Joe Sheehan wrote:
> Thanks - we will definitely take your advice.
> Curious if switching the order within the nsswitch.conf would do the
> trick.
It might.
>
> Joe
>
>> From: Richard Megginson <rmeggins at redhat.com>
>> Reply-To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> Subject: Re: LDAP Error
>> Date: Fri, 04 Aug 2006 15:26:21 -0600
>>
>> Joe Sheehan wrote:
>>> google(ing) for this - it basically says the same thing as you've
>>> stated.
>>> Is there a way to fix this by hand
>> Fix your DNS and reverse DNS set up. Are you also using NIS for
>> hostname resolution? You may have to make sure NIS and DNS hosts
>> resolve to the same IP addresses.
>>> or is LDAP corrupted beyond fixing unless you
>>> uninstall and re-install.
>> This has nothing to do with ldap corruption. Although, once you fix
>> your DNS and reverse DNS, you will need to re install from scratch.
>> This is unfortunately the easiest way to ensure proper Admin Server
>> set up.
>>>
>>> Joe
>>>
>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>> Reply-To: "General discussion list for the Fedora Directory server
>>>> project." <fedora-directory-users at redhat.com>
>>>> To: "General discussion list for the Fedora Directory server
>>>> project." <fedora-directory-users at redhat.com>
>>>> Subject: Re: LDAP Error
>>>> Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>>
>>>> Joe Sheehan wrote:
>>>>> Has anyone seen this before? Possible causes? Thanks Joe
>>>>>
>>>>> Start Slapd Server Config
>>>>>
>>>>> FATAL Slapd ERROR LDAP authentication failed for url:
>>>>> ldap://nodename.my.nis:1389 Netscaperoot user id admin
>>>>> (151: unknown error)
>>>> This usually indicates a problem with DNS or reverse DNS setup.
>>>>>
>>>>> Fatal slapd did not add directory server information into
>>>>> configuration server
>>>>>
>>>>> ...
>>>>>
>>>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>>>> Reply-To: "General discussion list for the Fedora Directory
>>>>>> server project." <fedora-directory-users at redhat.com>
>>>>>> To: "General discussion list for the Fedora Directory server
>>>>>> project." <fedora-directory-users at redhat.com>
>>>>>> Subject: Re: Error at work of the utility ldapsearch.
>>>>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>>
>>>>>> One problem may be that you have to specify some additional
>>>>>> option when creating the MS CA cert or server certs issued by
>>>>>> this CA. Is this a root CA or did you get a CA certificate from
>>>>>> somewhere else?
>>>>>>
>>>>>> Do this:
>>>>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>>>>>>
>>>>>> Safonov Alexey wrote:
>>>>>>> Thanks Richard!
>>>>>>>
>>>>>>> In my opinion it the certificate of the CA. Certificates you can
>>>>>>> see details
>>>>>>> of reception of it on a screenshot (see the attached file)
>>>>>>>
>>>>>>> Safonov Alexey
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of
>>>>>>> Richard Megginson
>>>>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>>>>> To: General discussion list for the Fedora Directory server
>>>>>>> project.
>>>>>>> Subject: Re: Error at work of the utility ldapsearch.
>>>>>>>
>>>>>>> Safonov Alexey wrote:
>>>>>>>
>>>>>>>> Thanks Richard!
>>>>>>>>
>>>>>>>> Now I start so:
>>>>>>>> [root at asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>>>
>>>>>>>> Also I receive a error:
>>>>>>>>
>>>>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>>
>>>>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>>> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>>> ldaptool_getmodpath -- (null)
>>>>>>>> ldaptool_getdonglefilename -- (null)
>>>>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>>
>>>>>>>> Though the certificate ad-cert (from Windows DC) is established. The utility
>>>>>>>> certutil and Fedora Management Console (Manage Certificates) shows it.
>>>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>>>> CA certificate CTu,u,u
>>>>>>>> server-cert    u,u,u
>>>>>>>> Server-Cert    u,u,u
>>>>>>>> ad-cert        CT,C,C
>>>>>>>>
>>>>>>>> Help my!
>>>>>>>>
>>>>>>> Is ad-cert the certificate of the AD server or the certificate of the CA
>>>>>>> that issued the AD cert? An SSL client only needs to trust the CA cert
>>>>>>> of the issuer of the server certs it wants to use.
>>>>>>>
>>>>>>>> Safonov Alexey
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of
>>>>>>>> Richard Megginson
>>>>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>>> To: General discussion list for the Fedora Directory server
>>>>>>>> project.
>>>>>>>> Subject: Re: Error at work of the utility ldapsearch.
>>>>>>>>
>>>>>>>> Safonov Alexey wrote:
>>>>>>>>
>>>>>>>>> Hi !
>>>>>>>>>
>>>>>>>>> I ask to help to solve a problem with the utility ldapsearch.
>>>>>>>>>
>>>>>>>>> is a problem to carry out synchronization between FDS and AD.
>>>>>>>>> Has made the following:
>>>>>>>>> 1) Install FDS
>>>>>>>>> 2) Configuring SSL Enabled FDS. For this purpose has started script
>>>>>>>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>>> from HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>>> 3) Restart FDS.
>>>>>>>>> netstat -atupn | grep ns-
>>>>>>>>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>>>>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>>>>> 4) Enable SSL on AD.
>>>>>>>>> Install Certificate Service
>>>>>>>>> Check util ldp.exe:
>>>>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>>> Port - 636
>>>>>>>>> Checkbox "SSL"
>>>>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
>>>>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>>> Retrieving base DSA information...
>>>>>>>>> .....
>>>>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS.
>>>>>>>>> Check:
>>>>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>>>>>> CA certificate CTu,u,u
>>>>>>>>> server-cert    u,u,u
>>>>>>>>> Server-Cert    u,u,u
>>>>>>>>> ad-cert        CT,C,C <- install this
>>>>>>>>>
>>>>>>>>> 6) [root at asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>>>
>>>>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>>>>> openssl for crypto, which is completely different than NSS.
>>>>>>>> You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>>
>>>>>>>>> Error:
>>>>>>>>> ldapsearch: unabel to parse protocol version
>>>>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>>
>>>>>>>>> Help my!
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------
>>>>>>>>> My Setup:
>>>>>>>>>
>>>>>>>>> Fedora Core 5 (i386)
>>>>>>>>> Fedora Directory Server 1.0.2
>>>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>>> ------------------------------------------------------
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
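
The advice in this thread is to make sure DNS, reverse DNS and NIS all agree on the server's address before reinstalling. One way to check that per NSS source is the shell script below, an added example that is not part of the original thread or of Fedora Directory Server; the `SOURCES` list and the function names are assumptions, and `getent -s` is the glibc option for querying a single source.

```shell
#!/bin/sh
# Added example: ask each NSS "hosts" source about one name and compare.
# SOURCES and all function names are assumptions made for this sketch.
SOURCES=${SOURCES:-"files nis dns"}

# Raw `getent hosts` answer for KEY from a single NSS source.
lookup() {
    getent -s "$1" hosts "$2" 2>/dev/null
}

# First address SOURCE returns for NAME (empty if the source has no entry).
addr_from() {
    lookup "$1" "$2" | awk 'NR == 1 { print $1 }'
}

# Canonical (first) name SOURCE returns for ADDR, lower-cased.
name_from() {
    lookup "$1" "$2" | awk 'NR == 1 { print tolower($2) }'
}

# check_host FQDN
# Returns 0 if every answering source gives the same address and maps it
# back to FQDN, 1 if no source knows FQDN, 2 if sources disagree on the
# address, 3 if a reverse lookup is missing or names a different host.
check_host() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    seen="" rc=0
    for src in $SOURCES; do
        addr=$(addr_from "$src" "$want")
        [ -n "$addr" ] || continue
        echo "$src: $want -> $addr"
        if [ -n "$seen" ] && [ "$addr" != "$seen" ]; then
            echo "MISMATCH: $src gives $addr, an earlier source gave $seen"
            rc=2
        fi
        [ -n "$seen" ] || seen=$addr
        back=$(name_from "$src" "$addr")
        if [ "$back" != "$want" ]; then
            echo "REVERSE: $src maps $addr to '${back:-nothing}', expected $want"
            [ "$rc" -ne 0 ] || rc=3
        fi
    done
    [ -n "$seen" ] || { echo "no source resolves $want"; return 1; }
    return "$rc"
}

# Run against the name given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

A return code of 2 is the case where the order in nsswitch.conf changes the answer, because the sources hold different addresses for the same name.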