Joe Sheehan wrote:
> Has anyone seen this before? Possible causes? Thanks Joe
>
> Start Slapd Server Config
>
> FATAL Slapd ERROR LDAP authentication failed for url:
> ldap://nodename.my.nis:1389 Netscaperoot user id admin
> (151: unknown error)

This usually indicates a problem with DNS or reverse DNS setup.

> Fatal slapd did not add directory server information into
> configuration server
>
> ...
>
>> From: Richard Megginson <rmeggins at redhat.com>
>> Reply-To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> Subject: Re: Error at work of the utility ldapsearch.
>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>
>> One problem may be that you have to specify some additional option
>> when creating the MS CA cert or server certs issued by this CA. Is
>> this a root CA or did you get a CA certificate from somewhere else?
>>
>> Do this:
>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
>> slapd-asterisk1- -L -n ad-cert
>>
>> Safonov Alexey wrote:
>>> Thanks Richard!
>>>
>>> In my opinion it the certificate of the CA. Certificates you can see details
>>> of reception of it on a screenshot (see the attached file)
>>>
>>> Safonov Alexey
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com
>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>> Megginson
>>> Sent: Friday, July 28, 2006 5:45 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: Error at work of the utility ldapsearch.
>>>
>>> Safonov Alexey wrote:
>>>
>>>> Thanks Richard!
>>>>
>>>> Now I start so:
>>>> [root at asterisk1 bin]# ./ldapsearch -Z -P
>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>
>>>> Also I receive an error:
>>>>
>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>
>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>> ldaptool_getmodpath -- (null)
>>>> ldaptool_getdonglefilename -- (null)
>>>> ldap_simple_bind: Can't contact LDAP server
>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>
>>>> Though the certificate ad-cert (from Windows DC) is established. The utility
>>>> certutil and Fedora Management Console (Manage Certificates) shows it.
>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>> slapd-asterisk1-
>>>> CA certificate CTu,u,u
>>>> server-cert u,u,u
>>>> Server-Cert u,u,u
>>>> ad-cert CT,C,C
>>>>
>>>> Help me!
>>>>
>>> Is ad-cert the certificate of the AD server or the certificate of the CA
>>> that issued the AD cert? An SSL client only needs to trust the CA cert
>>> of the issuer of the server certs it wants to use.
>>>
>>>> Safonov Alexey
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com
>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>>> Megginson
>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: Error at work of the utility ldapsearch.
>>>>
>>>> Safonov Alexey wrote:
>>>>
>>>>> Hi !
>>>>>
>>>>> I ask to help to solve a problem with the utility ldapsearch.
>>>>>
>>>>> is a problem to carry out synchronization between FDS and AD. Has made the
>>>>> following:
>>>>> 1) Install FDS
>>>>> 2) Configuring SSL Enabled FDS. For this purpose has started script
>>>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>>>>> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>> 3) Restart FDS.
>>>>> netstat -atupn | grep ns-
>>>>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>> 4) Enable SSL on AD.
>>>>> Install Certificate Service
>>>>> Check util ldp.exe:
>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>> Port - 636
>>>>> Checkbox "SSL"
>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>> LDAP_VERSION3);
>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>> Retrieving base DSA information...
>>>>> .....
>>>>> 5) Import AD CA certificate in DER mode.
>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>>> slapd-asterisk1-
>>>>> CA certificate CTu,u,u
>>>>> server-cert u,u,u
>>>>> Server-Cert u,u,u
>>>>> ad-cert CT,C,C <- install this
>>>>>
>>>>> 6) [root at asterisk1 alias]# ldapsearch -Z -P
>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>
>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>> openssl for crypto, which is completely different than NSS.
>>>> You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>
>>>>> Error:
>>>>> ldapsearch: unabel to parse protocol version
>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>
>>>>> Help me!
>>>>> Thanks
>>>>>
>>>>> ------------------------------------------------------
>>>>> My Setup:
>>>>>
>>>>> Fedora Core 5 (i386)
>>>>> Fedora Directory Server 1.0.2
>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>> ------------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
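
The trust column of the `certutil -L` listings quoted in this thread, decoded in an added example that is not part of the original messages: it reads the SSL field of each entry's three trust fields (SSL, S/MIME, object signing) and lists the nicknames NSS treats as trusted issuers of server certificates. The function names and the constructed sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread's authors): decode `certutil -L` trust flags.

# Constructed sample: the four entries shown in the thread's listing.
SAMPLE_LISTING='CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C'

# Print "nickname<TAB>role" per entry, judged on the SSL trust field only:
#   C = trusted CA for issuing server certs
#   T = trusted CA for issuing client certs
#   P = trusted peer
#   u = a private key for this cert is present in the key database
classify_listing() {
    awk '
    NF >= 2 && $NF ~ /^[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trailing flags token
        sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
        split(flags, field, ",")
        ssl = field[1]
        role = "untrusted"
        if (ssl ~ /C/)      role = "server-ca"
        else if (ssl ~ /T/) role = "client-ca-only"
        else if (ssl ~ /P/) role = "trusted-peer"
        else if (ssl ~ /u/) role = "own-cert"
        printf "%s\t%s\n", nick, role
    }'
}

# Nicknames an NSS SSL client accepts as issuers of a server certificate.
server_issuers() {
    classify_listing | awk -F'\t' '$2 == "server-ca" { print $1 }'
}

printf '%s\n' "$SAMPLE_LISTING" | server_issuers
```

A `C` flag only records that the entry is trusted as a server-certificate issuer; whether `ad-cert` actually is the CA that issued the AD server certificate has to be read from the certificate itself, which is what the `certutil ... -L -n ad-cert` command in the thread prints.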