Thanks - we will definitely take your advice. Curious if switching the order within the nsswitch.conf would do the trick.

Joe

>From: Richard Megginson <rmeggins at redhat.com>
>Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>Subject: Re: LDAP Error
>Date: Fri, 04 Aug 2006 15:26:21 -0600
>
>Joe Sheehan wrote:
>>google(ing) for this - it basically says the same thing as you've stated.
>>Is there a way to fix this by hand
>Fix your DNS and reverse DNS set up. Are you also using NIS for hostname
>resolution? You may have to make sure NIS and DNS hosts resolve to the
>same IP addresses.
>>or is LDAP corrupted beyond fixing unless you
>>uninstall and re-install.
>This has nothing to do with ldap corruption. Although, once you fix your
>DNS and reverse DNS, you will need to re-install from scratch. This is
>unfortunately the easiest way to ensure proper Admin Server set up.
>>
>>Joe
>>
>>>From: Richard Megginson <rmeggins at redhat.com>
>>>Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>Subject: Re: LDAP Error
>>>Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>
>>>Joe Sheehan wrote:
>>>>Has anyone seen this before? Possible causes? Thanks Joe
>>>>
>>>>Start Slapd Server Config
>>>>
>>>>FATAL Slapd ERROR LDAP authentication failed for url:
>>>>ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
>>>>unknown error)
>>>This usually indicates a problem with DNS or reverse DNS setup.
>>>>
>>>>Fatal slapd did not add directory server information into configuration
>>>>server
>>>>
>>>>...
>>>>
>>>>>From: Richard Megginson <rmeggins at redhat.com>
>>>>>Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>>>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>>>>Subject: Re: Error at work of the utility ldapsearch.
>>>>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>
>>>>>One problem may be that you have to specify some additional option when
>>>>>creating the MS CA cert or server certs issued by this CA. Is this a
>>>>>root CA or did you get a CA certificate from somewhere else?
>>>>>
>>>>>Do this:
>>>>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>>>>>
>>>>>Safonov Alexey wrote:
>>>>>>Thanks Richard!
>>>>>>
>>>>>>In my opinion it is the certificate of the CA. You can see details of
>>>>>>how it was obtained on a screenshot (see the attached file).
>>>>>>
>>>>>>Safonov Alexey
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: fedora-directory-users-bounces at redhat.com
>>>>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard Megginson
>>>>>>Sent: Friday, July 28, 2006 5:45 PM
>>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>>Subject: Re: Error at work of the utility ldapsearch.
>>>>>>
>>>>>>Safonov Alexey wrote:
>>>>>>
>>>>>>>Thanks Richard!
>>>>>>>
>>>>>>>Now I start so:
>>>>>>>[root at asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>>
>>>>>>>Also I receive an error:
>>>>>>>
>>>>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>
>>>>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>>ldaptool_getmodpath -- (null)
>>>>>>>ldaptool_getdonglefilename -- (null)
>>>>>>>ldap_simple_bind: Can't contact LDAP server
>>>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>
>>>>>>>Though the certificate ad-cert (from Windows DC) is established. The utility
>>>>>>>certutil and Fedora Management Console (Manage Certificates) show it.
>>>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>>>CA certificate CTu,u,u
>>>>>>>server-cert u,u,u
>>>>>>>Server-Cert u,u,u
>>>>>>>ad-cert CT,C,C
>>>>>>>
>>>>>>>Help me!
>>>>>>>
>>>>>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>>>>>that issued the AD cert? An SSL client only needs to trust the CA cert
>>>>>>of the issuer of the server certs it wants to use.
>>>>>>
>>>>>>>Safonov Alexey
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: fedora-directory-users-bounces at redhat.com
>>>>>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard Megginson
>>>>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>>>Subject: Re: Error at work of the utility ldapsearch.
>>>>>>>
>>>>>>>Safonov Alexey wrote:
>>>>>>>
>>>>>>>>Hi !
>>>>>>>>
>>>>>>>>I ask for help to solve a problem with the utility ldapsearch.
>>>>>>>>
>>>>>>>>There is a problem carrying out synchronization between FDS and AD. I have done the following:
>>>>>>>>1) Install FDS
>>>>>>>>2) Configuring SSL Enabled FDS. For this purpose I started the script setupssl.sh
>>>>>>>>(http://directory.fedora.redhat.com/download/setupssl.sh) from
>>>>>>>>HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>>3) Restart FDS.
>>>>>>>> netstat -atupn | grep ns-
>>>>>>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>>>>4) Enable SSL on AD.
>>>>>>>>Install Certificate Service
>>>>>>>>Check util ldp.exe:
>>>>>>>>Connected param: Server - srv-vm1.mup-example.vrn.ru
>>>>>>>> Port - 636
>>>>>>>> Checkbox "SSL"
>>>>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
>>>>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>>Retrieving base DSA information...
>>>>>>>>.....
>>>>>>>>5) Import AD CA certificate in DER mode.
>>>>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>>>>CA certificate CTu,u,u
>>>>>>>>server-cert u,u,u
>>>>>>>>Server-Cert u,u,u
>>>>>>>>ad-cert CT,C,C <- install this
>>>>>>>>
>>>>>>>>6) [root at asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>>
>>>>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>>>>openssl for crypto, which is completely different than NSS. You need to
>>>>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>
>>>>>>>>Error:
>>>>>>>>ldapsearch: unabel to parse protocol version "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>
>>>>>>>>Help me!
>>>>>>>>Thanks
>>>>>>>>
>>>>>>>>------------------------------------------------------
>>>>>>>>My Setup:
>>>>>>>>
>>>>>>>>Fedora Core 5 (i386)
>>>>>>>>Fedora Directory Server 1.0.2
>>>>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>>------------------------------------------------------
>>>>>>>>
>>>>>>--
>>>>>>Fedora-directory-users mailing list
>>>>>>Fedora-directory-users at redhat.com
>>>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users