[Freeipa-users] openldap to ipa

Johnathan Phan john at ox-consulting.com
Mon Jan 14 09:19:06 UTC 2013


Hi Aquino,

Thanks for the input; however, there is a CRT in there already and it was
set to allow on both the IPA server and the target OpenLDAP server.
The core of the issue seems to be that IPA does not accept the cert, either
locally or remotely, as it does not trust it.

Anyone know how I can troubleshoot this? I have reviewed the dirsrv logs for
LDAP and I can't spot anything.

Regards
John


On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <JR.Aquino at citrix.com> wrote:

> Try editing /etc/openldap/ldap.conf:
>
> TLS_CACERT      /etc/ipa/ca.crt
> TLS_REQCERT allow
>
>
> See if that helps
>
> "Keeping your head in the cloud"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Exploit Researcher and Advanced Penetration Tester |
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aquino at citrix.com
> http://www.citrixonline.com
>
> On Jan 11, 2013, at 8:05 AM, Johnathan Phan <john at ox-consulting.com> wrote:
>
> Hi There,
>
> This is driving me up the wall.
>
> I have two servers. One is a live OpenLDAP/Kerberos AAA server running on
> RHEL6. The LDAP service has SSL/TLS support. The second server is a test
> environment running on Fedora and has IPA 3.1 installed.
>
> As a last step of my POC I need to migrate the users and passwords from
> the LDAP server to IPA server.
>
> I ran this command perfectly fine.
>
> ipa config-mod --enable-migration=TRUE
>
> However the next step was where my issues began.
>
> In the end, after a lot of IRC communication and troubleshooting, I now run
> the following command.
>
> ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com"
> --user-container="ou=users,ou=live,dc=example,dc=com"
> --group-container="ou=groups,ou=live,dc=example,dc=com"
> ldaps://ldap1.live.example.com
>
> I get the following error.
>
> ipa: DEBUG: Caught fault 4203 from server
> http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP
> server: TLS error -8179:Peer's Certificate issuer is not recognized.
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate
> issuer is not recognized.
>
> I have summarized that the IPA server does not trust the cert served by
> the OpenLDAP server, or the other way around. Does anyone know how to get
> around this, or otherwise allow me to finish the migration of user data?
>
> Regards
>
> John
>
> --
> Johnathan Phan
>
> T: +44 (0)784 118 7080
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Johnathan Phan
ox-consulting

T: +44 (0)784 118 7080
john at ox-consulting.com

www.ox-consulting.com

OX CONSULTING Ltd is registered in England & Wales, number: 07113039,
registered address as above.

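Added example (not part of the mailing list thread, and not FreeIPA or OpenLDAP code): the error quoted above, "Peer's Certificate issuer is not recognized", means the LDAP client could not chain the OpenLDAP server's certificate to any CA it trusts. Pointing TLS_CACERT at the IPA CA does not help unless that CA actually issued the OpenLDAP server's certificate, and setting TLS_REQCERT to allow makes the connection succeed only because verification failures are then ignored, which leaves the migration bind (and the admin password it carries) open to anyone who can answer on port 636. The script below parses ldap.conf-style text and flags settings that disable or weaken server certificate verification, with the thread's suggested workaround beside a hardened version; both sample configurations and the CA file path in FIXED_CONF are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for TLS settings that weaken server
certificate verification.

Added example for this thread; it is not FreeIPA or OpenLDAP code. The two
sample configurations and the CA path in FIXED_CONF are constructed.
"""

# Meaning of TLS_REQCERT values, per ldap.conf(5):
#   never       - no server certificate is requested or checked
#   allow       - certificate requested; a missing or bad certificate is ignored
#   try         - certificate requested; missing is ignored, bad is rejected
#   demand/hard - certificate required and must verify (the default)
WEAK_REQCERT = {"never", "allow"}

# Constructed sample: the workaround suggested in the thread. TLS_CACERT
# points at the IPA CA, which did not issue the OpenLDAP server's certificate,
# and "allow" silently accepts the resulting verification failure.
WEAK_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
TLS_CACERT      /etc/ipa/ca.crt
TLS_REQCERT allow
"""

# Constructed sample: trust the CA that actually issued the OpenLDAP server's
# certificate (the path is an assumption) and keep strict verification.
FIXED_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
TLS_CACERT      /etc/openldap/certs/live-ldap-ca.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into {KEY: value}.

    Keys are case-insensitive in ldap.conf(5), so they are upper-cased here;
    blank lines and '#' comments are skipped; a repeated key keeps its last
    value. Values are returned exactly as written.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def audit_tls(settings):
    """Return a list of findings about server certificate verification.

    An empty list means the client will demand a server certificate and
    reject the session unless it chains to a configured trust anchor.
    """
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified, so "
            "the client will bind to any host presenting any certificate")
    elif reqcert == "try":
        findings.append(
            "TLS_REQCERT try: a server that presents no certificate is accepted")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: no trust anchor is configured in this "
            "file, so verification depends on the TLS library's default store")
    return findings


def audit_text(text):
    """Parse and audit in one call."""
    return audit_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {audit_text(conf) or ['OK']}")
```

The durable fix for the thread's error is the FIXED_CONF shape: install the certificate of the CA that signed the OpenLDAP server's certificate on the machine running `ipa migrate-ds`, reference it with TLS_CACERT, and leave TLS_REQCERT at demand so a wrong or substituted certificate still fails loudly.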