<div dir="ltr"><div>When I try to run this command I am getting this error:</div>
<div> </div>
<div>[root@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h <a href="http://sbtaddc001.bmitest.com">sbtaddc001.bmitest.com</a> -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"<br>
</div>
<div>ldap_simple_bind: Invalid credentials<br>ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771<br></div>
<div><br><br> </div>
<div class="gmail_quote">On Tue, Mar 9, 2010 at 6:16 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Please keep replies on list<br><br>Shan Kumaraswamy wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Rich,<br> Does a reverse DNS lookup on the IP address return that hostname? -Yes<br> Is Active Directory configured to use/listen to SSL? -Yes, Active Directory Cert Auth is installed, and the cert was exported and verified.<br>
<br> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA cert of the windows CA? -yes "Imported CA cert"<br><br>certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It is listing the installed cert.<br>I am trying to create a sync agreement from the IPA server using the following syntax:<br>
</div> ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer <a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a> -v
<div class="im"><br> Please correct me where I am going wrong.<br></div></blockquote>
<div class="im">ldap_simple_bind: Can't contact LDAP server<br> SSL error -5961 (TCP connection reset by peer.)<br><br></div>This usually indicates some low level error. Let's try this:<br>/usr/lib64/mozldap/ldapsearch -h <a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a> -D "CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b "" "objectclass=*"<br>
<br>Does that work?<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im"> <br><br><br>On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>> wrote:<br>
<br> Shan Kumaraswamy wrote:<br><br></div>
<div class="im"> Hi Rich,<br><br> Sorry for the delayed reply. After I executed your command I am<br> getting the following error from my directory server. Please<br> help me to resolve this error.<br>
<br> [root@sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h<br></div> <a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a> -p 636 -Z -P
<div class="im"><br> /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D<br> CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s<br> base -b "" "objectclass=*"<br><br> ldap_simple_bind: Can't contact LDAP server<br>
SSL error -5961 (TCP connection reset by peer.)<br><br></div> Is <a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a><br>
<div class="im"><br> the real, registered DNS address for the Active Directory server?<br> On both the linux machine and the windows machine?<br> Does a reverse DNS lookup on the IP address return that hostname?<br>
Is Active Directory configured to use/listen to SSL?<br> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain<br> the CA cert of the windows CA?<br> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM<br><br>
<br><br> On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson<br> <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>><br>
</div>
<div>
<div></div>
<div class="h5"> wrote:<br>
<br> Shan Kumaraswamy wrote:<br><br> Dear All,<br> I am facing the AD Sync issue with FreeIPA to Active<br> Directory, and as per the redhat-ds doc I have done all the<br> settings from AD front. Please help me to resolve this<br>
issue.<br> And find the below error message:<br> [root@sbttipa001 ~]# ipa-replica-manage add --winsync<br> --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw<br> secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer<br>
<a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a> -v --passsync bmi.123<br><br> Directory Manager password:<br> INFO:root:Shutting down dirsrv:<br>
BMITEST-COM... [ OK ]<br> INFO:root:<br> INFO:root:<br> INFO:root:<br> INFO:root:Starting dirsrv:<br> BMITEST-COM... [ OK ]<br>
INFO:root:<br> INFO:root:Added CA certificate<br> /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate<br> database for <a href="http://sbttipa001.bmitest.com/" target="_blank">sbttipa001.bmitest.com</a><br>
<br> INFO:root:Restarted directory server<br> <a href="http://sbttipa001.bmitest.com/" target="_blank">sbttipa001.bmitest.com</a><br>
<br> INFO:root:Could not validate connection to remote server<br> <a href="http://sbtaddc001.bmitest.com:636/" target="_blank">sbtaddc001.bmitest.com:636</a> - continuing<br>
<br> INFO:root:The error was: {'info': 'error:14090086:SSL<br> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify<br> failed', 'desc ': "Can't contact LDAP server"}<br>
The user for the Windows PassSync service is<br> uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com<br> Windows PassSync entry exists, not resetting password<br> INFO:root:Added new sync agreement, waiting for it to<br>
become<br> ready . . .<br> INFO:root:Replication Update in progress: FALSE:<br> status: 49 -<br> LDAP error: Invalid credentials: start: 0: end: 0<br> INFO:root:Agreement is ready, starting replication . . .<br>
Starting replication, please wait until this has completed.<br> [<a href="http://sbttipa001.bmitest.com/" target="_blank">sbttipa001.bmitest.com</a>] reports: Update failed!<br> Status: [49 - LDAP error: Invalid credentials]<br> INFO:root:Added agreement for other host<br>
<a href="http://sbtaddc001.bmitest.com/" target="_blank">sbtaddc001.bmitest.com</a><br><br><br> Error 49 usually means the password is not correct. You<br> can use<br> mozldap ldapsearch to test the connection like this:<br>
<br> /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P<br> /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D<br> CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s<br> base -b ""<br>
"objectclass=*"<br><br> -- Thanks & Regards<br> Shan Kumaraswamy<br><br> ------------------------------------------------------------------------<br>
<br> _______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br><br>
</div></div></blockquote><br></blockquote></div><br><br clear="all"><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br>
<br></div>
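A small triage helper, added here and not part of the thread or of FreeIPA, that parses the Active Directory "AcceptSecurityContext error, data 52e" diagnostic from the plain-port ldapsearch above and separates it from the earlier transport/TLS failures (SSL error -5961, certificate verify failed): once the bind reaches AD and is rejected with a data sub-code, the certificate path is no longer the problem and only the bind DN or password remains. The sample lines are constructed from the messages in this thread; the sub-code table is the standard set AD returns for simple-bind failures.

```python
import re

# Constructed sample lines modelled on the ldapsearch output in this thread.
SAMPLE_ERRORS = [
    "ldap_simple_bind: Invalid credentials",
    "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, "
    "comment: AcceptSecurityContext error, data 52e, v1771",
    "ldap_simple_bind: Can't contact LDAP server",
    "SSL error -5961 (TCP connection reset by peer.)",
]

# Sub-codes AD appends after "data" when a simple bind is rejected.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

AD_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-f]+), v(?P<version>[0-9a-f]+)"
)


def parse_ad_bind_error(line):
    """Return the fields of an AD extended bind error, or None if the line is not one."""
    m = AD_ERR_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "unknown sub-code")
    return info


def classify(line):
    """Say which layer failed: AD rejected the bind, TLS broke, or no session at all."""
    parsed = parse_ad_bind_error(line)
    if parsed:
        return "bind rejected by AD: " + parsed["meaning"]
    if "SSL error" in line or "certificate verify failed" in line:
        return "TLS layer: fix the CA cert or hostname before testing credentials"
    if "Can't contact LDAP server" in line:
        return "transport: no LDAP session was established"
    if "Invalid credentials" in line:
        return "bind rejected (no AD sub-code on this line)"
    return "unclassified"
```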