[Freeipa-users] IPA AD Sync error

Shan Kumaraswamy shan.sysadm at gmail.com
Tue Sep 21 08:49:21 UTC 2010


Hi Rich,
While executing your command (ldapsearch), I am getting the following output:

Command:
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
/etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

Output:
ldap_search: Can't contact LDAP server
        SSL error -8179 (Peer's Certificate issuer is not recognized.)

Command:
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
fqdn.of.ad.hostname -p 389 -Z -s base -b ""

Output:
[root at saprhds001 ~]#
LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1
-x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg:  mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)

Please help to resolve this issue.




On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson <rmeggins at redhat.com> wrote:

> Shan Kumaraswamy wrote:
>
>> Rich,
>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>>  Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error:
>> Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [saprhds001.bmibank.com] reports: Update
>> failed! Status: [81  - LDAP error: Can't contact LDAP server]
>>
>> I have imported the right CA to the IPA box and the output is:
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CA certificate                                               CTu,u,Cu
>> Imported CA                                                  CT,,C
>> Server-Cert                                                  u,u,u
>> And I also did the openssl s_client option, but no luck.
>>
> What exactly did you do with openssl s_client?
>
> Did you try
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P
> /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h
> fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
>> Without cert, when I try ldapsearch it gives output, but with cert (AD
>> CA) it throws an error.
>>  Please help me fix this issue.
>>
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>


-- 
Thanks & Regards
Shan Kumaraswamy
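Added example, not from this thread or from the FreeIPA project: a stdlib-only Python script that reproduces the `LDAPTLS_CACERT=... ldapsearch -d 1 -Z` check from Rich's reply (LDAP StartTLS extended request, then a TLS handshake verified against the AD CA file), so that a CA verification failure is reported on its own instead of collapsing into "Can't contact LDAP server". The host name and CA path are placeholders; as with OpenSSL-based ldapsearch, the CA file must be PEM, not a DER `.cer`.

```python
import socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def starttls_request(msgid=1):
    """LDAPMessage{messageID, [APPLICATION 23] ExtendedRequest{[0] requestName}}; 31 bytes for msgid 1 (all lengths < 128, short form)."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    op = b"\x77" + bytes([len(name)]) + name
    mid = b"\x02\x01" + bytes([msgid])
    return b"\x30" + bytes([len(mid) + len(op)]) + mid + op

def _tlv(buf, i):
    """Read one BER TLV at offset i -> (tag, value bytes, offset after it)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                       # long-form length (responses may carry an errorMessage)
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, buf[i:i + n], i + n

def parse_extended_response(data):
    """Return (messageID, resultCode) from an [APPLICATION 24] ExtendedResponse."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, i = _tlv(msg, 0)
    tag2, op, _ = _tlv(msg, i)
    if tag != 0x02 or tag2 != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _tlv(op, 0)         # resultCode is the leading ENUMERATED (0x0a)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

def check_ad_starttls(host, cafile, port=389, timeout=10):
    """StartTLS on the plain LDAP port, then a TLS handshake verified against cafile (PEM).
    Returns 'ok: ...' or a string naming the exact failure (StartTLS refused / X509 verify error)."""
    sock = socket.create_connection((host, port), timeout)
    sock.sendall(starttls_request(1))
    msgid, code = parse_extended_response(sock.recv(4096))   # demo: assumes one read returns the whole response
    if msgid != 1 or code != 0:
        return f"StartTLS refused: msgid={msgid} resultCode={code}"
    ctx = ssl.create_default_context(cafile=cafile)          # hostname + chain verification on
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as e:                # e.g. 'unable to get local issuer certificate' (err 20)
        return f"verify failed: {e.verify_message} (X509 err {e.verify_code})"
    issuer = dict(ava[0] for ava in tls.getpeercert()["issuer"])
    tls.close()
    return f"ok: issuer CN={issuer.get('commonName')}"
```

Run it as `check_ad_starttls("fqdn.of.ad.hostname", "/path/to/adcacert.pem")`; a "verify failed" result with err 20 means the file given is not the CA that issued the DC's certificate (compare its subject with the issuer shown in the `-d 1` output above).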