One problem may be that you have to specify some additional option when creating the MS CA cert or server certs issued by this CA. Is this a root CA or did you get a CA certificate from somewhere else?

Do this:

cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert

Safonov Alexey wrote:
> Thanks Richard!
>
> In my opinion it is the certificate of the CA. You can see the details of how it was obtained in a screenshot (see the attached file).
>
> Safonov Alexey
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard Megginson
> Sent: Friday, July 28, 2006 5:45 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: Error at work of the utility ldapsearch.
>
> Safonov Alexey wrote:
>> Thanks Richard!
>>
>> Now I start so:
>> [root at asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>
>> Also I receive an error:
>>
>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>
>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>> ldaptool_getmodpath -- (null)
>> ldaptool_getdonglefilename -- (null)
>> ldap_simple_bind: Can't contact LDAP server
>> SSL error -8156 (Issuer certificate is invalid.)
>>
>> Though the certificate ad-cert (from Windows DC) is installed. The utility certutil and the Fedora Management Console (Manage Certificates) show it.
>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>> CA certificate      CTu,u,u
>> server-cert         u,u,u
>> Server-Cert         u,u,u
>> ad-cert             CT,C,C
>>
>> Help me!
>>
> Is ad-cert the certificate of the AD server or the certificate of the CA that issued the AD cert? An SSL client only needs to trust the CA cert of the issuer of the server certs it wants to use.
>
>> Safonov Alexey
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard Megginson
>> Sent: Thursday, July 27, 2006 7:36 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: Error at work of the utility ldapsearch.
>>
>> Safonov Alexey wrote:
>>> Hi !
>>>
>>> I ask for help to solve a problem with the utility ldapsearch.
>>>
>>> There is a problem carrying out synchronization between FDS and AD. I have done the following:
>>> 1) Install FDS
>>> 2) Configuring SSL Enabled FDS. For this purpose I started the script setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>> 3) Restart FDS.
>>> netstat -atupn | grep ns-
>>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>> 4) Enable SSL on AD.
>>> Install Certificate Service
>>> Check util ldp.exe:
>>> Connected param: Server - srv-vm1.mup-example.vrn.ru
>>> Port - 636
>>> Checkbox "SSL"
>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>> Host supports SSL, SSL cipher strength = 128 bits
>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>> Retrieving base DSA information...
>>> .....
>>> 5) Import AD CA certificate in DER mode.
>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>> CA certificate      CTu,u,u
>>> server-cert         u,u,u
>>> Server-Cert         u,u,u
>>> ad-cert             CT,C,C <- install this
>>>
>>> 6) [root at asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>
>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses openssl for crypto, which is completely different than NSS. You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>
>>> Error:
>>> ldapsearch: unabel to parse protocol version "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>
>>> Help me!
>>> Thanks
>>>
>>> ------------------------------------------------------
>>> My Setup:
>>>
>>> Fedora Core 5 (i386)
>>> Fedora Directory Server 1.0.2
>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>> ------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
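The thread turns on which entries in the NSS cert DB are actually trusted as CAs for SSL: the listing shows "CTu,u,u" and "CT,C,C" next to nicknames, and a client only needs the issuer's CA cert trusted for SSL. As an added example (not code from the thread, from Fedora DS, or from NSS), here is a small stdlib-only Python parser for `certutil -L` output that decodes those trust-flag strings and reports which nicknames NSS would accept as issuers of server certificates. The listing embedded below is constructed to match the one quoted above; the flag meanings follow the letters certutil prints (p valid peer, P trusted peer, c valid CA, C trusted CA for that usage, T trusted CA to issue client certs, u user cert with a private key, w warn), and the three comma-separated columns are SSL, email and object signing.

```python
import re
from typing import Dict, List, NamedTuple

# Trust-flag letters as printed by certutil -L, one flag string per usage column.
FLAG_MEANINGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for this usage",
    "T": "trusted CA to issue client certs",
    "u": "user cert (private key present)",
    "w": "warn before use",
}
COLUMNS = ("ssl", "email", "objsign")

# Constructed listing matching the one quoted in the thread (with certutil's header lines).
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CA certificate                                CTu,u,u
server-cert                                   u,u,u
Server-Cert                                   u,u,u
ad-cert                                       CT,C,C
"""

# A data line is "<nickname> <flags>,<flags>,<flags>"; nicknames may contain spaces.
_LINE = re.compile(r"^(?P<nick>.*?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


class CertEntry(NamedTuple):
    nickname: str
    trust: Dict[str, str]  # column name -> flag letters for that usage


def parse_certutil_listing(text: str) -> List[CertEntry]:
    """Parse the nickname/trust lines of a certutil -L listing; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m:
            continue
        flags = m.group("flags").split(",")
        entries.append(CertEntry(m.group("nick"), dict(zip(COLUMNS, flags))))
    return entries


def ssl_trusted_cas(entries: List[CertEntry]) -> List[str]:
    """Nicknames whose SSL column carries C: NSS accepts server certs issued by these."""
    return [e.nickname for e in entries if "C" in e.trust["ssl"]]


def user_certs(entries: List[CertEntry]) -> List[str]:
    """Nicknames with a private key in the key DB (the u flag), i.e. usable as our own cert."""
    return [e.nickname for e in entries if "u" in e.trust["ssl"]]


def explain(entry: CertEntry) -> List[str]:
    """Human-readable meaning of each column's flags for one entry."""
    out = []
    for col in COLUMNS:
        desc = ", ".join(FLAG_MEANINGS[f] for f in entry.trust[col]) or "no trust"
        out.append(f"{entry.nickname}: {col}: {desc}")
    return out


def diagnose(entries: List[CertEntry], ca_nickname: str) -> str:
    """Verdict for the 'Issuer certificate is invalid' case: is the named entry an SSL-trusted CA?"""
    by_name = {e.nickname: e for e in entries}
    if ca_nickname not in by_name:
        return "not in cert DB: import the issuing CA cert first"
    if "C" not in by_name[ca_nickname].trust["ssl"]:
        return "present but not trusted for SSL: needs the C flag in the SSL column"
    return ("trusted CA for SSL server certs; if the handshake still fails, this entry "
            "is probably not the cert that actually issued the server cert")


if __name__ == "__main__":
    parsed = parse_certutil_listing(SAMPLE_LISTING)
    for entry in parsed:
        print("\n".join(explain(entry)))
    print("SSL-trusted CAs:", ssl_trusted_cas(parsed))
    print("ad-cert:", diagnose(parsed, "ad-cert"))
```

Run it against real output by piping `certutil -L -d <dir> -P <prefix>` into `parse_certutil_listing`. The point it makes visible is that "present in the DB" and "trusted to issue server certs" are different things: only entries with C in the first column will satisfy the client, and even then the entry must be the certificate that actually signed the server's certificate, which is what the `certutil -L -n ad-cert` check in the reply above is meant to confirm.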