[Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

Rich Megginson rmeggins at redhat.com
Fri May 15 20:49:31 UTC 2015


On 05/15/2015 02:44 PM, nathan at nathanpeters.com wrote:
>> On 05/14/2015 11:33 PM, nathan at nathanpeters.com wrote:
>>>>> [root at ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>>>>> supersecretpassword --passsync supersecretpassword --cacert
>>>>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>>> Directory Manager password:
>>>>>
>>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to
>>>>> certificate
>>>>> database for ipadc1.ipadomain.net
>>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>>> The user for the Windows PassSync service is
>>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>>> Windows PassSync system account exists, not resetting password
>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP
>>>>> error: Connect error: start: 0: end: 0
>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>> Starting replication, please wait until this has completed.
>>>>>
>>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11  - LDAP
>>>>> error:
>>>>> Connect error]
>>>> Have you tried using ldapsearch to verify the connection?
>>>>
>>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ
>>>> -h
>>>> addc2.test.mycompany.net -D "cn=ad
>>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>>> "objectclass=*"
>>>>
>>>> and/or
>>>>
>>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer  ldapsearch -xLLL
>>>> -ZZ -h addc2.test.mycompany.net -D "cn=ad
>>>> sync,cn=Users,dc=test,dc=mycompany,dc=net" -w
>>>> "supersecretpassword" -s base -b "cn=Users,dc=test,dc=mycompany,dc=net"
>>>> "objectclass=*"
>>>>
>>> Both commands give the same successful result.  I don't think it's a
>>> problem with the credentials because I was able to generate different
>>> error messages during the attempted sync setup if I intentionally gave a
>>> bad password or username.
>> Ok.  Have you tried enabling the replication log level?
>>
>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>>
> After doing that and poking around in
> /var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this :
>
> [15/May/2015:20:27:17 +0000] slapi_ldap_bind - Error: could not send
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [15/May/2015:20:27:17 +0000] NSMMReplicationPlugin - windows sync -
> agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with
> SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's
> Certificate issuer is not recognized.)
>
> So it's complaining that it doesn't recognize the certificate that was
> signed by my AD certificate authority as suggested in here :
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req
>
> I copied the certificate

Which certificate?  The CA cert or the server cert?  You need the CA 
cert, not the server cert.

> to my server though and created the hashes just
> like the manual said.

"created the hashes"?  There is nothing in

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req

about creating any hashes.

>
> The only issue I had was the directions here :
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
> tell you to go to my network places but that didn't exist on my server.  I
> did it through start menu -> administrative tools -> certification
> authority.  The rest of double clicking on the cert and going to the
> details tab and copy to file was the same though.

Was it the CA cert or the server cert?  You need the CA cert, not the 
server cert.

>
> So how do I get FreeIPA to not choke up on the self signed cert?
>
