[Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0

dont at killbrad.com dont at killbrad.com
Tue Jan 11 15:54:51 UTC 2011


Hi all,

  It seems something broke somewhere along the line when I was trying to
set up Windows Sync.  Please take a look at the following outputs.  I can
connect both directions manually via SSL, but the actual ipa-replica-manage
script seems to be pulling certs from somewhere else.  The current sync
between ipaserver-01 & ipaserver-02 is working fine.  If anyone has any
suggestions, I would be open to them.  Thanks!

example.local = active directory domain
example.com = ipa realm
-----

[root at ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCertCA                                                   CT,,C
AD CA cert                                                   CT,,C
ipaserver-01                                                 u,u,u

#-----
# everything looks right
#-----

[root at ipaserver-01 ~]#
[root at ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "passsync at example.local" -w 'notrealpassword' -s base -b "" "objectclass=*"
version: 1
dn:
currentTime: 20110111153848.0Z
...
...
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
...
...
dnsHostName: adserver-01.example.local
ldapServiceName: example.local:adserver-01$@example.local
...
...
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 3
forestFunctionality: 3
domainControllerFunctionality: 3
[root at ipaserver-01 ~]#

#-----
# good valid results for the query [reduced for clarity]
#-----


[root at ipaserver-01 ~]# ipa-replica-manage list
Directory Manager password:
unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
[root at ipaserver-01 ~]#

#-----
# welp, it looks like something is broken somewhere..
#-----
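A note on reading the two results side by side: the mozldap ldapsearch above is pointed at the NSS database (cert8.db) with -P and succeeds, while ipa-replica-manage fails with an error dict in python-ldap's format whose message text (error:14090086, SSL3_GET_SERVER_CERTIFICATE) is OpenSSL's. Two clients, two trust stores. The NSS half of that question can be answered mechanically from the certutil listing. The script below is an added example, not part of the original post and not FreeIPA code; the sample listing is constructed from the certutil output quoted above, and the function names and flag legend are this example's own (the legend follows certutil's trust-flag letters).

```python
"""Decode the trust attributes that `certutil -L` prints for an NSS database.

Added example; not part of the original post and not FreeIPA code.
The sample listing is constructed from the certutil output quoted in the
post. Function names are this example's own.
"""
import re

# Constructed sample: the certutil -L listing quoted in the post, laid out
# the way certutil prints it (two header lines, then one line per cert).
SAMPLE_CERTUTIL_OUTPUT = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCertCA                                                   CT,,C
AD CA cert                                                   CT,,C
ipaserver-01                                                 u,u,u
"""

# Letters NSS uses in a trust column. Each column is one usage
# (SSL, S/MIME, object signing); the columns are comma-separated.
FLAG_MEANINGS = {
    "C": "trusted CA to issue server certs",
    "T": "trusted CA to issue client certs",
    "c": "valid CA (not trusted)",
    "P": "trusted peer certificate",
    "p": "valid peer certificate",
    "u": "user certificate (private key in this database)",
    "w": "send warning when used",
}

_FLAGS = "".join(FLAG_MEANINGS)
# A cert line is a nickname (may contain spaces, e.g. "AD CA cert"),
# whitespace, then the three-column trust string. The header lines never
# match because their last token is not three comma-separated flag groups.
_CERT_LINE = re.compile(
    rf"^(?P<nick>.+?)\s+(?P<trust>[{_FLAGS}]*,[{_FLAGS}]*,[{_FLAGS}]*)$"
)


def parse_certutil_listing(text):
    """Map each nickname to its (ssl, smime, objsign) trust flag strings."""
    entries = {}
    for raw in text.splitlines():
        m = _CERT_LINE.match(raw.strip())
        if m:
            ssl, smime, objsign = m.group("trust").split(",")
            entries[m.group("nick")] = (ssl, smime, objsign)
    return entries


def describe_flags(flags):
    """Expand one trust column (e.g. 'CT') into its meanings; '' = no trust."""
    if not flags:
        return ["no trust for this usage"]
    return [FLAG_MEANINGS[f] for f in flags]


def ssl_trusted_cas(entries):
    """Nicknames NSS will accept as trust anchors when verifying a server cert."""
    return sorted(nick for nick, (ssl, _, _) in entries.items() if "C" in ssl)


def server_cert_would_verify(entries, ca_nickname):
    """True when the CA that signed the peer's cert is an SSL anchor in this db.

    This answers the NSS-side question only. A client that links OpenSSL
    never opens cert8.db and must be given the same CA as a PEM file.
    """
    return ca_nickname in ssl_trusted_cas(entries)


if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_CERTUTIL_OUTPUT)
    for nick, (ssl, smime, objsign) in certs.items():
        print(f"{nick}: SSL column {ssl!r} -> {describe_flags(ssl)}")
    print("SSL trust anchors in this NSS db:", ssl_trusted_cas(certs))
    print("AD CA cert usable for verifying the AD server:",
          server_cert_would_verify(certs, "AD CA cert"))
```

On the sample it reports DigiCertCA and "AD CA cert" as SSL trust anchors and ipaserver-01 as a user cert only, which matches the successful mozldap query. An OpenSSL-based client needs that CA in PEM form; certutil can write it out with `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "AD CA cert" -a`, and an OpenLDAP-linked client reads its CA file from the TLS_CACERT setting in ldap.conf.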