[Freeipa-users] IPA+AD sync error

Rich Megginson rmeggins at redhat.com
Wed Aug 18 16:53:19 UTC 2010


Shan Kumaraswamy wrote:
> Rich,
> When I try to open redhat-idm-console using directory server, I am
> getting this error:
>
> The certificate this server presents is either untrusted or unknown. The
> server only communicates through a secure connection involving a
> certificate. Do you wish to accept this certificate anyway?
>
> Even when I say yes to this message to proceed, it still fails to open.
> Please advise.
The use of the console is not supported with IPA.

The console keeps its cert database in ~/.redhat-idm-console - unless 
you have previously installed the CA cert there, the console will prompt 
you if you want to trust the server.

I'm not sure why the console will not open, except that the console does 
not generally work with IPA.  You can use redhat-idm-console -D 9 -f 
console.log to get detailed trace information from the console.
>
> On Wed, Aug 18, 2010 at 5:28 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Sorry, I deleted the copied cert file.... :(
>
>     If you want to get the CA cert out of the certdb and into
>     ascii/pem format:
>     certutil -d /etc/dirsrv/slapd-instancename -L -n "Imported CA" -a > msadca.crt
>
>     If you want to get the CA cert directly from MS CA:
>     on your AD box, open a web browser
>     go to http://<servername>/certsrv
>     There should be an option there to view or download the CA cert.
>     You want to download it in ascii/pem/base64 format (I think
>     Windows uses the term Base64 encoded cert for PEM).  Then you'll
>     have to copy that file to your IPA box.
>
>
>
>         On Wed, Aug 18, 2010 at 5:09 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                Ok sure, I will do the test. Can you please let me know the
>                command to import the AD CA into the dirsrv cert db?
>
>            It is already in there?  This is the certificate called
>            "Imported CA" with Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad" and
>            Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>
>            Or are you asking because you don't know how it got in there in
>            the first place, or forgot?
>
>
>                On Wed, Aug 18, 2010 at 4:44 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                   Shan Kumaraswamy wrote:
>
>                       Rich,
>                       Can I know the command to trust the IPA generated CA
>                       cert file?
>
>                   See below
>
>                   So I don't think that is the problem here.  If that
>                   were the problem, I would expect a different error message.
>                   I think you're just going to have to use something like
>                   openssl s_client to examine the server cert used by AD.
>
>                       On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                          Shan Kumaraswamy wrote:
>
>
>                              Certificate:
>                                 Data:
>                                     Version: 3 (0x2)
>                                     Serial Number:
>                                         46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
>                                     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                                     Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                                     Validity:
>                                         Not Before: Tue Aug 17 01:39:07 2010
>                                         Not After : Mon Aug 17 01:49:05 2015
>                                     Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
>                                     Subject Public Key Info:
>                                         Public Key Algorithm: PKCS #1 RSA Encryption
>                                         RSA Public Key:
>                                             Modulus:
>                                             Exponent: 65537 (0x10001)
>                                     Signed Extensions:
>                                         Name: Microsoft Enrollment Cert Type Extension
>                                         Data: "CA"
>
>                                         Name: Certificate Key Usage
>                                         Critical: True
>                                         Usages: Digital Signature
>                                                 Certificate Signing
>                                                 CRL Signing
>
>                                         Name: Certificate Basic Constraints
>                                         Critical: True
>                                         Data: Is a CA with no maximum path length.
>
>                                         Name: Certificate Subject Key ID
>                                         Data:
>                                             a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
>                                             e6:fb:3a:6d
>
>                                         Name: Microsoft CertServ CA version
>                                         Data: 0 (0x0)
>
>                                 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>                                 Signature:
>                                 Fingerprint (MD5):
>                                     4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
>                                 Fingerprint (SHA1):
>                                     84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
>
>                                 Certificate Trust Flags:
>                                     SSL Flags:
>                                         Valid CA
>                                         Trusted CA
>                                         Trusted Client CA
>                                     Email Flags:
>                                     Object Signing Flags:
>                                         Valid CA
>                                         Trusted CA
>
>                          This looks ok.  So is it possible the AD server cert
>                          was not issued by this CA?  I suppose you could use
>                          an SSL test program like /usr/bin/ssltap
>                          or openssl s_client like this:
>                          openssl s_client -connect windows.test.ad:636 -CAfile /path/to/msadcacert.asc
>
>                          You can also add -verify 3 and -showcerts and -debug
>                          see "man s_client" for more information
>
>
>
>
>                              On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
>                                 Done, and it gave the output also. Can you please
>                                 let me know the next step.
>
>
>                                 On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                     Shan Kumaraswamy wrote:
>
>                                         Rich,
>                                         Please find the below output of the command:
>                                         [root at saprhds001 ~]# certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>                                         Certificate Nickname                     Trust Attributes
>                                                                                  SSL,S/MIME,JAR/XPI
>                                         Imported CA                              CT,,C
>                                         CA certificate                           CTu,u,Cu
>
>                   The CT means the CA is trusted for SSL client and server certs.
>                   certutil -H
>                   ...
>                          trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
>                   ...
>                          c      valid CA
>                          T      trusted CA to issue client certs (implies c)
>                          C      trusted CA to issue server certs (implies c)
>
>                                         Server-Cert                              u,u,u
>
>                                     I'm assuming "Imported CA" is the MS AD CA.  Do this:
>                                     certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
>
>                                         On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                                            Shan Kumaraswamy wrote:
>
>                                                After this error, I have tried your
>                                                following steps:
>                                                /usr/lib64/mozldap/ldapsearch -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxx" -s base -b "" "objectclass=*"
>
>                                                 Then I got output like this:
>                                                 version: 1
>                                                 dn:
>                                                 currentTime: 20100817220245.0Z
>                                                 subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                 dsServiceName: CN=NTDS Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                                 namingContexts: DC=test,DC=ad
>                                                 namingContexts: CN=Configuration,DC=test,DC=ad
>                                                 namingContexts: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                 namingContexts: DC=DomainDnsZones,DC=test,DC=ad
>                                                 namingContexts: DC=ForestDnsZones,DC=test,DC=ad
>                                                 defaultNamingContext: DC=test,DC=ad
>                                                 schemaNamingContext: CN=Schema,CN=Configuration,DC=test,DC=ad
>                                                 configurationNamingContext: CN=Configuration,DC=test,DC=ad
>                                                 rootDomainNamingContext: DC=test,DC=ad
>                                                 supportedControl: 1.2.840.113556.1.4.319
>                                                 supportedControl: 1.2.840.113556.1.4.801
>                                                 supportedControl: 1.2.840.113556.1.4.473
>                                                 supportedControl: 1.2.840.113556.1.4.528
>                                                 supportedControl: 1.2.840.113556.1.4.417
>                                                 supportedControl: 1.2.840.113556.1.4.619
>                                                 supportedControl: 1.2.840.113556.1.4.841
>                                                 supportedControl: 1.2.840.113556.1.4.529
>                                                 supportedControl: 1.2.840.113556.1.4.805
>                                                 supportedControl: 1.2.840.113556.1.4.521
>                                                 supportedControl: 1.2.840.113556.1.4.970
>                                                 supportedControl: 1.2.840.113556.1.4.1338
>                                                 supportedControl: 1.2.840.113556.1.4.474
>                                                 supportedControl: 1.2.840.113556.1.4.1339
>                                                 supportedControl: 1.2.840.113556.1.4.1340
>                                                 supportedControl: 1.2.840.113556.1.4.1413
>                                                 supportedControl: 2.16.840.1.113730.3.4.9
>                                                 supportedControl: 2.16.840.1.113730.3.4.10
>                                                 supportedControl: 1.2.840.113556.1.4.1504
>                                                 supportedControl: 1.2.840.113556.1.4.1852
>                                                 supportedControl: 1.2.840.113556.1.4.802
>                                                 supportedControl: 1.2.840.113556.1.4.1907
>                                                 supportedControl: 1.2.840.113556.1.4.1948
>                                                 supportedControl: 1.2.840.113556.1.4.1974
>                                                 supportedControl: 1.2.840.113556.1.4.1341
>                                                 supportedControl: 1.2.840.113556.1.4.2026
>                                                 supportedControl: 1.2.840.113556.1.4.2064
>                                                 supportedControl: 1.2.840.113556.1.4.2065
>                                                 supportedLDAPVersion: 3
>                                                 supportedLDAPVersion: 2
>                                                 supportedLDAPPolicies: MaxPoolThreads
>                                                 supportedLDAPPolicies: MaxDatagramRecv
>                                                 supportedLDAPPolicies: MaxReceiveBuffer
>                                                 supportedLDAPPolicies: InitRecvTimeout
>                                                 supportedLDAPPolicies: MaxConnections
>                                                 supportedLDAPPolicies: MaxConnIdleTime
>                                                 supportedLDAPPolicies: MaxPageSize
>                                                 supportedLDAPPolicies: MaxQueryDuration
>                                                 supportedLDAPPolicies: MaxTempTableSize
>                                                 supportedLDAPPolicies: MaxResultSetSize
>                                                 supportedLDAPPolicies: MinResultSets
>                                                 supportedLDAPPolicies: MaxResultSetsPerConn
>                                                 supportedLDAPPolicies: MaxNotificationPerConn
>                                                 supportedLDAPPolicies: MaxValRange
>                                                 highestCommittedUSN: 73772
>                                                 supportedSASLMechanisms: GSSAPI
>                                                 supportedSASLMechanisms: GSS-SPNEGO
>                                                 supportedSASLMechanisms: EXTERNAL
>                                                 supportedSASLMechanisms: DIGEST-MD5
>                                                 dnsHostName: Windows.test.ad
>                                                 ldapServiceName: test.ad:windows$@TEST.AD
>                                                 serverName: CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=ad
>                                                 supportedCapabilities: 1.2.840.113556.1.4.800
>                                                 supportedCapabilities: 1.2.840.113556.1.4.1670
>                                                 supportedCapabilities: 1.2.840.113556.1.4.1791
>                                                 supportedCapabilities: 1.2.840.113556.1.4.1935
>                                                 supportedCapabilities: 1.2.840.113556.1.4.2080
>                                                 isSynchronized: TRUE
>                                                 isGlobalCatalogReady: TRUE
>                                                 domainFunctionality: 4
>                                                 forestFunctionality: 4
>                                                 domainControllerFunctionality: 4
>
>             Then I tried the next step:
>             /usr/lib64/mozldap/ldapsearch -ZZ -P /etc/dirsrv/slapd-XXXX-COM/cert8.db -h windows.test.ad -D "CN=administrator,CN=users,DC=test,DC=ad" -w "xxxxx" -s base -b "" "objectclass=*"
>
>             ldap_simple_bind: Can't contact LDAP server
>             TLS/SSL error -8179 (Peer's Certificate issuer is not recognized.)
>             Please help me to fix this.....
>
>           This usually means the SSL server's CA cert is not recognized.
>           What does this say:
>           certutil -d /etc/dirsrv/slapd-XXXX-COM -L
>           ?
>
>
>             On Tue, Aug 17, 2010 at 2:02 PM, Shan Kumaraswamy <shan.sysadm at gmail.com> wrote:
>
>               Hi Rich,
>               After I did all the steps, I am getting this error:
>               INFO:root:Added CA certificate /etc/dirsrv/slapd-XXXX-COM/adcert.cer to certificate database for tesipa001.test.com
>               INFO:root:Restarted directory server tesipa001.test.com
>               INFO:root:Could not validate connection to remote server windows.test.ad:636 - continuing
>               INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>               The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
>               Windows PassSync entry exists, not resetting password
>               INFO:root:Added new sync agreement, waiting for it to become ready . . .
>               INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
>               INFO:root:Agreement is ready, starting replication . . .
>               Starting replication, please wait until this has completed.
>               [saprhds001.bmibank.com] reports: Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
>               INFO:root:Added agreement for other host windows.test.ad
>
>               Please help me to fix this issue.
>               The syntax I used:
>               ipa-replica-manage add --winsync --binddn CN=Administrator,CN=Users,DC=test,DC=com --bindpw "password" --cacert /etc/dirsrv/slapd-TEST-COM/adcert.cer windows.test.ad -v --passsync "password"
>
>               On Mon, Aug 16, 2010 at 6:06 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>                 Shan Kumaraswamy wrote:
>
>                   Rich,
>                   While installing IPA it creates its own CA cert, right? (cacert.p12),
>
>                 Right.
>
>                   and also I did the step of exporting this CA file as dsca.crt.
>
>                 Right.  You have to do that so that AD can be an SSL client to the IPA SSL server.
>
>                   Please let me know the steps to generate the IPA CA and server cert?
>
>                 The other part is that you have to install the AD CA cert in IPA so that IPA can be the SSL client to the AD SSL server.
>
>                   On Mon, Aug 16, 2010 at 5:41 PM, Rich Megginson <rmeggins at redhat.com>
>         <mailto:rmeggins at redhat.com>>>>>
>                                              
>          <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>>>
>                                         <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>
>                              <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
>                       <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>
>                <mailto:rmeggins at redhat.com
>         <mailto:rmeggins at redhat.com>>>>>>>>>
>
>                    wrote:
>
>                        Shan Kumaraswamy wrote:
>
>                            Hi,
>
>                            I have deployed FreeIPA 1.2.1 in RHEL 5.5 and I want to sync with Active Directory (Windows 2008 R2). Can anyone please share a step-by-step configuration doc with me?
>
>                            Previously I have done the same exercise, but now that is not working for me and I am facing a lot of challenges to make this happen.
>
>                            Please find the steps exactly as I have done so far:
>
>                            1. Installed RHDS 8.1 and FreeIPA 1.2.1, configured them properly and tested that it is working fine.
>
>                            2. On the AD side, installed Active Directory Certificate Server as an Enterprise Root.
>
>                            3. Copied the “cacert.p12” file and imported it under Certificates – Service (Active Directory Domain Service) on Local Computer using MMC.
>
>                            4. Installed the PassSync.msi file and gave all the required information.
>
>                            5. Ran the command “certutil -d . -L -n "CA certificate" -a > dsca.crt” from the IPA server, copied the .crt file to the AD server, and ran the following commands from “cd "C:\Program Files\Red Hat Directory Password Synchronization"”:
>
>                            6. certutil.exe -d . -N
>
>                            7. certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt
>
>                            8. certutil.exe -d . -L -n "DS CA cert" and rebooted the AD server.
>
>                            After these steps, when I try to create a sync agreement from the IPA server I am getting this error:
>
>                            ldap_simple_bind: Can't contact LDAP server
>
>                            SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
>                            Please share the steps to configure AD Sync with the IPA server.
>
>                        http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
>                        But it looks as though there is a step missing. If you use MS AD CA to generate the AD cert, and use IPA to generate the IPA CA and server cert, then you have to import the MS AD CA cert into IPA.
>
>                            -- 
>                            Thanks & Regards
>                            Shan Kumaraswamy
>
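Rich's point above, that the IPA-side directory server must trust the issuer of the AD server certificate before the sync-agreement bind can succeed, can be checked on the IPA box from the NSS certdb listing. The following is an added example, not code from the thread or from FreeIPA, that parses certutil -L output and reports whether a CA nickname carries the C (trusted CA for SSL) flag; the slapd-INSTANCE path, the "Imported CA" nickname and the two sample listings are placeholders or constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a CA nickname in an
# NSS certdb carries the "C" (trusted CA for SSL) flag. The IPA directory
# server needs that on the AD CA before it accepts the AD server cert; without
# it NSS reports "SSL error -8179 (Peer's Certificate issuer is not recognized.)".
#
# Against a live instance (path as in the thread; INSTANCE is a placeholder):
#   certutil -d /etc/dirsrv/slapd-INSTANCE -L | ca_trusted_for_ssl "Imported CA"

# Read certutil -L output on stdin; exit 0 if nickname $1 is listed with a
# "C" in the first (SSL) trust column, 1 otherwise.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        # Data rows end in "<ssl>,<email>,<objsign>"; the nickname may contain
        # spaces, so take the flags from the last field and the rest as the name.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)
            split(flags, f, ",")
            if (name == nick && index(f[1], "C") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print "trusted" or "missing" for nickname $2 in the certutil -L text $1.
check_sample() {
    if printf '%s\n' "$1" | ca_trusted_for_ssl "$2"; then
        echo trusted
    else
        echo missing
    fi
}

# Constructed sample of certutil -L output before the missing step: only the
# IPA-generated server cert and IPA CA are present, so the SSL bind to AD
# fails with -8179.
SAMPLE_BEFORE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA certificate                                               CTu,u,u'

# Same database after importing the MS AD CA with
#   certutil -d /etc/dirsrv/slapd-INSTANCE -A -n "Imported CA" -t CT,, -a -i msadca.crt
SAMPLE_AFTER="$SAMPLE_BEFORE
Imported CA                                                  CT,,"

check_sample "$SAMPLE_BEFORE" "Imported CA"   # missing
check_sample "$SAMPLE_AFTER"  "Imported CA"   # trusted
```

The same check applies on the AD side to the PassSync certdb, where the nickname to look for is the "DS CA cert" imported in step 7.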