[Freeipa-users] AD Sync Error

Rich Megginson rmeggins at redhat.com
Tue Mar 9 15:16:44 UTC 2010


Please keep replies on list

Shan Kumaraswamy wrote:
> Rich,
>  
>  
> Does a reverse DNS lookup on the IP address return that hostname? -Yes
>  
> Is Active Directory configured to use/listen to SSL? -Yes, Active 
> Directory Cert Auth installed, exported and verified.
>
>  
> Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain the CA 
> cert of the windows CA? -yes "Imported CA cert"
>
> certutil -L -d /etc/dirsrv/slapd-BMITEST-COM - It's listing the installed cert
> I am trying to create a sync agreement from the IPA server using the following 
> syntax:
>  
> ipa-replica-manage add --winsync --binddn 
> CN=Administrator,CN=Users,CN=Accounts,DC=bmitest,DC=com --bindpw 
> secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/dsca.cer 
> sbtaddc001.bmitest.com -v
>  
> Please correct me where I am doing wrong?
ldap_simple_bind: Can't contact LDAP server
       SSL error -5961 (TCP connection reset by peer.)

This usually indicates some low level error.  Let's try this:
/usr/lib64/mozldap/ldapsearch -h sbtaddc001.bmitest.com -D 
"CN=administrator,CN=users,DC=bmitest,DC=com" -w "secretpw" -s base -b 
"" "objectclass=*"

Does that work?
>
> On Mon, Mar 8, 2010 at 6:30 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     Shan Kumaraswamy wrote:
>
>         Hi Rich,
>
>         Sorry for the delayed reply. After I executed your command I am
>         getting the following error from my directory server. Please
>         help me to resolve this error.
>
>         [root at sbttipa001 ~]# /usr/lib64/mozldap/ldapsearch -h
>         sbtaddc001.bmitest.com -p 636 -Z -P
>         /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>         CN=administrator,CN=users,DC=bmitest,DC=com -w "secretpw" -s
>         base -b "" "objectclass=*"
>
>         ldap_simple_bind: Can't contact LDAP server
>                SSL error -5961 (TCP connection reset by peer.)
>
>     Is sbtaddc001.bmitest.com
>     the real, registered DNS address for the Active Directory server?
>     On both the linux machine and the windows machine?
>     Does a reverse DNS lookup on the IP address return that hostname?
>     Is Active Directory configured to use/listen to SSL?
>     Does the cert db /etc/dirsrv/slapd-BMITEST-COM/cert8.db contain
>     the CA cert of the windows CA?
>     certutil -L -d /etc/dirsrv/slapd-BMITEST-COM
>
>
>         On Wed, Feb 24, 2010 at 6:20 PM, Rich Megginson
>         <rmeggins at redhat.com> wrote:
>
>            Shan Kumaraswamy wrote:
>
>                Dear All,
>                I am facing the AD Sync issue with FreeIPA to Active
>                Directory, and as per the redhat-ds doc I have done all the
>                settings from the AD front. Please help me to resolve this
>                issue.
>                And find the below error message:
>                [root at sbttipa001 ~]# ipa-replica-manage add --winsync
>                --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw
>                secretpw --cacert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer
>                sbtaddc001.bmitest.com -v --passsync bmi.123
>
>                Directory Manager password:
>                INFO:root:Shutting down dirsrv:
>                   BMITEST-COM...                                      [  OK  ]
>                INFO:root:
>                INFO:root:
>                INFO:root:
>                INFO:root:Starting dirsrv:
>                   BMITEST-COM...                                      [  OK  ]
>                INFO:root:
>                INFO:root:Added CA certificate
>                /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate
>                database for sbttipa001.bmitest.com
>
>                INFO:root:Restarted directory server sbttipa001.bmitest.com
>
>                INFO:root:Could not validate connection to remote server
>                sbtaddc001.bmitest.com:636 - continuing
>
>                INFO:root:The error was: {'info': 'error:14090086:SSL
>                routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>                failed', 'desc ': "Can't contact LDAP server"}
>                The user for the Windows PassSync service is
>                uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com
>                Windows PassSync entry exists, not resetting password
>                INFO:root:Added new sync agreement, waiting for it to become
>                ready . . .
>                INFO:root:Replication Update in progress: FALSE: status: 49  -
>                LDAP error: Invalid credentials: start: 0: end: 0
>                INFO:root:Agreement is ready, starting replication . . .
>                Starting replication, please wait until this has completed.
>                [sbttipa001.bmitest.com] reports: Update failed!
>                Status: [49  - LDAP error: Invalid credentials]
>                INFO:root:Added agreement for other host sbtaddc001.bmitest.com
>
>
>            Error 49 usually means the password is not correct.  You can use
>            mozldap ldapsearch to test the connection like this:
>
>            /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P
>            /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D
>            CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b ""
>            "objectclass=*"
>
>                --
>                Thanks & Regards
>                Shan Kumaraswamy
>
>
>                _______________________________________________
>                Freeipa-users mailing list
>                Freeipa-users at redhat.com
>                https://www.redhat.com/mailman/listinfo/freeipa-users
>
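The two failures in this thread look alike at the ldapsearch level ("Can't contact LDAP server") but point at different layers: "certificate verify failed" from ipa-replica-manage means the TLS handshake reached the DC's certificate and the imported CA did not verify it, while NSS error -5961 (TCP connection reset by peer) means the connection was dropped before a certificate was ever checked. Below is an added diagnostic script, not from the thread or from FreeIPA, that automates the checks Rich asks for: it resolves the DC name forward and back, then attempts a TLS handshake to port 636 with the CA file the agreement would use and classifies what went wrong. The hostname and CA path are the thread's; the mapping from failure class to likely cause in HINTS is my assumption, not something the list confirms.

```python
"""LDAPS reachability and CA-trust probe for a winsync target (added example)."""
import socket
import ssl
import sys

# Constructed hints: which layer each failure class usually points at.
# The attribution of causes is an assumption drawn from the two errors in the thread.
HINTS = {
    "dns": "name does not resolve: check /etc/hosts, resolv.conf and the AD DNS zone",
    "refused": "nothing listening on the port: LDAPS is not enabled on the DC",
    "reset": "TCP reset during the handshake (the -5961 case): the DC accepted the "
             "socket but has no usable server certificate, or the port is not LDAPS",
    "timeout": "no answer: a firewall sits between the IPA server and the DC",
    "cert-verify": "certificate received but not verified (the 'certificate verify "
                   "failed' case): the CA file is not the issuer of the DC's cert, "
                   "or the cert's name does not match the hostname used",
    "tls": "other TLS failure: protocol or cipher mismatch",
    "other": "unclassified socket error",
}


def check_dns(hostname):
    """Forward-resolve hostname, then reverse-resolve each address.

    Returns (ip, reverse_name, matches) per address so you can see whether
    reverse DNS gives back the same name the sync agreement will use.
    """
    rows = []
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})
    for ip in addrs:
        try:
            reverse = socket.gethostbyaddr(ip)[0]
        except OSError:  # socket.herror derives from OSError
            reverse = None
        rows.append((ip, reverse, bool(reverse) and reverse.lower() == hostname.lower()))
    return rows


def classify_error(exc):
    """Map the exception from a failed probe onto one of the HINTS keys."""
    if isinstance(exc, ssl.SSLCertVerificationError):  # subclass of SSLError: test first
        return "cert-verify"
    if isinstance(exc, ssl.SSLError):
        return "tls"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, ConnectionResetError):
        return "reset"
    if isinstance(exc, (socket.timeout, TimeoutError)):  # socket.timeout aliases TimeoutError on 3.10+
        return "timeout"
    return "other"


def tls_probe(hostname, port=636, cafile=None, timeout=5.0):
    """Do the handshake ldapsearch -Z would do and report the outcome as a dict.

    cafile is the PEM CA certificate (the thread's dsca.cer / adsync.cer). With
    None the system trust store is used, which is rarely right for a private AD CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "status": "ok", "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except OSError as exc:  # ssl.SSLError and every socket error derive from OSError
        status = classify_error(exc)
        detail = getattr(exc, "verify_message", None) or str(exc)
        return {"ok": False, "status": status, "detail": detail, "hint": HINTS[status]}


if __name__ == "__main__":
    # Usage: ldaps_probe.py [dc-hostname] [ca-file]; defaults are the thread's values.
    host = sys.argv[1] if len(sys.argv) > 1 else "sbtaddc001.bmitest.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/etc/dirsrv/slapd-BMITEST-COM/dsca.cer"
    try:
        for ip, rev, ok in check_dns(host):
            print(f"{host} -> {ip} -> {rev} {'OK' if ok else 'MISMATCH'}")
    except OSError as exc:
        print(f"DNS: {exc} ({HINTS['dns']})")
    print(tls_probe(host, cafile=ca))
```

A "reset" result with the DNS rows matching says the problem is on the DC (no LDAPS listener or no server certificate), so re-running ipa-replica-manage with a different CA file will not help; a "cert-verify" result says the port is fine and the CA file or the hostname in the certificate is what needs fixing. Note that the CA file here must be PEM; if the export from the Windows CA was DER, convert it first.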
