Linux Archive (http://www.linux-archive.org/) - Fedora Directory - win sync error (http://www.linux-archive.org/fedora-directory/542072-win-sync-error.html)

solarflow99 06-20-2011 08:47 PM

win sync error
 
I have set up a Windows sync agreement, and have followed the instructions, however I am seeing this error, even when I do an ldapsearch command from the 389 server:

ldap_simple_bind: Can't contact LDAP server
******* SSL error -8179 (Peer's Certificate issuer is not recognized.)

I'm using self signed certs, did I miss something?



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 06-21-2011 05:06 PM

win sync error
 
On 06/20/2011 02:47 PM, solarflow99 wrote:
> I have set up a Windows sync agreement, and have followed the instructions, however I am seeing this error, even when I do an ldapsearch command from the 389 server:
>
> ldap_simple_bind: Can't contact LDAP server
> ******* SSL error -8179 (Peer's Certificate issuer is not recognized.)
>
> I'm using self signed certs, did I miss something?

Probably. There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS. Which instructions did you follow?

solarflow99 06-21-2011 05:25 PM

win sync error
 
> > I'm using self signed certs, did I miss something?
>
> Probably. There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS. Which instructions did you follow?

From the docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

and I went over everything else I could possibly find too. It seems in the case of self signed certificates, the Windows CA has to be exported as a .cer file, and imported in 389 with:

certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer

solarflow99 06-21-2011 05:52 PM

win sync error
 
On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> On 06/21/2011 11:23 AM, solarflow99 wrote:
> > > > I'm using self signed certs, did I miss something?
> > >
> > > Probably. There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS. Which instructions did you follow?
> >
> > From the docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>
> The 8.2 docs are better
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
>
> > and I went over everything else I could possibly find too. It seems in the case of self signed certificates,
>
> Are you talking about self signed certs for 389 or for AD?

I guess that would be both. This is all internal so no servers need real third party signed certificates, just trying to get it to work.

> > the Windows CA has to be exported as a .cer file, and imported in 389 with: certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
>
> Yes, that is correct. So what's the problem?

It wasn't mentioned anywhere, so once I guessed what had to be done, now I'm getting a different error:

# /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword -b "cn=users,dc=389testdomain,dc=local" "objectclass=*"
ldapsearch: started Tue Jun 21 08:41:15 2011
ldap_init( 10.10.10.210, 636 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Rich Megginson 06-21-2011 06:51 PM

win sync error
 
On 06/21/2011 11:52 AM, solarflow99 wrote:
> On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> > On 06/21/2011 11:23 AM, solarflow99 wrote:
> > > > > I'm using self signed certs, did I miss something?
> > > >
> > > > Probably. There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS. Which instructions did you follow?
> > >
> > > From the docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> >
> > The 8.2 docs are better
> >
> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
> >
> > > and I went over everything else I could possibly find too. It seems in the case of self signed certificates,
> >
> > Are you talking about self signed certs for 389 or for AD?
>
> I guess that would be both. This is all internal so no servers need real third party signed certificates, just trying to get it to work.

Ok, I'm confused. The RHDS 8.2 Admin Guide talks about setting up AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode, creating a cert request, and using MS CA to issue the AD server cert. It doesn't say anything about creating self signed certs for AD.

> > > the Windows CA has to be exported as a .cer file, and imported in 389 with: certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
> >
> > Yes, that is correct. So what's the problem?
>
> It wasn't mentioned anywhere, so once I guessed what had to be done, now I'm getting a different error:
>
> # /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword -b "cn=users,dc=389testdomain,dc=local" "objectclass=*"
> ldapsearch: started Tue Jun 21 08:41:15 2011
> ldap_init( 10.10.10.210, 636 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

> -D "cn=administrator"

You have to use the full DN - something like -D "cn=administrator,cn=users,dc=389testdomain,dc=local"
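The two failures in this thread are worth being able to recognise mechanically: the NSS error -8179 on the first attempt (the AD server's issuer was not in the 389 cert db), and AD's "data 52e" once the CA had been imported but the bind still used the bare -D "cn=administrator". The script below is an added example, not code from the thread or from the 389/mozldap project. It reads ldapsearch output of the kind posted above and names the cause of each failure; the function names (diagnose, is_full_dn, bind_dn_from_command, split_dn) are my own, the NSS error numbers and AD bind sub-codes in the tables are the standard published values, and the sample input is the two runs posted in the thread.

```python
"""Classify bind failures from mozldap ldapsearch output (added example, not from the thread)."""
import re
import shlex

# NSS error numbers as printed by the mozldap tools ("SSL error -8179").
# Values are the standard NSS constants (SEC_ERROR_BASE = -8192, SSL_ERROR_BASE = -12288).
NSS_ERRORS = {
    -8179: ("SEC_ERROR_UNKNOWN_ISSUER",
            'peer cert chains to a CA missing from the cert db; import the CA with certutil -A -t "CT,,"'),
    -8172: ("SEC_ERROR_UNTRUSTED_ISSUER",
            "issuer is in the cert db but lacks the C (trusted CA) flag"),
    -12276: ("SSL_ERROR_BAD_CERT_DOMAIN",
             "host name or IP used for the connection is not in the certificate"),
}

# Active Directory sub-codes from "AcceptSecurityContext error, data NNN".
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or a bind DN that AD cannot resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

SSL_RE = re.compile(r"SSL error (-\d+)")
AD_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
CMD_RE = re.compile(r"^#\s*(\S*ldapsearch\b.*)$")  # the echoed command line

# Sample input: the two runs posted in the thread (trimmed to the relevant lines).
FIRST_RUN = (
    "ldap_simple_bind: Can't contact LDAP server\n"
    "******* SSL error -8179 (Peer's Certificate issuer is not recognized.)\n"
)
SECOND_RUN = (
    '# /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db '
    '-h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword '
    '-b "cn=users,dc=389testdomain,dc=local" "objectclass=*"\n'
    "ldapsearch: started Tue Jun 21 08:41:15 2011\n"
    "ldap_init( 10.10.10.210, 636 )\n"
    "ldap_simple_bind: Invalid credentials\n"
    "ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1\n"
)


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return [r for r in rdns if r]


def is_full_dn(dn):
    """AD simple bind needs the entry's whole DN; a lone RDN like cn=administrator is not one."""
    return len(split_dn(dn)) >= 2


def bind_dn_from_command(cmdline):
    """Return the -D argument of an ldapsearch command line, or None if absent."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for i, arg in enumerate(argv):
        if arg == "-D" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-D") and len(arg) > 2:
            return arg[2:]
    return None


def diagnose(output):
    """Return (code, explanation) findings for the output of one ldapsearch run."""
    findings = []
    for line in output.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            dn = bind_dn_from_command(m.group(1))
            if dn is not None and not is_full_dn(dn):
                findings.append(("bind-dn", f'-D "{dn}" is a bare RDN; AD expects the full DN'))
        m = SSL_RE.search(line)
        if m:
            name, why = NSS_ERRORS.get(int(m.group(1)), ("unknown NSS error", "not in table"))
            findings.append((name, why))
        m = AD_RE.search(line)
        if m:
            data = m.group(1).lower()
            findings.append((f"AD data {data}", AD_BIND_DATA.get(data, "sub-code not in table")))
    return findings


if __name__ == "__main__":
    for label, run in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label)
        for code, why in diagnose(run):
            print(f"  {code}: {why}")
```

Two details the tables encode are easy to miss when following the thread. For a CA certificate imported without its private key, trust flags of "CT,," are what matter (the C flag is what clears -8179); the u flags only mean the db also holds that cert's key. And because the connection above is made to the IP 10.10.10.210 with -Z, the AD server's certificate has to cover that address, otherwise the next failure after fixing the issuer is -12276 rather than a successful bind.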

solarflow99 06-22-2011 05:37 PM

win sync error
 
On Tue, Jun 21, 2011 at 2:51 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> On 06/21/2011 11:52 AM, solarflow99 wrote:
> > On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> > > On 06/21/2011 11:23 AM, solarflow99 wrote:
> > > > > > I'm using self signed certs, did I miss something?
> > > > >
> > > > > Probably. There are many steps involved in getting winsync to use TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS. Which instructions did you follow?
> > > >
> > > > From the docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> > >
> > > The 8.2 docs are better
> > >
> > > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync-About_Windows_Sync
> > >
> > > > and I went over everything else I could possibly find too. It seems in the case of self signed certificates,
> > >
> > > Are you talking about self signed certs for 389 or for AD?
> >
> > I guess that would be both. This is all internal so no servers need real third party signed certificates, just trying to get it to work.
>
> Ok, I'm confused. The RHDS 8.2 Admin Guide talks about setting up AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode, creating a cert request, and using MS CA to issue the AD server cert. It doesn't say anything about creating self signed certs for AD.

Ya, that's what I mean. It would be nice if there was an example of getting this to work with self signed certs. I could add that to the wiki if that would be useful for anyone else.

> > # /usr/lib64/mozldap/ldapsearch -v -Z -P /etc/dirsrv/slapd-ldapserver/cert8.db -h 10.10.10.210 -p 636 -D "cn=administrator" -w mypassword -b "cn=users,dc=389testdomain,dc=local" "objectclass=*"
> > ldapsearch: started Tue Jun 21 08:41:15 2011
> > ldap_init( 10.10.10.210, 636 )
> > ldaptool_getcertpath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> > ldaptool_getkeypath -- /etc/dirsrv/slapd-ldapserver/cert8.db
> > ldaptool_getmodpath -- (null)
> > ldaptool_getdonglefilename -- (null)
> > ldap_simple_bind: Invalid credentials
> > ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
>
> > -D "cn=administrator"
>
> You have to use the full DN - something like -D "cn=administrator,cn=users,dc=389testdomain,dc=local"

Got it! thanks,