[Freeipa-users] AD Sync Error

Rich Megginson rmeggins at redhat.com
Mon Mar 8 15:30:59 UTC 2010


Shan Kumaraswamy wrote:
> Hi Rich,
>
> Sorry for the delayed reply. After I executed your command I am getting 
> the following error from my directory server. Please help me to 
> resolve this error.
>
> [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h 
> sbtaddc001.bmitest.com -p 636 -Z -P 
> /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D 
> CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b 
> "" "objectclass=*"
> ldap_simple_bind: Can't contact LDAP server
>         SSL error -5961 (TCP connection reset by peer.)
Is sbtaddc001.bmitest.com the real, registered DNS address for the 
Active Directory server?  On both the Linux machine and the Windows 
machine?
Does a reverse DNS lookup on the IP address return that hostname?
Is Active Directory configured to use/listen to SSL?
Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA 
cert of the Windows CA?
certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>
> On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Dear All,
>         I am facing the AD Sync issue with FreeIPA to Active
>         Directory, and as per the redhat-ds doc I have done all the
>         settings from AD front. please help me to resolve this issue.
>         And find the below error message:
>         [root at sbttipa001 ~]# ipa-replica-manage add --winsync
>         --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw
>         secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
>         sbtaddc001.bmitest.com -v --passsync bmi.123
>
>         Directory Manager password:
>         INFO:root:Shutting down dirsrv:
>            BMITEST-COM...                                         [  OK  ]
>         INFO:root:
>         INFO:root:
>         INFO:root:
>         INFO:root:Starting dirsrv:
>            BMITEST-COM...                                         [  OK  ]
>         INFO:root:
>         INFO:root:Added CA certificate
>         /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate
>         database for sbttipa001.bmitest.com
>         INFO:root:Restarted directory server sbttipa001.bmitest.com
>         INFO:root:Could not validate connection to remote server
>         sbtaddc001.bmitest.com:636 - continuing
>
>         INFO:root:The error was: {'info': 'error:14090086:SSL
>         routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>         failed', 'desc ': "Can't contact LDAP server"}
>         The user for the Windows PassSync service is
>         uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>         Windows PassSync entry exists, not resetting password
>         INFO:root:Added new sync agreement, waiting for it to become
>         ready . . .
>         INFO:root:Replication Update in progress: FALSE: status: 49  -
>         LDAP error: Invalid credentials: start: 0: end: 0
>         INFO:root:Agreement is ready, starting replication . . .
>         Starting replication, please wait until this has completed.
>         [sbttipa001.bmitest.com] reports: Update failed!
>         Status: [49  - LDAP error: Invalid credentials]
>         INFO:root:Added agreement for other host
>         sbtaddc001.bmitest.com
>
>     Error 49 usually means the password is not correct.  You can use
>     mozldap ldapsearch to test the connection like this:
>
>     /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P
>     /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>     CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b ""
>     "objectclass=*"
>
>         -- 
>         Thanks & Regards
>         Shan Kumaraswamy
>
>         ------------------------------------------------------------------------
>
>         _______________________________________________
>         Freeipa-users mailing list
>         Freeipa-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
> -- 
> Thanks & Regards
> Shan Kumaraswamy
>

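An added diagnostic, not part of this thread and not FreeIPA or mozldap code, that runs the checks Rich lists in order: forward DNS, reverse DNS agreement, and a TLS handshake to port 636 verified against the CA file loaded into the cert db, and maps the failure to the same symptoms seen in the thread (certificate verify failed versus connection reset by peer). DC_HOST and CA_FILE are placeholders; the resolver callables are injectable so the DNS check can be exercised without live DNS.

```python
"""Offline-testable LDAPS diagnostic for the FreeIPA -> AD winsync case
(added example; DC_HOST and CA_FILE are placeholders, not from the thread)."""
import socket
import ssl

DC_HOST = "dc.example.test"                       # placeholder AD DC hostname
CA_FILE = "/etc/dirsrv/slapd-EXAMPLE/adsync.cer"  # placeholder CA PEM file


def check_dns(host, resolver=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return (ip, reverse_name, consistent): does the PTR agree with the name?"""
    try:
        ip = resolver(host)
    except OSError:
        return None, None, False
    try:
        rname = reverse(ip)[0]
    except OSError:
        return ip, None, False
    return ip, rname, rname.rstrip(".").lower() == host.rstrip(".").lower()


def classify_tls_failure(exc):
    """Map a connect/handshake exception to the likely cause, by symptom."""
    msg = str(exc)
    if "certificate verify failed" in msg:
        return "ca-not-trusted"     # CA in the cert db does not chain to the DC cert
    if isinstance(exc, ConnectionResetError) or "reset by peer" in msg:
        return "tls-not-offered"    # DC dropped the handshake: LDAPS not enabled on DC
    if isinstance(exc, ConnectionRefusedError):
        return "port-closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "unreachable"
    if isinstance(exc, FileNotFoundError):
        return "ca-file-missing"
    return "unknown"


def check_ldaps(host=DC_HOST, ca_file=CA_FILE, port=636, timeout=5):
    """Attempt a verified TLS handshake on 636; return (verdict, detail)."""
    try:
        ctx = ssl.create_default_context(cafile=ca_file)  # chain + hostname check
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return classify_tls_failure(exc), str(exc)
```

A verdict of "ca-not-trusted" corresponds to the first error in the thread (the CA in the cert db does not sign the DC certificate), while "tls-not-offered" corresponds to the later SSL -5961 reset, which points at the DC side rather than the cert db.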


