[Fedora-directory-users] Windows Active Directory sync Help!

kiran madala kirankmadala at hotmail.com
Wed Jan 9 21:03:18 UTC 2008


I keep getting these errors when trying to initiate sync:

[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

The LDAP search tool is not installed on my machine, so I could not do a search.
----------------------------------------
> Date: Wed, 9 Jan 2008 11:43:49 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
> 
> kiran madala wrote:
>> Sorry here is the error log for DS server
>>
>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>
>> It cannot connect to AD. I imported the CA certificate into the installation folder of the console on the Windows XP machine.
> Did you configure the agreement to use SSL?  Error 91 means some sort of 
> connection problem, or invalid argument to the LDAP API e.g. you are 
> attempting to use LDAP on the secure port instead of LDAPS.
> 
> You can verify that TLS/SSL is working by using ldapsearch from the 
> command line.  On the directory server machine:
> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P 
> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
> 
> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>
>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>> I am using Fedora 1.1 on a Fedora 6 x86 machine. When I fill in the entries and click next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field, can I specify the IP address of the machine?
>>>>
>>>> The error log for DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>>>>
>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>> <snip>
>>> Actually, this is the error log for the admin server.  The error log for 
>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance 
>>> is your instance name.
>>>
>>> The console might be failing to connect to AD because the console has a 
>>> separate key/cert db under ~/.fedora-idm-console (in 1.1).  You may need 
>>> to add the CA cert in this directory too:
>>>
>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>
>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>> From: rmeggins at redhat.com
>>>>> To: fedora-directory-users at redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>> As far as I understand from reading the docs again, the user specified in the Sync agreement and Bind DN should be the same and exist on Active Directory with Domain Admin privileges. But I have other issues now.
>>>>>>
>>>>>> The DS server is unable to connect to my AD.
>>>>> What error messages are you getting?  Check the error log.
>>>>>
>>>>> You can also try using ldapsearch.  Are you using Fedora DS 1.1 or 
>>>>> 1.0.4?  What OS?
>>>>>> I enabled SSL by copying the same root certificate into AD, also generating a server certificate, and opened up ports in the firewall. Am I missing something like allowing client authentication on the AD machine?
>>>>> You don't need to use cert based client auth.  You can use regular 
>>>>> username/password auth over TLS/SSL.
>>>>>> My current certificates are as follows.
>>>>>>
>>>>>> DS has its own server certificate
>>>>>> AD has its own server certificate
>>>>>> All 3 servers, AS, DS and AD, have the same CA root certificate
>>>>>>
>>>>>>> From: kirankmadala at hotmail.com
>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have a few questions.
>>>>>>>
>>>>>>> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?
>>>>>>>
>>>>>>> In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain Admin of the AD?
>>>>>>>
>>>>>>> When trying to synchronize with AD, should the bind DN user (in the screenshot) be in both AD and DS?
>>>>>>>
>>>>>>> I have attached the screenshot of my final DS agreement window. I believe it is currently defined to synchronize users; what changes do I need to make so it synchronizes groups as well?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
> 
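The error-log lines quoted in this thread, run through a small triage parser that extracts the agreement, peer host:port and NSPR/LDAP error codes and attaches the diagnosis Rich gives above (added example, not code from the thread or from the Fedora DS project; the sample log is constructed from the quoted lines):

```python
import re
from datetime import datetime

# Constructed sample, modelled on the slapd error-log lines quoted in this thread.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""

# "[timestamp] <source> - <message>"; bare SSL alerts carry no source name.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?:(?P<src>\S+) )?- (?P<msg>.*)$')
# Replication-agreement messages name the agreement and the peer host:port.
AGMT_RE = re.compile(r'^agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<detail>.*)$')
NSPR_RE = re.compile(r'Netscape Portable Runtime error (-?\d+)')
LDAP_RE = re.compile(r'LDAP (?:sdk )?error (-?\d+)')

# Hints restate the thread's diagnoses: sdk error 91 is a connection problem or a bad
# argument (e.g. plain LDAP on the LDAPS port); a clientauth failure means the agreement
# is doing certificate-based client auth, which simple bind over TLS/SSL does not need.
HINTS = {
    "connect-failure": "check the agreement uses LDAPS on 636; verify with ldapsearch -Z",
    "cert-client-auth": "agreement uses SSL client-cert auth; use simple bind over TLS/SSL",
}

def classify(detail):  # map one failure message to the category discussed in the thread
    if "ldapssl_enable_clientauth" in detail or "SSL client authentication failed" in detail:
        return "cert-client-auth"
    ldap = LDAP_RE.search(detail)
    if ldap and ldap.group(1) == "91":
        return "connect-failure"
    return "other"

def parse_line(line):  # one slapd error-log line -> triage record, or None if unrecognised
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
           "src": m["src"], "agmt": None, "host": None, "port": None}
    a = AGMT_RE.match(m["msg"])
    detail = a["detail"] if a else m["msg"]
    if a:
        rec.update(agmt=a["agmt"], host=a["host"], port=int(a["port"]))
    nspr = NSPR_RE.search(detail)
    rec["nspr"] = int(nspr.group(1)) if nspr else None
    rec["kind"] = classify(detail)
    rec["hint"] = HINTS.get(rec["kind"], "")
    return rec

def triage(log):  # parse every recognisable line of an error log
    return [r for r in (parse_line(ln) for ln in log.splitlines()) if r]
```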
