I have set up a Windows sync agreement, and have followed the instructions, however I am seeing this error, even when I do an ldapsearch command from the 389 server:
ldap_simple_bind: Can't contact LDAP server
******* SSL error -8179 (Peer's Certificate issuer is not recognized.)
I'm using self signed certs, did I miss something?
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
06-21-2011, 05:06 PM
Rich Megginson
win sync error
On 06/20/2011 02:47 PM, solarflow99 wrote:
I have set up a Windows sync agreement, and have
followed the instructions, however I am seeing this error, even
when I do an ldapsearch command from the 389 server:
ldap_simple_bind: Can't contact LDAP server
******* SSL error -8179 (Peer's Certificate issuer is not
recognized.)
I'm using self signed certs, did I miss something?
Probably. There are many steps involved in getting winsync to use
TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to
talk to DS. Which instructions did you follow?
06-21-2011, 05:25 PM
solarflow99
win sync error
I'm using self signed certs, did I miss something?
Probably. There are many steps involved in getting winsync to use
TLS/SSL to talk to AD, and getting AD PassSync to use TLS/SSL to
talk to DS. Which
From the Docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
and I went over everything else I could possibly find too. It seems in the case of self signed certificates, the Windows CA has to be exported as a .cer file, and imported in 389 with: certutil -d . -A -n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
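Added example (not part of the thread and not 389 DS code): SSL error -8179 is NSS's "unknown issuer" error, so after the `certutil -A` import above the AD CA should appear in `certutil -L -d .` with `C` in the first (SSL) trust field. The helper name `ca_trusted_for_ssl` is hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Check that a CA nickname in an NSS database is trusted for SSL.
# Input on stdin: the output of `certutil -L -d <dir>`.
# The trust column has three comma-separated fields: SSL,S/MIME,object signing.
# The issuer of a peer server certificate is accepted only if the SSL
# field of that CA entry contains "C".

ca_trusted_for_ssl() {
    # $1 = nickname exactly as given to `certutil -A -n`
    awk -v nick="$1" '
        NF >= 2 {
            trust = $NF                              # last column, e.g. "CT,,"
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
            sub(/^[ \t]+/, "", name)                 # drop leading blanks
            if (name == nick) {
                found = 1
                split(trust, f, ",")
                if (f[1] ~ /C/) ok = 1               # SSL field has trusted-CA flag
            }
        }
        END { exit ((found && ok) ? 0 : 1) }
    '
}

# Constructed sample of `certutil -L` output (not taken from the thread).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u
AD Cert                                                      CT,,
Old AD Cert                                                  ,,
EOF
}

# Demo on the constructed listing; against a real database use:
#   certutil -L -d . | ca_trusted_for_ssl "AD Cert"
for nick in "AD Cert" "Old AD Cert" "Server-Cert"; do
    if sample_listing | ca_trusted_for_ssl "$nick"; then
        echo "$nick: trusted as SSL CA"
    else
        echo "$nick: NOT trusted as SSL CA (or not present)"
    fi
done
```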
06-21-2011, 05:52 PM
solarflow99
win sync error
On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com> wrote:
On 06/21/2011 11:23 AM, solarflow99 wrote:
I'm using self signed certs, did I miss
something?
Probably. There are
many steps involved in getting winsync to use TLS/SSL to
talk to AD, and getting AD PassSync to use TLS/SSL to talk
to DS. Which
From the Docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
and I went over everything else I could possibly find
too. It seems in the case of self signed certificates,
Are you talking about self signed certs for 389 or for AD?
I guess that would be both. This is all internal so no servers need real third party signed certificates, just trying to get it to work.
the Windows CA has to be exported as a .cer file, and
imported in 389 with: certutil -d . -A -n "AD Cert" -t "CTu,u,u"
-i ad-cert.cer
Yes, that is correct. So what's the problem?
It wasn't mentioned anywhere, so once I guessed what had to be done, now I'm getting a different error:
06-21-2011, 06:51 PM
Rich Megginson
win sync error
On 06/21/2011 11:52 AM, solarflow99 wrote:
On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com>
wrote:
On 06/21/2011 11:23 AM, solarflow99 wrote:
I'm using self signed certs,
did I miss something?
Probably.
There are many steps involved in getting winsync
to use TLS/SSL to talk to AD, and getting AD
PassSync to use TLS/SSL to talk to DS. Which
From the Docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
and I went over everything else I
could possibly find too. It seems in the case of self
signed certificates,
Are you talking about self signed certs for 389 or for AD?
I guess that would be both. This is all internal so no
servers need real third party signed certificates, just trying
to get it to work.
Ok, I'm confused. The RHDS 8.2 Admin Guide talks about setting up
AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode,
creating a cert request, and using MS CA to issue the AD server
cert. It doesn't say anything about creating self signed certs for
AD.
the Windows CA has to be exported as
a .cer file, and imported in 389 with: certutil -d . -A
-n "AD Cert" -t "CTu,u,u" -i ad-cert.cer
Yes, that is correct. So what's the problem?
It wasn't mentioned anywhere, so once I guessed what had to be
done, now I'm getting a different error:
You have to use the full DN - something like -D
"cn=administrator,cn=users,dc=389testdomain,dc=local"
06-22-2011, 05:37 PM
solarflow99
win sync error
On Tue, Jun 21, 2011 at 2:51 PM, Rich Megginson <rmeggins@redhat.com> wrote:
On 06/21/2011 11:52 AM, solarflow99 wrote:
On Tue, Jun 21, 2011 at 1:39 PM, Rich Megginson <rmeggins@redhat.com>
wrote:
On 06/21/2011 11:23 AM, solarflow99 wrote:
I'm using self signed certs,
did I miss something?
Probably.
There are many steps involved in getting winsync
to use TLS/SSL to talk to AD, and getting AD
PassSync to use TLS/SSL to talk to DS. Which
From the Docs listed online: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
and I went over everything else I
could possibly find too. It seems in the case of self
signed certificates,
Are you talking about self signed certs for 389 or for AD?
I guess that would be both. This is all internal so no
servers need real third party signed certificates, just trying
to get it to work.
Ok, I'm confused. The RHDS 8.2 Admin Guide talks about setting up
AD for TLS/SSL by installing the MS CA in Enterprise Root CA mode,
creating a cert request, and using MS CA to issue the AD server
cert. It doesn't say anything about creating self signed certs for
AD.
Ya, that's what I mean. It would be nice if there was an example of getting this to work with self signed certs. I could add that to the wiki if that would be useful for anyone else.