Googling for this - it basically says the same thing as you've stated. Is there a way to fix this by hand, or is LDAP corrupted beyond fixing unless you uninstall and re-install?

Joe

>From: Richard Megginson <rmeggins at redhat.com>
>Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>Subject: Re: LDAP Error
>Date: Fri, 04 Aug 2006 14:04:23 -0600
>
>Joe Sheehan wrote:
>>Has anyone seen this before? Possible causes? Thanks, Joe
>>
>>Start Slapd Server Config
>>
>>FATAL Slapd ERROR LDAP authentication failed for url:
>>ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
>>unknown error)
>This usually indicates a problem with DNS or reverse DNS setup.
>>
>>Fatal slapd did not add directory server information into configuration
>>server
>>
>>...
>>
>>>From: Richard Megginson <rmeggins at redhat.com>
>>>Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>Subject: Re: Error at work of the utility ldapsearch.
>>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>
>>>One problem may be that you have to specify some additional option when
>>>creating the MS CA cert or server certs issued by this CA. Is this a
>>>root CA or did you get a CA certificate from somewhere else?
>>>
>>>Do this:
>>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>>>
>>>Safonov Alexey wrote:
>>>>Thanks Richard!
>>>>
>>>>In my opinion it is the certificate of the CA. You can see the details of how it was obtained on a screenshot (see the attached file).
>>>>
>>>>Safonov Alexey
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>>Sent: Friday, July 28, 2006 5:45 PM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: Error at work of the utility ldapsearch.
>>>>
>>>>Safonov Alexey wrote:
>>>>>Thanks Richard!
>>>>>
>>>>>Now I start it so:
>>>>>[root at asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>
>>>>>Also I receive an error:
>>>>>
>>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>
>>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>ldaptool_getmodpath -- (null)
>>>>>ldaptool_getdonglefilename -- (null)
>>>>>ldap_simple_bind: Can't contact LDAP server
>>>>>        SSL error -8156 (Issuer certificate is invalid.)
>>>>>
>>>>>Though the certificate ad-cert (from Windows DC) is established. The utility certutil and Fedora Management Console (Manage Certificates) show it.
>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>CA certificate        CTu,u,u
>>>>>server-cert           u,u,u
>>>>>Server-Cert           u,u,u
>>>>>ad-cert               CT,C,C
>>>>>
>>>>>Help me!
>>>>>
>>>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>>>that issued the AD cert? An SSL client only needs to trust the CA cert
>>>>of the issuer of the server certs it wants to use.
>>>>
>>>>>Safonov Alexey
>>>>>
>>>>>-----Original Message-----
>>>>>From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>Subject: Re: Error at work of the utility ldapsearch.
>>>>>
>>>>>Safonov Alexey wrote:
>>>>>>Hi !
>>>>>>
>>>>>>I ask for help solving a problem with the utility ldapsearch.
>>>>>>
>>>>>>There is a problem carrying out synchronization between FDS and AD. I have done the following:
>>>>>>1) Install FDS
>>>>>>2) Configure SSL-enabled FDS. For this purpose I ran the script setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>3) Restart FDS.
>>>>>>   netstat -atupn | grep ns-
>>>>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>>4) Enable SSL on AD.
>>>>>>Install Certificate Service
>>>>>>Check with the util ldp.exe:
>>>>>>Connection params: Server - srv-vm1.mup-example.vrn.ru
>>>>>>                   Port - 636
>>>>>>                   Checkbox "SSL"
>>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
>>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>Retrieving base DSA information...
>>>>>>.....
>>>>>>5) Import AD CA certificate in DER mode.
>>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>>CA certificate        CTu,u,u
>>>>>>server-cert           u,u,u
>>>>>>Server-Cert           u,u,u
>>>>>>ad-cert               CT,C,C   <- install this
>>>>>>
>>>>>>6) [root at asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>
>>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>>openssl for crypto, which is completely different than NSS. You need to
>>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>
>>>>>>Error:
>>>>>>ldapsearch: unabel to parse protocol version "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>
>>>>>>Help me!
>>>>>>Thanks
>>>>>>
>>>>>>------------------------------------------------------
>>>>>>My Setup:
>>>>>>
>>>>>>Fedora Core 5 (i386)
>>>>>>Fedora Directory Server 1.0.2
>>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>------------------------------------------------------
>>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users at redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
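Richard's point in the thread is that the NSS client only needs the issuing CA to be trusted, and he asks the poster to check the certutil listing. The script below is an added example (not code from the list or from the Fedora Directory Server project): it parses a certutil -L listing like the one quoted above, reconstructed here as sample input, and reports whether a named issuer carries the C flag (trusted CA) in the SSL field that an NSS client needs before it will accept server certs chained to it. Flag meanings follow the certutil man page; the certutil -A and -M options named in the messages are real options, and any nickname you pass is your own assumption.

```python
"""Interpret the trust column of an NSS certutil -L listing (added example, not
code from the thread or the Fedora Directory Server project). The sample listing
is reconstructed from the thread; flag meanings follow the certutil man page."""

TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (ssl server only)",
    "u": "user cert (private key present)",
    "w": "send warning",
}

# Constructed from the certutil -L output quoted in the thread, headers included.
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
CA certificate                                CTu,u,u
server-cert                                   u,u,u
Server-Cert                                   u,u,u
ad-cert                                       CT,C,C
"""

def parse_listing(text):
    """Map nickname -> (ssl, email, objsign) trust strings, skipping headers."""
    certs = {}
    for line in text.splitlines():
        nick, _, trust = line.rstrip().rpartition(" ")
        fields = trust.split(",")
        # A trust column is exactly three fields of flag characters; the header's
        # "SSL,S/MIME,JAR/XPI" fails that test and is dropped.
        if len(fields) != 3 or not all(c in TRUST_FLAGS for c in trust.replace(",", "")):
            continue
        if nick.strip():
            certs[nick.strip()] = tuple(fields)
    return certs

def diagnose_issuer(certs, issuer_nick):
    """Would an NSS client using this db trust server certs issued by
    issuer_nick? 'C' in the SSL field is required; otherwise say what to fix."""
    if issuer_nick not in certs:
        return "missing: issuer not in db; import it with certutil -A -t C,,"
    ssl_field = certs[issuer_nick][0]
    if "C" in ssl_field:
        return "ok: trusted CA for SSL server certs"
    if "u" in ssl_field and "c" not in ssl_field.lower():
        return "not a CA: end-entity cert; import the issuing CA cert instead"
    return "untrusted: present but no C in SSL field; certutil -M -t C,, fixes it"
```

Feed it the real output of `certutil -L -d . -P slapd-asterisk1-` and the nickname of the AD server's issuer to separate a missing or untrusted issuer from the "is ad-cert the server cert or the CA cert?" question Richard raises.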