[Fedora-directory-users] LDAP Error

Richard Megginson rmeggins at redhat.com
Fri Aug 4 22:26:36 UTC 2006


Joe Sheehan wrote:
> Thanks - we will definitely take your advice.
> Curious if switching the order within the nsswitch.conf would do the 
> trick.
It might.
>
> Joe
>
>
>> From: Richard Megginson <rmeggins at redhat.com>
>> Reply-To: "General discussion list for the Fedora Directory server 
>> project." <fedora-directory-users at redhat.com>
>> To: "General discussion list for the Fedora Directory server 
>> project." <fedora-directory-users at redhat.com>
>> Subject: Re: [Fedora-directory-users] LDAP Error
>> Date: Fri, 04 Aug 2006 15:26:21 -0600
>>
>> Joe Sheehan wrote:
>>> Googling for this, it basically says the same thing as you've
>>> stated.
>>> Is there a way to fix this by hand
>> Fix your DNS and reverse DNS set up.  Are you also using NIS for 
>> hostname resolution?  You may have to make sure NIS and DNS hosts 
>> resolve to the same IP addresses.
>>> or is LDAP corrupted beyond fixing unless you
>>> uninstall and re-install?
>> This has nothing to do with ldap corruption.  Although, once you fix
>> your DNS and reverse DNS, you will need to re-install from scratch.
>> This is unfortunately the easiest way to ensure proper Admin Server
>> set up.
>>>
>>> Joe
>>>
>>>
>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>> Reply-To: "General discussion list for the Fedora Directory server 
>>>> project." <fedora-directory-users at redhat.com>
>>>> To: "General discussion list for the Fedora Directory server 
>>>> project." <fedora-directory-users at redhat.com>
>>>> Subject: Re: [Fedora-directory-users] LDAP Error
>>>> Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>>
>>>> Joe Sheehan wrote:
>>>>> Has anyone seen this before? Possible causes? Thanks Joe
>>>>>
>>>>>
>>>>> Start Slapd Server Config
>>>>>
>>>>> FATAL Slapd ERROR LDAP authentication failed for url: 
>>>>> ldap://nodename.my.nis:1389             Netscaperoot user id admin 
>>>>> (151: unknown error)
>>>> This usually indicates a problem with DNS or reverse DNS setup.
>>>>>
>>>>> Fatal slapd did not add directory server information into 
>>>>> configuration server
>>>>>
>>>>> ...
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>>>> Reply-To: "General discussion list for the Fedora Directory 
>>>>>> server project." <fedora-directory-users at redhat.com>
>>>>>> To: "General discussion list for the Fedora Directory server 
>>>>>> project." <fedora-directory-users at redhat.com>
>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the 
>>>>>> utility ldapsearch.
>>>>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>>
>>>>>> One problem may be that you have to specify some additional 
>>>>>> option when creating the MS CA cert or server certs issued by 
>>>>>> this CA.  Is this a root CA or did you get a CA certificate from 
>>>>>> somewhere else?
>>>>>>
>>>>>> Do this:
>>>>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P 
>>>>>> slapd-asterisk1- -L -n ad-cert
>>>>>>
>>>>>> Safonov Alexey wrote:
>>>>>>> Thanks Richard!
>>>>>>>
>>>>>>> In my opinion it is the certificate of the CA. You can see the
>>>>>>> details of how it was obtained in a screenshot (see the attached file).
>>>>>>>
>>>>>>> Safonov Alexey
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of 
>>>>>>> Richard
>>>>>>> Megginson
>>>>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>>>>> To: General discussion list for the Fedora Directory server 
>>>>>>> project.
>>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>>> ldapsearch.
>>>>>>>
>>>>>>>
>>>>>>> Safonov Alexey wrote:
>>>>>>>
>>>>>>>> Thanks Richard!
>>>>>>>>
>>>>>>>> Now I start it like this:
>>>>>>>> [root at asterisk1 bin]# ./ldapsearch -Z -P
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
>>>>>>>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w 
>>>>>>>> secret01 -s
>>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>>>
>>>>>>>> And I receive an error:
>>>>>>>>
>>>>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>>
>>>>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>>> ldaptool_getcertpath -- 
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>>> ldaptool_getkeypath -- 
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>>> ldaptool_getmodpath -- (null)
>>>>>>>> ldaptool_getdonglefilename -- (null)
>>>>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>>>>>         SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>>
>>>>>>>> Though the certificate ad-cert (from Windows DC) is installed. The
>>>>>>>> utility certutil and the Fedora Management Console (Manage Certificates)
>>>>>>>> show it.
>>>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L 
>>>>>>>> -d . -P
>>>>>>>> slapd-asterisk1-
>>>>>>>> CA certificate                 CTu,u,u
>>>>>>>> server-cert                    u,u,u
>>>>>>>> Server-Cert                    u,u,u
>>>>>>>> ad-cert                        CT,C,C
>>>>>>>>
>>>>>>>> Help me!
>>>>>>>>
>>>>>>>>
>>>>>>> Is ad-cert the certificate of the AD server or the certificate 
>>>>>>> of the CA
>>>>>>> that issued the AD cert?  An SSL client only needs to trust the 
>>>>>>> CA cert
>>>>>>> of the issuer of the server certs it wants to use.
>>>>>>>
>>>>>>>> Safonov Alexey
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of 
>>>>>>>> Richard
>>>>>>>> Megginson
>>>>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>>> To: General discussion list for the Fedora Directory server 
>>>>>>>> project.
>>>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>>>> ldapsearch.
>>>>>>>>
>>>>>>>>
>>>>>>>> Safonov Alexey wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi !
>>>>>>>>>
>>>>>>>>> I am asking for help solving a problem with the ldapsearch utility.
>>>>>>>>>
>>>>>>>>> There is a problem carrying out synchronization between FDS and AD.
>>>>>>>>> I have done the following:
>>>>>>>>> 1) Install FDS
>>>>>>>>> 2) Configured SSL-enabled FDS. For this purpose I ran the script
>>>>>>>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>>> from the HOWTO "Howto:SSL"
>>>>>>>>> (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>>> 3) Restart FDS.
>>>>>>>>>    netstat -atupn | grep ns-
>>>>>>>>> tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
>>>>>>>>> tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
>>>>>>>>> 4) Enable SSL on AD.
>>>>>>>>> Install Certificate Service
>>>>>>>>> Check util ldp.exe:
>>>>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>>>                  Port  - 636
>>>>>>>>>                  Checkbox "SSL"
>>>>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>>>>> LDAP_VERSION3);
>>>>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>>> Retrieving base DSA information...
>>>>>>>>> .....
>>>>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. 
>>>>>>>>> Check:
>>>>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L 
>>>>>>>>> -d . -P
>>>>>>>>> slapd-asterisk1-
>>>>>>>>> CA certificate                         CTu,u,u
>>>>>>>>> server-cert                            u,u,u
>>>>>>>>> Server-Cert                            u,u,u
>>>>>>>>> ad-cert                                CT,C,C <- install this
>>>>>>>>>
>>>>>>>>> 7) [root at asterisk1 alias]# ldapsearch -Z -P
>>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>>>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w 
>>>>>>>>> secret01 -s
>>>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which 
>>>>>>>> uses
>>>>>>>> openssl for crypto, which is completely different than NSS.  
>>>>>>>> You need to
>>>>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>>
>>>>>>>>
>>>>>>>>> Error:
>>>>>>>>> ldapsearch: unabel to parse protocol version
>>>>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>>
>>>>>>>>> Help me!
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------
>>>>>>>>> My Setup:
>>>>>>>>>
>>>>>>>>> Fedora Core 5 (i386)
>>>>>>>>> Fedora Directory Server 1.0.2
>>>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>>> ------------------------------------------------------
>>>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
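Added example, not part of the thread and not Fedora Directory Server code: the advice above is to fix DNS and reverse DNS and to make sure NIS and DNS resolve the host to the same address. The script below performs that check. Hostnames and addresses in it are constructed placeholders; the resolver functions are injectable so the checks run offline against tables, and the defaults use the system resolver, which follows the source order in /etc/nsswitch.conf.

```python
"""Forward/reverse name-resolution consistency check (added example)."""
import socket
from typing import Callable, Dict, List

Forward = Callable[[str], List[str]]   # hostname -> list of IPv4 addresses
Reverse = Callable[[str], str]         # IP -> canonical hostname


def system_forward(hostname: str) -> List[str]:
    """Resolve a name via the system resolver (honours nsswitch.conf order)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def system_reverse(ip: str) -> str:
    """Reverse-resolve an address via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def check_host(hostname: str, forward: Forward, reverse: Reverse) -> List[str]:
    """Return a list of problems; empty means forward and reverse agree.

    For every address the name resolves to: a PTR must exist, the PTR name must
    be the same FQDN (case-insensitive), and that name must resolve back to
    an address set containing the original address.
    """
    problems = []
    try:
        addrs = forward(hostname)
    except OSError as exc:
        return [f"{hostname}: forward lookup failed ({exc})"]
    if not addrs:
        return [f"{hostname}: forward lookup returned no addresses"]
    for ip in addrs:
        try:
            rname = reverse(ip)
        except OSError as exc:
            problems.append(f"{ip}: no PTR record ({exc})")
            continue
        if rname.lower().rstrip(".") != hostname.lower().rstrip("."):
            problems.append(f"{ip}: reverse name {rname!r} != {hostname!r}")
        try:
            back = forward(rname)
        except OSError:
            back = []
        if ip not in back:
            problems.append(f"{ip}: {rname!r} does not resolve back to {ip}")
    return problems


def compare_sources(hostname: str, sources: Dict[str, Forward]) -> List[str]:
    """Report hostname sources (files, nis, dns, ...) that disagree on the address set."""
    results = {}
    for name, fwd in sources.items():
        try:
            results[name] = tuple(sorted(fwd(hostname)))
        except OSError:
            results[name] = ()
    if len(set(results.values())) <= 1:
        return []
    return [f"{hostname}: {src} -> {list(addrs) or 'unresolved'}" for src, addrs in results.items()]


def table_resolver(table: Dict[str, List[str]]) -> Forward:
    """Forward resolver backed by a constructed name->addresses table."""
    def _lookup(name: str) -> List[str]:
        key = name.lower().rstrip(".")
        if key not in table:
            raise OSError(f"unknown host {name}")
        return list(table[key])
    return _lookup


def ptr_resolver(table: Dict[str, str]) -> Reverse:
    """Reverse resolver backed by a constructed address->name table."""
    def _lookup(ip: str) -> str:
        if ip not in table:
            raise OSError(f"no PTR for {ip}")
        return table[ip]
    return _lookup


# Constructed sample (placeholder names and addresses, not from the thread):
# DNS is self-consistent, but the NIS hosts map still carries a stale address.
DNS_FORWARD = {"ldap1.example.test": ["192.0.2.10"]}
DNS_REVERSE = {"192.0.2.10": "ldap1.example.test"}
NIS_FORWARD = {"ldap1.example.test": ["192.0.2.99"]}


def demo() -> Dict[str, List[str]]:
    """Run both checks over the constructed tables and return the findings."""
    host = "ldap1.example.test"
    return {
        "dns": check_host(host, table_resolver(DNS_FORWARD), ptr_resolver(DNS_REVERSE)),
        "sources": compare_sources(host, {"dns": table_resolver(DNS_FORWARD),
                                          "nis": table_resolver(NIS_FORWARD)}),
    }


if __name__ == "__main__":
    for check, findings in demo().items():
        print(check, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

To run it against a live host, call `check_host(name, system_forward, system_reverse)`; the second check is only meaningful when you can query each nsswitch source separately (for example a resolver that reads a NIS hosts map), which is why it takes the sources as arguments.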
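Added example, not from the thread: a decoder for the trust column of the `certutil -L` listings quoted above, so it is clear which database entries NSS will accept as issuers of SSL server certificates and which are the server's own certificates. Flag meanings follow the NSS certutil documentation (three comma-separated slots: SSL, S/MIME, object signing; `C` trusted CA for server certs, `T` trusted CA for client certs, `c` valid CA, `P` trusted peer, `p` valid peer, `u` user cert usable for authentication or signing, `w` send warning). The `SAMPLE` listing is constructed from the four entries shown in the thread plus the header lines certutil prints; the class and function names are this example's own. The flags only say how an entry is trusted, not whether it is in fact the issuer of the AD server certificate, which is the question Richard raises.

```python
"""Decode NSS certutil -L trust strings (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

TRUST_RE = re.compile(r"^([pPcTCuw]*),([pPcTCuw]*),([pPcTCuw]*)$")
SLOTS = ("ssl", "email", "objsign")
FLAG_MEANING = {
    "C": "trusted CA for server certs", "T": "trusted CA for client certs",
    "c": "valid CA", "P": "trusted peer", "p": "valid peer",
    "u": "user cert (authentication/signing)", "w": "send warning",
}


@dataclass
class CertEntry:
    nickname: str
    trust: Dict[str, str]   # slot name -> flag letters for that slot

    def is_ssl_trust_anchor(self) -> bool:
        """True if NSS will accept this entry as an issuer of SSL server certs."""
        return "C" in self.trust["ssl"]

    def is_user_cert(self) -> bool:
        """True if any slot carries 'u', i.e. the entry is one of this host's own certs."""
        return any("u" in flags for flags in self.trust.values())

    def describe(self) -> str:
        parts = []
        for slot in SLOTS:
            flags = self.trust[slot]
            meaning = ", ".join(FLAG_MEANING[f] for f in flags) if flags else "no trust"
            parts.append(f"{slot}: {meaning}")
        return f"{self.nickname}: " + "; ".join(parts)


def parse_certutil_listing(text: str) -> List[CertEntry]:
    """Parse certutil -L output.

    Nicknames may contain spaces ("CA certificate"), so the trust string is the
    last whitespace-separated token and the nickname is everything before it.
    Header and blank lines do not match the trust pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        m = TRUST_RE.match(tokens[-1])
        if not m:
            continue
        entries.append(CertEntry(" ".join(tokens[:-1]), dict(zip(SLOTS, m.groups()))))
    return entries


def ssl_trust_anchors(entries: List[CertEntry]) -> List[str]:
    """Nicknames that NSS treats as trusted issuers for SSL server certificates."""
    return [e.nickname for e in entries if e.is_ssl_trust_anchor()]


# Constructed sample: the entries quoted in the thread, preceded by the header
# lines a real certutil -L run prints.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C
"""

if __name__ == "__main__":
    listing = parse_certutil_listing(SAMPLE)
    for entry in listing:
        print(entry.describe())
    print("SSL trust anchors:", ssl_trust_anchors(listing))
```

Feed it the output of `certutil -d . -P <prefix> -L` from the alias directory; an entry that you expect to validate a remote server's certificate should appear among the SSL trust anchors, and an entry with `u` in the SSL slot is one the server presents itself.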