014 04:30 PM, Todd Maugh wrote:
> ok Rich thanks for all the help, I got the windows cert issue resolved 
> and now the replication agreement is working

Great!  Thanks for letting us know.

>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Thursday, March 13, 2014 2:04 PM
> *To:* Todd Maugh; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>
> On 03/13/2014 02:49 PM, Todd Maugh wrote:
>> I'm curious if the ldap.conf is wrong: heres what it looks like
>>
>> #File modified by ipa-client-install
>>
>> URI ldaps://idm-master-els.ops.boingo.com
>> BASE dc=ops,dc=boingo,dc=com
>> TLS_CACERT /etc/openldap/cacerts/
>
> This is wrong - TLS_CACERT should be a single _file_, containing one 
> or more CA certs, not a directory.  For a directory, use TLS_CACERTDIR.
>
>> TLS_REQCERT allow
>
> This tells ldapsearch et al. to warn but allow certificate validation 
> errors.
>
> Try the ldapsearch like this:
>
> [root at idm-master-els.ops.boingo.com ~]$ LDAPTLS_REQCERT=demand 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 
> -xLLLZZ -h adc13-els.bwinc.local -D 
> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXXX" -s base -b 
> "cn=Users,dc=bwinc,dc=local" "objectclass=*" dn
>
> But if that fails with the same error as below, that means you are not 
> using the correct CA cert for the CA that issued the Windows AD server 
> cert.
>
>>
>> ------------------------------------------------------------------------
>> *From:* Todd Maugh
>> *Sent:* Thursday, March 13, 2014 1:47 PM
>> *To:* Rich Megginson; freeipa-users at redhat.com
>> *Subject:* RE: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>
>> thank you Rich for all your help as I am inclined to think it's a cert 
>> issue as well
>>
>> so I ran the new command, and there are some lines that stick out to 
>> me in reference to the cert:
>>
>> [root at idm-master-els.ops.boingo.com ~]$ 
>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 
>> -xLLLZZ -h adc13-els.bwinc.local -D 
>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b 
>> "cn=Users,dc=bwinc,dc=local" "objectclass=*" dn
>> ldap_create
>> ldap_url_parse_ext(ldap://adc13-els.bwinc.local)
>> ldap_extended_operation_s
>> ldap_extended_operation
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP adc13-els.bwinc.local:389
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 172.22.170.13:389
>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>> ldap_open_defconn: successful
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush2: 31 bytes to sd 3
>> ldap_result ld 0x25c4210 msgid 1
>> wait4msg ld 0x25c4210 msgid 1 (infinite timeout)
>> wait4msg continue ld 0x25c4210 msgid 1 all 1
>> ** ld 0x25c4210 Connections:
>> * host: adc13-els.bwinc.local  port: 389 (default)
>>   refcnt: 2  status: Connected
>>   last used: Thu Mar 13 20:44:41 2014
>>
>>
>> ** ld 0x25c4210 Outstanding Requests:
>>  * msgid 1,  origid 1, status InProgress
>>    outstanding referrals 0, parent count 0
>>   ld 0x25c4210 request count 1 (abandoned 0)
>> ** ld 0x25c4210 Response Queue:
>>    Empty
>>   ld 0x25c4210 response count 0
>> ldap_chkResponseList ld 0x25c4210 msgid 1 all 1
>> ldap_chkResponseList returns ld 0x25c4210 NULL
>> ldap_int_select
>> read1msg: ld 0x25c4210 msgid 1 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 40 contents:
>> read1msg: ld 0x25c4210 msgid 1 message type extended-result
>> ber_scanf fmt ({eAA) ber:
>> read1msg: ld 0x25c4210 0 new referrals
>> read1msg:  mark request completed, ld 0x25c4210 msgid 1
>> request done: ld 0x25c4210 msgid 1
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 1, msgid 1)
>> ldap_parse_extended_result
>> ber_scanf fmt ({eAA) ber:
>> ber_scanf fmt (a) ber:
>> ldap_parse_result
>> ber_scanf fmt ({iAA) ber:
>> ber_scanf fmt (x) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> TLS: certdb config: configDir='/etc/dirsrv/slapd-OPS-BOINGO-COM' 
>> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
>> TLS: using moznss security dir /etc/dirsrv/slapd-OPS-BOINGO-COM prefix .
>> TLS: error: the certificate file /etc/openldap/cacerts/ is not a file.
>> TLS: /etc/openldap/cacerts/ is not a valid CA certificate file - 
>> error -5953:Cannot perform a normal file operation on a directory.
>> TLS: certificate [CN=ADC13-ELS.BWINC.local] is not valid - error 
>> -8179:Peer's Certificate issuer is not recognized..
>> TLS certificate verification: subject: CN=ADC13-ELS.BWINC.local, 
>> issuer: CN=BoingoWirelessCA,DC=BWINC,DC=local, cipher: AES-128, 
>> security level: high, secret key bits: 128, total key bits: 128, 
>> cache hits: 0, cache misses: 0, cache not reusable: 0
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({i) ber:
>> ber_flush2: 61 bytes to sd 3
>> ldap_result ld 0x25c4210 msgid 2
>> wait4msg ld 0x25c4210 msgid 2 (infinite timeout)
>> wait4msg continue ld 0x25c4210 msgid 2 all 1
>> ** ld 0x25c4210 Connections:
>> * host: adc13-els.bwinc.local  port: 389 (default)
>>   refcnt: 2  status: Connected
>>   last used: Thu Mar 13 20:44:41 2014
>>
>>
>> ** ld 0x25c4210 Outstanding Requests:
>>  * msgid 2,  origid 2, status InProgress
>>    outstanding referrals 0, parent count 0
>>   ld 0x25c4210 request count 1 (abandoned 0)
>> ** ld 0x25c4210 Response Queue:
>>    Empty
>>   ld 0x25c4210 response count 0
>> ldap_chkResponseList ld 0x25c4210 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x25c4210 NULL
>> ldap_int_select
>> read1msg: ld 0x25c4210 msgid 2 all 1
>> ber_get_next
>> ber_get_next: tag 0x30 len 16 contents:
>> read1msg: ld 0x25c4210 msgid 2 message type bind
>> ber_scanf fmt ({eAA) ber:
>> read1msg: ld 0x25c4210 0 new referrals
>> read1msg:  mark request completed, ld 0x25c4210 msgid 2
>> request done: ld 0x25c4210 msgid 2
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 2, msgid 2)
>> ldap_parse_result
>> ber_scanf fmt ({iAA) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> ldap_search_ext
>> put_filter: "objectclass=*"
>> put_filter: default
>> put_simple_filter: "objectclass=*"
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush2: 69 bytes to sd 3
>> ldap_result ld 0x25c4210 msgid -1
>> wait4msg ld 0x25c4210 msgid -1 (infinite timeout)
>> wait4msg continue ld 0x25c4210 msgid -1 all 0
>> ** ld 0x25c4210 Connections:
>> * host: adc13-els.bwinc.local  port: 389 (default)
>>   refcnt: 2  status: Connected
>>   last used: Thu Mar 13 20:44:41 2014
>>
>>
>> ** ld 0x25c4210 Outstanding Requests:
>>  * msgid 3,  origid 3, status InProgress
>>    outstanding referrals 0, parent count 0
>>   ld 0x25c4210 request count 1 (abandoned 0)
>> ** ld 0x25c4210 Response Queue:
>>    Empty
>>   ld 0x25c4210 response count 0
>> ldap_chkResponseList ld 0x25c4210 msgid -1 all 0
>> ldap_chkResponseList returns ld 0x25c4210 NULL
>> ldap_int_select
>> read1msg: ld 0x25c4210 msgid -1 all 0
>> ber_get_next
>> ber_get_next: tag 0x30 len 43 contents:
>> read1msg: ld 0x25c4210 msgid 3 message type search-entry
>> ldap_get_dn_ber
>> ber_scanf fmt ({ml{) ber:
>> dn: cn=Users,dc=bwinc,dc=local
>> ber_scanf fmt ({xx) ber:
>> ldap_get_attribute_ber
>> ldap_msgfree
>> ldap_result ld 0x25c4210 msgid -1
>> wait4msg ld 0x25c4210 msgid -1 (infinite timeout)
>> wait4msg continue ld 0x25c4210 msgid -1 all 0
>> ** ld 0x25c4210 Connections:
>> * host: adc13-els.bwinc.local  port: 389 (default)
>>   refcnt: 2  status: Connected
>>   last used: Thu Mar 13 20:44:41 2014
>>
>>
>> ** ld 0x25c4210 Outstanding Requests:
>>  * msgid 3,  origid 3, status InProgress
>>    outstanding referrals 0, parent count 0
>>   ld 0x25c4210 request count 1 (abandoned 0)
>> ** ld 0x25c4210 Response Queue:
>>    Empty
>>   ld 0x25c4210 response count 0
>> ldap_chkResponseList ld 0x25c4210 msgid -1 all 0
>> ldap_chkResponseList returns ld 0x25c4210 NULL
>> read1msg: ld 0x25c4210 msgid -1 all 0
>> ber_get_next
>> ber_get_next: tag 0x30 len 16 contents:
>> read1msg: ld 0x25c4210 msgid 3 message type search-result
>> ber_scanf fmt ({eAA) ber:
>> read1msg: ld 0x25c4210 0 new referrals
>> read1msg:  mark request completed, ld 0x25c4210 msgid 3
>> request done: ld 0x25c4210 msgid 3
>> res_errno: 0, res_error: <>, res_matched: <>
>> ldap_free_request (origid 3, msgid 3)
>>
>> ldap_parse_result
>> ber_scanf fmt ({iAA) ber:
>> ber_scanf fmt (}) ber:
>> ldap_msgfree
>> ldap_free_connection 1 1
>> ldap_send_unbind
>> ber_flush2: 7 bytes to sd 3
>> ldap_free_connection: actually freed
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Thursday, March 13, 2014 1:29 PM
>> *To:* Todd Maugh; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>
>> On 03/13/2014 01:58 PM, Todd Maugh wrote:
>>> I believe they are.
>>>
>>> so here is the output of the log. It was showing those errors, I 
>>> deleted the winsync agreement and then restarted ipa and then 
>>> re-added the winsync and the errors returned. Could this be a cert issue?
>>>
>>> [13/Mar/2014:19:48:20 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:48:44 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:49:32 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:51:08 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>>
>>> here I removed the winsync agreement: ipa-replica-manage del 
>>> adc13-els.bwinc.local
>>> then restarted ipa
>>>
>>> ipactl restart
>>>
>>> [13/Mar/2014:19:51:50 +0000] NSMMReplicationPlugin - agmt_delete: begin
>>> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - signaling 
>>> operation threads
>>> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - waiting for 29 
>>> threads to terminate
>>> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - closing down 
>>> internal subsystems and plugins
>>> [13/Mar/2014:19:51:59 +0000] - Waiting for 4 database threads to stop
>>> [13/Mar/2014:19:51:59 +0000] - All database threads now stopped
>>> [13/Mar/2014:19:51:59 +0000] - slapd stopped.
>>> [13/Mar/2014:19:52:14 +0000] - 389-Directory/1.2.11.15 
>>> B2013.337.1530 starting up
>>> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
>>> entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
>>> entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
>>> entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password 
>>> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
>>> which should be added before the CoS Definition.
>>> [13/Mar/2014:19:52:14 +0000] set_krb5_creds - Could not get initial 
>>> credentials for principal 
>>> [ldap/idm-master-els.ops.boingo.com at OPS.BOINGO.COM] in keytab 
>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>>> [13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password 
>>> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
>>> which should be added before the CoS Definition.
>>> [13/Mar/2014:19:52:14 +0000] slapd_ldap_sasl_interactive_bind - 
>>> Error: could not perform interactive bind for id [] mech [GSSAPI]: 
>>> LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI 
>>> Error: Unspecified GSS failure.  Minor code may provide more 
>>> information (Credentials cache file '/tmp/krb5cc_495' not found)) 
>>> errno 0 (Success)
>>> [13/Mar/2014:19:52:14 +0000] slapi_ldap_bind - Error: could not 
>>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [13/Mar/2014:19:52:14 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): 
>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local 
>>> error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
>>> failure.  Minor code may provide more information (Credentials cache 
>>> file '/tmp/krb5cc_495' not found))
>>> [13/Mar/2014:19:52:14 +0000] - slapd started.  Listening on All 
>>> Interfaces port 389 for LDAP requests
>>> [13/Mar/2014:19:52:14 +0000] - Listening on All Interfaces port 636 
>>> for LDAPS requests
>>> [13/Mar/2014:19:52:14 +0000] - Listening on 
>>> /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
>>> [13/Mar/2014:19:52:18 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): 
>>> Replication bind with GSSAPI auth resumed
>>>
>>> here I added the winsync agreement again
>>>
>>> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - signaling 
>>> operation threads
>>> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - waiting for 30 
>>> threads to terminate
>>> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - closing down 
>>> internal subsystems and plugins
>>> [13/Mar/2014:19:53:16 +0000] - Waiting for 4 database threads to stop
>>> [13/Mar/2014:19:53:16 +0000] - All database threads now stopped
>>> [13/Mar/2014:19:53:16 +0000] - slapd stopped.
>>> [13/Mar/2014:19:53:20 +0000] - 389-Directory/1.2.11.15 
>>> B2013.337.1530 starting up
>>> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
>>> entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
>>> entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
>>> entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
>>> [13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password 
>>> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
>>> which should be added before the CoS Definition.
>>> [13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password 
>>> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
>>> which should be added before the CoS Definition.
>>> [13/Mar/2014:19:53:20 +0000] - slapd started.  Listening on All 
>>> Interfaces port 389 for LDAP requests
>>> [13/Mar/2014:19:53:20 +0000] - Listening on All Interfaces port 636 
>>> for LDAPS requests
>>> [13/Mar/2014:19:53:20 +0000] - Listening on 
>>> /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
>>> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:53:22 +0000] NSMMReplicationPlugin - 
>>> agmt="cn=meToadc13-els.bwinc.local" (adc13-els:389): Replication 
>>> bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS 
>>> error -8179:Peer's Certificate issuer is not recognized.)
>>
>> This seems like a cert issue.  "Peer's" = the AD server; "Certificate 
>> issuer" = the CA that issued the AD server cert; "is not recognized" = IdM 
>> has no knowledge of the CA cert.
>>
>> But you verified that ldapsearch was working? LDAPTLS_CACERTDIR tells 
>> ldapsearch to use /etc/dirsrv/slapd-OPS-BOINGO-COM, which is the same 
>> as winsync is using.
>>
>> Try doing the ldapsearch again, like this:
>>
>> [root at idm-master-els.ops.boingo.com cacerts]$ 
>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 
>> -xLLLZZ -h adc13-els.bwinc.local -D 
>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"  -s base -b 
>> "cn=Users,dc=bwinc,dc=local" "objectclass=*" dn
>>
>> The -d 1 will make it spew debugging information.  Perhaps ldapsearch 
>> is picking up some option from /etc/openldap/ldap.conf or ~/.ldaprc 
>> which tells it to ignore certificate verification.
>>
>>> [13/Mar/2014:19:53:22 +0000] - Entry 
>>> "cn=meToadc13-els.bwinc.local,cn=replica,cn=dc\3Dops\2Cdc\3Dboingo\2Cdc\3Dcom,cn=mapping 
>>> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not 
>>> allowed
>>> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>> [13/Mar/2014:19:53:25 +0000] slapi_ldap_bind - Error: could not send 
>>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Thursday, March 13, 2014 12:05 PM
>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>
>>> On 03/13/2014 12:50 PM, Todd Maugh wrote:
>>>> Ok the error I see repeated in the log is
>>>>
>>>> [13/Mar/2014:18:41:21 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:43:11 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:43:14 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:43:20 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:43:32 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:43:56 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:44:30 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -1 (Can't contact LDAP server) errno 0 
>>>> (Success)
>>>> [13/Mar/2014:18:44:33 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:44:44 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:46:20 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:47:29 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:47:32 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:47:38 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:47:50 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:48:11 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:48:14 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:48:20 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:48:32 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [13/Mar/2014:18:48:56 +0000] slapi_ldap_bind - Error: could not 
>>>> send startTLS request: error -11 (Connect error) errno 0 (Success)
>>>> [root at idm-master-els.ops.boingo.com cacerts]$
>>>
>>> Are all of these associated with the winsync agreement?
>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Thursday, March 13, 2014 11:43 AM
>>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>>
>>>> On 03/13/2014 12:29 PM, Todd Maugh wrote:
>>>>> ok so I ran that and get this output
>>>>
>>>> Ok.  Next, take a look at /var/log/dirsrv/slapd-OPS-BOINGO-COM/errors
>>>>
>>>>>
>>>>>
>>>>> [root at idm-master-els.ops.boingo.com cacerts]$ 
>>>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch 
>>>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"  -s base -b 
>>>>> "cn=Users,dc=bwinc,dc=local"
>>>>> dn: cn=Users,dc=bwinc,dc=local
>>>>> objectClass: top
>>>>> objectClass: container
>>>>> cn: Users
>>>>> description: Default container for upgraded user accounts
>>>>> distinguishedName: CN=Users,DC=BWINC,DC=local
>>>>> instanceType: 4
>>>>> whenCreated: 20060824234034.0Z
>>>>> whenChanged: 20140306190741.0Z
>>>>> uSNCreated: 17702
>>>>> uSNChanged: 17702
>>>>> showInAdvancedViewOnly: FALSE
>>>>> name: Users
>>>>> objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
>>>>> systemFlags: -1946157056
>>>>> objectCategory: 
>>>>> CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
>>>>> isCriticalSystemObject: TRUE
>>>>> dSCorePropagationData: 20140306234416.0Z
>>>>> dSCorePropagationData: 20140306234348.0Z
>>>>> dSCorePropagationData: 20140306225101.0Z
>>>>> dSCorePropagationData: 20140306225055.0Z
>>>>> dSCorePropagationData: 16010101000000.0Z
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>> *Sent:* Wednesday, March 12, 2014 3:47 PM
>>>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>>>
>>>>> On 03/12/2014 04:39 PM, Todd Maugh wrote:
>>>>>> thanks Rich,
>>>>>>
>>>>>> when I run that I get the following:
>>>>>>
>>>>>>
>>>>>> [root at idm-master-els.ops.boingo.com ipa]$ 
>>>>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch 
>>>>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>>>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b 
>>>>>> "cn=Users,dc=bwinc,dc=local"
>>>>>> ldap_bind: Invalid credentials (49)
>>>>>
>>>>> Invalid credentials almost always means your password "XXXXXX" is 
>>>>> not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
>>>>>
>>>>>> additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
>>>>>> AcceptSecurityContext error, data 52e, v2580
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>> *Sent:* Wednesday, March 12, 2014 3:30 PM
>>>>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync 
>>>>>> agreement
>>>>>>
>>>>>> On 03/12/2014 04:18 PM, Todd Maugh wrote:
>>>>>>> Hello.
>>>>>>>
>>>>>>> I'm using latest IPA build on red hat 6.5
>>>>>>>
>>>>>>> I retrieved my CA cert from the AD Domain controller
>>>>>>>
>>>>>>> I try to set up my winsync agreement and I am getting this
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [root at idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage 
>>>>>>> connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, 
>>>>>>> dc=local" --bindpw "XXXXXX" --passsync "XXXXXX" 
>>>>>>> --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer 
>>>>>>> adc13-els.bwinc.local
>>>>>>> Directory Manager password:
>>>>>>>
>>>>>>> Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to 
>>>>>>> certificate database for idm-master-els.ops.boingo.com
>>>>>>> ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
>>>>>>> ipa: INFO: The error was: {'info': '80090308: LdapErr: 
>>>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, 
>>>>>>> v2580', 'desc': 'Invalid credentials'}
>>>>>>> Failed to setup winsync replication
>>>>>>>
>>>>>>>
>>>>>>> not sure where to look for the logs for this to see what the 
>>>>>>> invalid credentials are or whether this might still be a cert 
>>>>>>> issue or a login issue or what not?
>>>>>>
>>>>>> You can test with ldapsearch like this:
>>>>>>
>>>>>> $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch 
>>>>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>>>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b 
>>>>>> "cn=Users,dc=bwinc,dc=local"
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks in advance for the help
>>>>>>>
>>>>>>> -Todd
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>
>>>>
>>>
>>
>
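
An added checker for the two ldap.conf problems diagnosed in this thread (TLS_CACERT pointing at a directory instead of a file, and TLS_REQCERT set to allow so verification errors are only warned about), plus a filter that pulls the TLS error lines out of an `ldapsearch -d 1` trace. This is example code written for this archive page, not part of FreeIPA or OpenLDAP; the ldap.conf text and the trace excerpt are constructed, and `demo()` uses a temporary directory in place of /etc/openldap/cacerts/.

```python
import os
import re
import tempfile

# TLS_REQCERT values (ldap.conf(5)) that let a session continue even when the
# peer certificate fails verification; 'demand' (the default) and 'hard' abort
# the connection instead, which is what a replication partner needs.
WEAK_REQCERT = {"never", "allow"}

# Constructed excerpt modelled on the `ldapsearch -d 1` trace in the thread.
SAMPLE_TRACE = """\
TLS: certdb config: configDir='/etc/dirsrv/slapd-EXAMPLE' tokenDescription='ldap(0)'
TLS: error: the certificate file /etc/openldap/cacerts/ is not a file.
TLS: /etc/openldap/cacerts/ is not a valid CA certificate file - error -5953:Cannot perform a normal file operation on a directory.
TLS: certificate [CN=ad.example.test] is not valid - error -8179:Peer's Certificate issuer is not recognized..
ldap_sasl_bind
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; names are case-insensitive, '#' comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text):
    """Return findings about the TLS trust settings; an empty list means they look sane."""
    settings = parse_ldap_conf(text)
    findings = []
    cacert = settings.get("TLS_CACERT")
    cadir = settings.get("TLS_CACERTDIR")
    if cacert is not None:
        if os.path.isdir(cacert):
            findings.append(f"TLS_CACERT {cacert} is a directory; it must be a single file "
                            "holding one or more CA certs (use TLS_CACERTDIR for a directory)")
        elif not os.path.isfile(cacert):
            findings.append(f"TLS_CACERT {cacert} does not exist")
    if cadir is not None and not os.path.isdir(cadir):
        findings.append(f"TLS_CACERTDIR {cadir} is not a directory")
    if cacert is None and cadir is None:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the peer certificate cannot be "
                        "checked against any trusted CA")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert} only warns on certificate verification "
                        "errors; set it to demand so a bad cert fails the connection")
    return findings


TLS_ERROR_RE = re.compile(r"^TLS: .*\berror\b")


def tls_errors(debug_output):
    """Pull the 'TLS: ... error ...' lines out of an `ldapsearch -d 1` trace."""
    return [line.strip() for line in debug_output.splitlines()
            if TLS_ERROR_RE.match(line.strip())]


def demo():
    """Audit a constructed copy of the thread's ldap.conf, then a corrected one."""
    with tempfile.TemporaryDirectory() as cacerts:  # stands in for /etc/openldap/cacerts/
        broken = ("#File modified by ipa-client-install\n"
                  "URI ldaps://idm.example.test\n"
                  f"TLS_CACERT {cacerts}/\n"  # a directory, not a file
                  "TLS_REQCERT allow\n")
        ca_file = os.path.join(cacerts, "ad-ca.pem")
        with open(ca_file, "w") as fh:  # constructed placeholder, not a real certificate
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        fixed = f"TLS_CACERT {ca_file}\nTLS_REQCERT demand\n"
        return audit_ldap_conf(broken), audit_ldap_conf(fixed)


if __name__ == "__main__":
    print(*demo()[0], *tls_errors(SAMPLE_TRACE), sep="\n")
```

With the corrected file and `TLS_REQCERT demand` (or `LDAPTLS_REQCERT=demand` on the ldapsearch command line), a CA mismatch shows up as a failed connection rather than a warning buried in the trace.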
