<div dir="ltr"><div>Hi Rich,</div>
<div>Finally I imported the right CA into the IPA box, now I am getting this error while executing the sync command:</div>
<div><br>INFO:root:<br>INFO:root:<br>INFO:root:<br>INFO:root:Starting dirsrv:<br> MYDOMAIN-COM... [ OK ]</div>
<div>INFO:root:<br>INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for <a href="http://saprhds001.mydomain.com">saprhds001.mydomain.com</a><br>INFO:root:Restarted directory server <a href="http://saprhds001.mydomain.com">saprhds001.mydomain.com</a><br>
INFO:root:Could not validate connection to remote server <a href="http://sbpaddc003.mydomain.ad:636">sbpaddc003.mydomain.ad:636</a> - continuing<br>INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}<br>
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com<br>Windows PassSync entry exists, not resetting password<br>INFO:root:Added new sync agreement, waiting for it to become ready . . .<br>
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z<br>INFO:root:Agreement is ready, starting replication . . .<br>Starting replication, please wait until this has completed.<br>
Update succeeded<br>INFO:root:Added agreement for other host <a href="http://sbpaddc003.corp.mydomain.ad">sbpaddc003.corp.mydomain.ad</a></div>
<div>Please advise.<br><br></div>
<div class="gmail_quote">On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Shan Kumaraswamy wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Hi Rich,<br>While executing your command (ldapsearch), I am getting the following output:<br> _Command:_<br>/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"<br>
_Output:_<br>ldap_search: Can't contact LDAP server<br> SSL error -8179 (Peer's Certificate issuer is not recognized.)<br>_Command:_<br>LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""<br>
_Output:_<br></div> [root@saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h <a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">sbpaddc003.corp.mydomain.ad</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://sbpaddc003.corp.mydomain.ad</a>> -p 389 -Z -s base -b ""<br>
ldap_create<br>ldap_url_parse_ext(ldap://<a href="http://sbpaddc003.corp.mydomain.ad:389/" target="_blank">sbpaddc003.corp.mydomain.ad:389</a> <ldap://<a href="http://sbpaddc003.corp.mydomain.ad:389/" target="_blank">sbpaddc003.corp.mydomain.ad:389/</a>>)
<div class="im"><br>ldap_extended_operation_s<br>ldap_extended_operation<br>ldap_send_initial_request<br>ldap_new_connection 1 1 0<br>ldap_int_open_connection<br></div>ldap_connect_to_host: TCP <a href="http://sbpaddc003.corp.mydomain.ad:389/" target="_blank">sbpaddc003.corp.mydomain.ad:389</a> <<a href="http://sbpaddc003.corp.mydomain.ad:389/" target="_blank">http://sbpaddc003.corp.mydomain.ad:389</a>>
<div class="im"><br>ldap_new_socket: 3<br>ldap_prepare_socket: 3<br></div>ldap_connect_to_host: Trying <a href="http://10.8.27.22:389/" target="_blank">10.8.27.22:389</a> <<a href="http://10.8.27.22:389/" target="_blank">http://10.8.27.22:389</a>>
<div class="im"><br>ldap_connect_timeout: fd: 3 tm: -1 async: 0<br>ldap_open_defconn: successful<br>ldap_send_server_request<br>ber_scanf fmt ({it) ber:<br>ber_scanf fmt ({) ber:<br>ber_flush: 31 bytes to sd 3<br>ldap_result ld 0x1aa8c6f0 msgid 1<br>
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)<br>wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1<br>** ld 0x1aa8c6f0 Connections:<br></div>* host: <a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">sbpaddc003.corp.mydomain.ad</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://sbpaddc003.corp.mydomain.ad</a>> port: 389 (default)
<div>
<div class="h5"><br> refcnt: 2 status: Connected<br> last used: Tue Sep 21 10:23:41 2010<br>** ld 0x1aa8c6f0 Outstanding Requests:<br> * msgid 1, origid 1, status InProgress<br> outstanding referrals 0, parent count 0<br>
** ld 0x1aa8c6f0 Response Queue:<br> Empty<br>ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1<br>ldap_chkResponseList returns ld 0x1aa8c6f0 NULL<br>ldap_int_select<br>read1msg: ld 0x1aa8c6f0 msgid 1 all 1<br>ber_get_next<br>
ber_get_next: tag 0x30 len 40 contents:<br>read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result<br>ber_scanf fmt ({eaa) ber:<br>read1msg: ld 0x1aa8c6f0 0 new referrals<br>read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1<br>
request done: ld 0x1aa8c6f0 msgid 1<br>res_errno: 0, res_error: <>, res_matched: <><br>ldap_free_request (origid 1, msgid 1)<br>ldap_parse_extended_result<br>ber_scanf fmt ({eaa) ber:<br>ber_scanf fmt (a) ber:<br>
ldap_parse_result<br>ber_scanf fmt ({iaa) ber:<br>ber_scanf fmt (x) ber:<br>ber_scanf fmt (}) ber:<br>ldap_msgfree<br>TLS trace: SSL_connect:before/connect initialization<br>TLS trace: SSL_connect:SSLv2/v3 write client hello A<br>
TLS trace: SSL_connect:SSLv3 read server hello A<br></div></div>TLS certificate verification: depth: 0, err: 20, subject: /CN=<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">SBPADDC003.Corp.MYDOMAIN.AD</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://SBPADDC003.Corp.MYDOMAIN.AD</a>>, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
<div class="im"><br>TLS certificate verification: Error, unable to get local issuer certificate<br></div></blockquote>Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file.<br>
<br>If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.<br><br>Let's see what the subject and issuer are in the CA cert:<br>
openssl x509 -in /path/to/adcacert.asc -text<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">TLS certificate verification: depth: 0, err: 27, subject: /CN=<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">SBPADDC003.Corp.MYDOMAIN.AD</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://SBPADDC003.Corp.MYDOMAIN.AD</a>>, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
<div class="im"><br>TLS certificate verification: Error, certificate not trusted<br></div>TLS certificate verification: depth: 0, err: 21, subject: /CN=<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">SBPADDC003.Corp.MYDOMAIN.AD</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://SBPADDC003.Corp.MYDOMAIN.AD</a>>, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
<div class="im"><br>TLS certificate verification: Error, unable to verify the first certificate<br>TLS trace: SSL_connect:SSLv3 read server certificate A<br>TLS trace: SSL_connect:SSLv3 read server certificate request A<br>
TLS trace: SSL_connect:SSLv3 read server done A<br>TLS trace: SSL_connect:SSLv3 write client certificate A<br>TLS trace: SSL_connect:SSLv3 write client key exchange A<br>TLS trace: SSL_connect:SSLv3 write change cipher spec A<br>
TLS trace: SSL_connect:SSLv3 write finished A<br>TLS trace: SSL_connect:SSLv3 flush data<br>TLS trace: SSL_connect:SSLv3 read finished A<br>TLS trace: SSL3 alert write:warning:bad certificate<br>TLS: unable to get peer certificate.<br>
ldap_bind<br>ldap_simple_bind<br>ldap_sasl_bind<br>ldap_send_initial_request<br>ldap_send_server_request<br>ber_scanf fmt ({it) ber:<br>ber_scanf fmt ({i) ber:<br>ber_flush: 14 bytes to sd 3<br>ldap_result ld 0x1aa8c6f0 msgid 2<br>
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)<br>wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1<br>** ld 0x1aa8c6f0 Connections:<br></div>* host: <a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">sbpaddc003.corp.mydomain.ad</a> <<a href="http://sbpaddc003.corp.mydomain.ad/" target="_blank">http://sbpaddc003.corp.mydomain.ad</a>> port: 389 (default)
<div class="im"><br> refcnt: 2 status: Connected<br> last used: Tue Sep 21 10:23:41 2010<br>** ld 0x1aa8c6f0 Outstanding Requests:<br> * msgid 2, origid 2, status InProgress<br> outstanding referrals 0, parent count 0<br>
** ld 0x1aa8c6f0 Response Queue:<br> Empty<br>ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1<br>ldap_chkResponseList returns ld 0x1aa8c6f0 NULL<br>ldap_int_select<br>read1msg: ld 0x1aa8c6f0 msgid 2 all 1<br>ber_get_next<br>
ldap_perror<br>ldap_result: Can't contact LDAP server (-1)<br> Please help to resolve this issue.<br></div></blockquote><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im"><br><br><br> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> <mailto:<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>> wrote:<br>
<br> Shan Kumaraswamy wrote:<br><br> Rich,<br> I am again facing some issue with IPA+AD Sync and I tested all<br> the levels:<br> Windows PassSync entry exists, not resetting password<br> INFO:root:Added new sync agreement, waiting for it to become<br>
ready . . .<br> INFO:root:Replication Update in progress: FALSE: status: 81 -<br> LDAP error: Can't contact LDAP server: start: 0: end: 0<br> INFO:root:Agreement is ready, starting replication . . .<br>
Starting replication, please wait until this has completed.<br></div> [<a href="http://saprhds001.bmibank.com/" target="_blank">saprhds001.bmibank.com</a> <<a href="http://saprhds001.bmibank.com/" target="_blank">http://saprhds001.bmibank.com/</a>><br>
<<a href="http://saprhds001.bmibank.com/" target="_blank">http://saprhds001.bmibank.com</a>
<div class="im"><br> <<a href="http://saprhds001.bmibank.com/" target="_blank">http://saprhds001.bmibank.com/</a>>>] reports: Update failed!<br> Status: [81 - LDAP error: Can't contact LDAP server]<br>
<br> I have imported the right CA to the IPA box and the output is:<br> Certificate Nickname Trust Attributes<br> SSL,S/MIME,JAR/XPI<br>
CA certificate CTu,u,Cu<br> Imported CA CT,,C<br> Server-Cert u,u,u<br>
And also I did the openssl s_client option too, but no luck.<br><br> What exactly did you do? with openssl s_client?<br><br> Did you try<br> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P<br> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"<br>
<br> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h<br> fqdn.of.ad.hostname -p 389 -Z -s base -b ""<br><br> Without cert when I try ldap search it gives output, but<br> with cert (AD CA) it throws an error.<br>
Please help me fix this issue.<br> <br> -- Thanks & Regards<br> Shan Kumaraswamy<br><br><br><br><br><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br><br></div></blockquote><br>
</blockquote></div><br><br clear="all"><br>-- <br>Thanks & Regards<br>Shan Kumaraswamy<br><br></div>
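The check Rich describes in his reply (look at the subject and issuer in the CA file, and make sure the whole chain up to the root is present) as an added shell example; it is not part of the thread or of IPA itself, assumes openssl is on PATH, and the bundle and server-certificate paths are the ones you supply.

```shell
#!/bin/sh
# Added example, not from the thread. Inspects the CA file you would hand to
# LDAPTLS_CACERT and checks that it covers the certificate the AD domain
# controller presents. Assumes openssl is on PATH; the file paths are yours.

# name_of subject|issuer cert.pem -> the name in RFC 2253 form, for comparison
name_of() {
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Print "subject|issuer" for every certificate in a PEM bundle, one per line.
list_chain() {
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate (text before the first
    # BEGIN line, e.g. "Bag Attributes", is dropped)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        printf '%s|%s\n' "$(name_of subject "$f")" "$(name_of issuer "$f")"
    done
    rm -rf "$tmp"
}

# check_bundle_covers ca-bundle.pem server-cert.pem
# Succeeds when the server cert's issuer is the subject of some cert in the
# bundle, the bundle contains a self-signed root, and openssl verify agrees.
# A failing first check is what "unable to get local issuer certificate" in
# the ldapsearch -d 1 trace means; a failing second one is the missing-chain
# case (subordinate CA present, root absent).
check_bundle_covers() {
    bundle=$1; server=$2
    want=$(name_of issuer "$server")
    if ! list_chain "$bundle" | cut -d'|' -f1 | grep -Fxq -- "$want"; then
        echo "issuer of server cert not in bundle: $want" >&2
        return 1
    fi
    if ! list_chain "$bundle" | awk -F'|' '$1==$2{ok=1} END{exit !ok}'; then
        echo "bundle has no self-signed root: include the full CA chain" >&2
        return 1
    fi
    openssl verify -CAfile "$bundle" "$server" >/dev/null
}
```

Run `list_chain adcacert.asc` first to see what the file really contains, then `check_bundle_covers adcacert.asc dc-cert.pem` with the certificate the DC presented (for example saved from `openssl s_client`).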