Has anyone seen this before? Possible causes?

Thanks
Joe

Start Slapd Server Config
FATAL Slapd ERROR LDAP authentication failed for url: ldap://nodename.my.nis:1389 Netscaperoot user id admin (151: unknown error)
Fatal slapd did not add directory server information into configuration server ...

>From: Richard Megginson <rmeggins at redhat.com>
>Reply-To: "General discussion list for the Fedora Directory server
>project." <fedora-directory-users at redhat.com>
>To: "General discussion list for the Fedora Directory server project."
><fedora-directory-users at redhat.com>
>Subject: Re: Error at work of the utility
>ldapsearch.
>Date: Fri, 04 Aug 2006 09:45:37 -0600
>
>One problem may be that you have to specify some additional option when
>creating the MS CA cert or server certs issued by this CA. Is this a root
>CA or did you get a CA certificate from somewhere else?
>
>Do this:
>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>
>Safonov Alexey wrote:
>>Thanks Richard!
>>
>>In my opinion it is the certificate of the CA. Certificates you can see
>>details
>>of reception of it on a screenshot (see the attached file)
>>
>>Safonov Alexey
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>Megginson
>>Sent: Friday, July 28, 2006 5:45 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: Error at work of the utility
>>ldapsearch.
>>
>>
>>Safonov Alexey wrote:
>>
>>>Thanks Richard!
>>>
>>>Now I start so:
>>>[root at asterisk1 bin]# ./ldapsearch -Z -P
>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>
>>>Also I receive an error:
>>>
>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>
>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>ldaptool_getmodpath -- (null)
>>>ldaptool_getdonglefilename -- (null)
>>>ldap_simple_bind: Can't contact LDAP server
>>> SSL error -8156 (Issuer certificate is invalid.)
>>>
>>>Though the certificate ad-cert (from Windows DC) is established. The utility
>>>certutil and Fedora Management Console (Manage Certificates) shows it.
>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>CA certificate CTu,u,u
>>>server-cert u,u,u
>>>Server-Cert u,u,u
>>>ad-cert CT,C,C
>>>
>>>Help me!
>>>
>>>
>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>that issued the AD cert? An SSL client only needs to trust the CA cert
>>of the issuer of the server certs it wants to use.
>>
>>>Safonov Alexey
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>>Megginson
>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: Error at work of the utility
>>>ldapsearch.
>>>
>>>
>>>Safonov Alexey wrote:
>>>
>>>
>>>>Hi !
>>>>
>>>>I ask to help to solve a problem with the utility ldapsearch.
>>>>
>>>>is a problem to carry out synchronization between FDS and AD. Has made the
>>>>following:
>>>>1) Install FDS
>>>>2) Configuring SSL Enabled FDS. For this purpose has started script
>>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>>>>HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>3) Restart FDS.
>>>> netstat -atupn | grep ns-
>>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>4) Enable SSL on AD.
>>>>Install Certificate Service
>>>>Check util ldp.exe:
>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>> Port - 636
>>>> Checkbox "SSL"
>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>LDAP_VERSION3);
>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>Retrieving base DSA information...
>>>>.....
>>>>5) Import AD CA certificate in DER mode.
>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>CA certificate CTu,u,u
>>>>server-cert u,u,u
>>>>Server-Cert u,u,u
>>>>ad-cert CT,C,C <- install this
>>>>
>>>>6) [root at asterisk1 alias]# ldapsearch -Z -P
>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>
>>>>
>>>>
>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>openssl for crypto, which is completely different than NSS. You need to
>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>
>>>
>>>>Error:
>>>>ldapsearch: unabel to parse protocol version
>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>
>>>>Help me!
>>>>Thanks
>>>>
>>>>------------------------------------------------------
>>>>My Setup:
>>>>
>>>>Fedora Core 5 (i386)
>>>>Fedora Directory Server 1.0.2
>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>------------------------------------------------------
>>>>
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
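
Richard's point in the thread (an SSL client only needs to trust the CA that issued the server cert) can be checked directly from the `certutil -L` listing. The following is an added example, not part of the thread or of Fedora Directory Server; the function names and the embedded listing are constructed for illustration. It reads the NSS trust column (SSL, S/MIME and object-signing fields) and shows that `ad-cert` already carries the `C` flag for SSL, so the trust flags are not what is missing.

```python
import re

# Constructed sample: the listing quoted in the thread, preceded by the
# two header lines that newer certutil versions print.
SAMPLE_LISTING = """\
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI

CA certificate                CTu,u,u
server-cert                   u,u,u
Server-Cert                   u,u,u
ad-cert                       CT,C,C
"""

TRUST_FIELDS = ("ssl", "email", "objsign")
TRUST_RE = re.compile(r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*")


def parse_listing(text):
    """Return {nickname: {"ssl": flags, "email": flags, "objsign": flags}}.

    Nicknames may contain spaces ("CA certificate"), so the trust column is
    taken as the last whitespace-separated token of each line.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.fullmatch(parts[1]):
            continue  # header, blank line, or anything that is not an entry
        certs[parts[0].strip()] = dict(zip(TRUST_FIELDS, parts[1].split(",")))
    return certs


def trusted_ssl_server_cas(certs):
    """Nicknames with 'C' (trusted CA for issuing server certs) for SSL."""
    return sorted(n for n, t in certs.items() if "C" in t["ssl"])


def diagnose(certs, nickname):
    """Say what the trust flags do and do not establish for one entry."""
    if nickname not in certs:
        return "missing: not in this database"
    ssl = certs[nickname]["ssl"]
    if "C" not in ssl:
        return "not a trusted SSL CA: if this is the issuer, set C (certutil -M -t)"
    if "u" in ssl:
        return "trusted CA with a private key in this database"
    return "trusted CA: flags are fine, inspect the certificate itself"
```

When the flags check out, the next step is the one Richard gives: print the certificate with `certutil -L -n ad-cert` and look at the certificate's own contents.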