
Re: [Freeipa-users] IPA+AD sync error



Shan Kumaraswamy wrote:
Rich,
Please find the below out put of the command:
[root saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u
I'm assuming "Imported CA" is the MS AD CA.  Do this:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"


On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmeggins redhat com> wrote:

    Shan Kumaraswamy wrote:

        After this error, I have tried the following steps:
         /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"

         Then I got output like this:
        version: 1
        dn:
        currentTime: 20100817220245.0Z
        subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
        dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
        namingContexts: DC=test,DC=ad
        namingContexts: CN=Configuration,DC=test,DC=ad
        namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
        namingContexts: DC=DomainDnsZones,DC=test,DC=ad
        namingContexts: DC=ForestDnsZones,DC=test,DC=ad
        defaultNamingContext: DC=test,DC=ad
        schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
        configurationNamingContext: CN=Configuration,DC=test,DC=ad
        rootDomainNamingContext: DC=test,DC=ad
        supportedControl: 1.2.840.113556.1.4.319
        supportedControl: 1.2.840.113556.1.4.801
        supportedControl: 1.2.840.113556.1.4.473
        supportedControl: 1.2.840.113556.1.4.528
        supportedControl: 1.2.840.113556.1.4.417
        supportedControl: 1.2.840.113556.1.4.619
        supportedControl: 1.2.840.113556.1.4.841
        supportedControl: 1.2.840.113556.1.4.529
        supportedControl: 1.2.840.113556.1.4.805
        supportedControl: 1.2.840.113556.1.4.521
        supportedControl: 1.2.840.113556.1.4.970
        supportedControl: 1.2.840.113556.1.4.1338
        supportedControl: 1.2.840.113556.1.4.474
        supportedControl: 1.2.840.113556.1.4.1339
        supportedControl: 1.2.840.113556.1.4.1340
        supportedControl: 1.2.840.113556.1.4.1413
        supportedControl: 2.16.840.1.113730.3.4.9
        supportedControl: 2.16.840.1.113730.3.4.10
        supportedControl: 1.2.840.113556.1.4.1504
        supportedControl: 1.2.840.113556.1.4.1852
        supportedControl: 1.2.840.113556.1.4.802
        supportedControl: 1.2.840.113556.1.4.1907
        supportedControl: 1.2.840.113556.1.4.1948
        supportedControl: 1.2.840.113556.1.4.1974
        supportedControl: 1.2.840.113556.1.4.1341
        supportedControl: 1.2.840.113556.1.4.2026
        supportedControl: 1.2.840.113556.1.4.2064
        supportedControl: 1.2.840.113556.1.4.2065
        supportedLDAPVersion: 3
        supportedLDAPVersion: 2
        supportedLDAPPolicies: MaxPoolThreads
        supportedLDAPPolicies: MaxDatagramRecv
        supportedLDAPPolicies: MaxReceiveBuffer
        supportedLDAPPolicies: InitRecvTimeout
        supportedLDAPPolicies: MaxConnections
        supportedLDAPPolicies: MaxConnIdleTime
        supportedLDAPPolicies: MaxPageSize
        supportedLDAPPolicies: MaxQueryDuration
        supportedLDAPPolicies: MaxTempTableSize
        supportedLDAPPolicies: MaxResultSetSize
        supportedLDAPPolicies: MinResultSets
        supportedLDAPPolicies: MaxResultSetsPerConn
        supportedLDAPPolicies: MaxNotificationPerConn
        supportedLDAPPolicies: MaxValRange
        highestCommittedUSN: 73772
        supportedSASLMechanisms: GSSAPI
        supportedSASLMechanisms: GSS-SPNEGO
        supportedSASLMechanisms: EXTERNAL
        supportedSASLMechanisms: DIGEST-MD5
        dnsHostName: Windows.test.ad
        ldapServiceName: test.ad:windows$ TEST.AD

        serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
        supportedCapabilities: 1.2.840.113556.1.4.800
        supportedCapabilities: 1.2.840.113556.1.4.1670
        supportedCapabilities: 1.2.840.113556.1.4.1791
        supportedCapabilities: 1.2.840.113556.1.4.1935
        supportedCapabilities: 1.2.840.113556.1.4.2080
        isSynchronized: TRUE
        isGlobalCatalogReady: TRUE
        domainFunctionality: 4
        forestFunctionality: 4
        domainControllerFunctionality: 4

        Then I tried the next step:
         /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"

        ldap_simple_bind: Can't contact LDAP server
               TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
         Please help me to fix this.

    This usually means the SSL server's CA cert is not recognized.
     What does this say:
    certutil -d /etc/dirsrv/slapd-XXXX-COM -L
    ?


         On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan sysadm gmail com> wrote:

           Hi Rich,
           After I did all the steps, I am getting this error:
           INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
           INFO:root:Restarted directory server tesipa001.test.com
           INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
           INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
           The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
           Windows PassSync entry exists, not resetting password
           INFO:root:Added new sync agreement, waiting for it to become ready
           . . .
           INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
           INFO:root:Agreement is ready, starting replication . . .
           Starting replication, please wait until this has completed.
           [saprhds001.bmibank.com] reports:

           Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
           INFO:root:Added agreement for other host windows.test.ad

           Please help me to fix this issue.
           The syntax I used: ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"

           On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins redhat com> wrote:

               Shan Kumaraswamy wrote:

                   Rich,
                    While installing IPA, it creates its own CA cert, right? (cacert.p12),

               Right.

                   and also I did the step of exporting this CA file as dsca.crt.

               Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.

                   Please let me know the steps to generate the IPA CA and server cert?

               The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.

                   On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins redhat com> wrote:

                      Shan Kumaraswamy wrote:


                           Hi,

                           I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me? Previously I have done the same exercise, but now that is not working for me and I am facing a lot of challenges to make this happen.

                           Please find the steps I have done so far:

                           1.       Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that they are working fine

                           2.       On the AD side, installed Active Directory Certificate Server as an Enterprise Root

                           3.       Copied the “cacert.p12” file and imported it under Certificates – Service (Active Directory Domain Service) on Local Computer using MMC.

                           4.       Installed the PassSync.msi file and gave all the required information

                           5.       Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt” from the IPA server, copied the .crt file to the AD server and ran this command from “cd "C:\Program Files\Red Hat Directory Password Synchronization"”

                           6.       certutil.exe -d . -N

                           7.       certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt

                           8.       certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.

                           After these steps, when I try to create the sync agreement from the IPA server I am getting this error:

                                   ldap_simple_bind: Can't contact LDAP server

                                 SSL error -8179 (Peer's Certificate issuer is not recognized.)

                           Please share the steps to configure AD Sync with the IPA server.

http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html

                      But it looks as though there is a step missing.  If you use MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.


--
Thanks & Regards
Shan Kumaraswamy
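The check Rich asks for above, as an added example that is not from the thread or from the FreeIPA project: it reads the trust column of a `certutil -L` listing and confirms the AD CA is trusted to issue SSL server certs before looking at the certificate itself. The database path and the "Imported CA" nickname are the ones posted in the thread; the sample listing is constructed from that output and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. The IPA/389-ds side only accepts AD's
# LDAPS certificate (error -8179 otherwise) when the AD CA cert sits in the
# NSS database with "C" in the SSL field of its trust attributes.
# Constructed sample, modelled on the listing posted in the thread:
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported CA                                                  CT,,C
CA certificate                                               CTu,u,Cu
Server-Cert                                                  u,u,u'

# ssl_trust_flags LISTING NICKNAME: print the SSL column of the trust
# attributes for NICKNAME (prints nothing if the nickname is absent).
ssl_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            attrs = $NF
            sub(/[ \t]+[^ \t]+$/, "")   # drop the trust column, keep nickname
            if ($0 == nick) { split(attrs, f, ","); print f[1]; exit }
        }'
}

# ca_trusted_for_ssl LISTING NICKNAME: succeed only if NICKNAME carries the
# "C" (trusted CA for SSL servers) flag, as "CT,,C" does above.
ca_trusted_for_ssl() {
    case "$(ssl_trust_flags "$1" "$2")" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nss_ca DBDIR NICKNAME: run against a live instance, e.g.
#   check_nss_ca /etc/dirsrv/slapd-XXXX-COM "Imported CA"
# On success it also prints the cert's Issuer/Subject so you can confirm
# it really is the MS AD CA and not some other imported CA.
check_nss_ca() {
    listing=$(certutil -d "$1" -L) || return 2
    if ca_trusted_for_ssl "$listing" "$2"; then
        echo "$2: SSL trust flags '$(ssl_trust_flags "$listing" "$2")' OK"
        certutil -d "$1" -L -n "$2" | grep -E 'Issuer|Subject|Not After'
    else
        echo "$2: not trusted as an SSL CA; re-import it with -t CT,," >&2
        return 1
    fi
}
```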


