<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body ocsi="0" fpstyle="1" bgcolor="#FFFFFF"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">got a new CA cert and seem to be in buisness [root@se-idm-01.boingo.com cacerts]$ ipa-replica-manage connect --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa, dc=local" --bindpw "g0_b0ing0" --passsync "l0v3ish@rd" --cacert=/etc/openldap/cacerts/skywarp.cer qatestdc2.boingoqa.local -v Directory Manager password: Added CA certificate /etc/openldap/cacerts/skywarp.cer to certificate database for se-idm-01.boingo.com ipa: INFO: AD Suffix is: DC=boingoqa,DC=local The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com Windows PassSync entry exists, not resetting password ipa: INFO: Added new sync agreement, waiting for it to become ready . . . ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0 ipa: INFO: Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update succeeded Connected 'se-idm-01.boingo.com' to 'qatestdc2.boingoqa.local' then ran your command [root@se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local) ldap_create ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.194.55.48:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x1b7c160 msgid 1 wait4msg ld 0x1b7c160 msgid 1 (infinite timeout) wait4msg continue ld 0x1b7c160 msgid 1 all 1 ** ld 0x1b7c160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:09 2014 ** ld 0x1b7c160 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1b7c160 request count 1 (abandoned 0) ** ld 0x1b7c160 Response Queue: Empty ld 0x1b7c160 response count 0 ldap_chkResponseList ld 0x1b7c160 msgid 1 all 1 ldap_chkResponseList returns ld 0x1b7c160 NULL ldap_int_select read1msg: ld 0x1b7c160 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1b7c160 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1b7c160 0 new referrals read1msg: mark request completed, ld 0x1b7c160 msgid 1 request done: ld 0x1b7c160 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix . TLS: loaded CA certificate file /etc/ipa/ca.crt. TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 66 bytes to sd 3 ldap_result ld 0x1b7c160 msgid 2 wait4msg ld 0x1b7c160 msgid 2 (infinite timeout) wait4msg continue ld 0x1b7c160 msgid 2 all 1 ** ld 0x1b7c160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:13 2014 ** ld 0x1b7c160 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1b7c160 request count 1 (abandoned 0) ** ld 0x1b7c160 Response Queue: Empty ld 0x1b7c160 response count 0 ldap_chkResponseList ld 0x1b7c160 msgid 2 all 1 ldap_chkResponseList returns ld 0x1b7c160 NULL ldap_int_select read1msg: ld 0x1b7c160 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 104 contents: read1msg: ld 0x1b7c160 msgid 2 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x1b7c160 0 new referrals read1msg: mark request completed, ld 0x1b7c160 msgid 2 request done: ld 0x1b7c160 msgid 2 res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 [root@se-idm-01.boingo.com cacerts]$ LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local) ldap_create ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.194.55.48:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 31 bytes to sd 3 ldap_result ld 0x1fe2160 msgid 1 wait4msg ld 0x1fe2160 msgid 1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid 1 all 1 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:19 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid 1 all 1 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1fe2160 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 1 request done: ld 0x1fe2160 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix . TLS: loaded CA certificate file /etc/ipa/ca.crt. TLS: certificate [CN=QATESTDC2.boingoqa.local] is valid TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 65 bytes to sd 3 ldap_result ld 0x1fe2160 msgid 2 wait4msg ld 0x1fe2160 msgid 2 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid 2 all 1 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid 2 all 1 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x1fe2160 msgid 2 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 2 request done: ld 0x1fe2160 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_search_ext put_filter: "objectclass=*" put_filter: default put_simple_filter: "objectclass=*" ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 85 bytes to sd 3 ldap_result ld 0x1fe2160 msgid -1 wait4msg ld 0x1fe2160 msgid -1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid -1 all 0 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 3, origid 3, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0 ldap_chkResponseList returns ld 0x1fe2160 NULL ldap_int_select read1msg: ld 0x1fe2160 msgid -1 all 0 ber_get_next ber_get_next: tag 0x30 len 59 contents: read1msg: ld 0x1fe2160 msgid 3 message type search-entry ldap_get_dn_ber ber_scanf fmt ({ml{) ber: dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local ber_scanf fmt ({xx) ber: ldap_get_attribute_ber ldap_msgfree ldap_result ld 0x1fe2160 msgid -1 wait4msg ld 0x1fe2160 msgid -1 (infinite timeout) wait4msg continue ld 0x1fe2160 msgid -1 all 0 ** ld 0x1fe2160 Connections: * host: qatestdc2.boingoqa.local port: 389 (default) refcnt: 2 status: Connected last used: Fri Jan 31 23:59:23 2014 ** ld 0x1fe2160 Outstanding Requests: * msgid 3, origid 3, status InProgress outstanding referrals 0, parent count 0 ld 0x1fe2160 request count 1 (abandoned 0) ** ld 0x1fe2160 Response Queue: Empty ld 0x1fe2160 response count 0 ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0 ldap_chkResponseList returns ld 0x1fe2160 NULL read1msg: ld 0x1fe2160 msgid -1 all 0 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x1fe2160 msgid 3 message type search-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x1fe2160 0 new referrals read1msg: mark request completed, ld 0x1fe2160 msgid 3 request done: ld 0x1fe2160 msgid 3 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 3, msgid 3) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 ldap_free_connection: actually freed <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF276177">From: Rich Megginson [rmeggins@redhat.com] Sent: Friday, January 31, 2014 3:58 PM To: Todd Maugh; dpal@redhat.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] cant create winsync reolication </div> <div></div> <div> <div class="moz-cite-prefix">On 01/31/2014 04:13 PM, Todd Maugh wrote: </div> <blockquote type="cite"><style id="owaParaStyle" type="text/css">  BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}</style> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <div>asked: Can you provide your /etc/openldap/ldap.conf? answer: /etc/openldap/ldap.con #File modified by ipa-client-install URI <a class="moz-txt-link-freetext" href="UrlBlockedError.aspx" target="_blank"> ldaps://se-idm-01.boingo.com</a> BASE dc=boingo,dc=com TLS_CACERT /etc/ipa/ca.crt TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow </div> </div> </div> </blockquote> This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa. What happens if you set it to TLS_REQCERT demand? Or, if you don't want to touch this file (because it will probably break other things), try this: LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H <a class="moz-txt-link-freetext" href="UrlBlockedError.aspx" target="_blank">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn If that works, then please provide the output of rpm -q 389-ds-base openldap nss <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <div>ping <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized.. </div> </blockquote> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem? PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data. 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms ^C --- qatestdc2.boingoqa.local ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1070ms rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms </div> </div> </div> </blockquote> Ok. Does 10.194.55.48 resolve to qatestdc2.boingoqa.local? <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <div> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0 Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request </div> </blockquote> </div> </div> </div> </blockquote> </div> </div> </div> </body> </html>