Do this:

cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert

Safonov Alexey wrote:

Thanks Richard! In my opinion it is the certificate of the CA. Certificates you can see details of reception of it on a screenshot (see the attached file)

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx]On Behalf Of Richard Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: Error at work of the utility ldapsearch.

Safonov Alexey wrote:

Thanks Richard! Now I start so:

[root@asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v

Also I receive an error:

ldapsearch: started Fri Jul 28 16:21:39 2006
ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8156 (Issuer certificate is invalid.)

Though the certificate ad-cert (from Windows DC) is established. The utility certutil and Fedora Management Console (Manage Certificates) shows it.

[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
CA certificate    CTu,u,u
server-cert       u,u,u
Server-Cert       u,u,u
ad-cert           CT,C,C

Help me!

Is ad-cert the certificate of the AD server or the certificate of the CA that issued the AD cert? An SSL client only needs to trust the CA cert of the issuer of the server certs it wants to use.

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx]On Behalf Of Richard Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: Error at work of the utility ldapsearch.

Safonov Alexey wrote:

Hi! I ask to help to solve a problem with the utility ldapsearch. It is a problem to carry out synchronization between FDS and AD. Has made the following:

1) Install FDS

2) Configuring SSL Enabled FDS. For this purpose has started script setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)

3) Restart FDS.

netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd

4) Enable SSL on AD. Install Certificate Service. Check util ldp.exe:

Connected param:
Server - srv-vm1.mup-example.vrn.ru
Port - 636
Checkbox "SSL"

ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....

5) Import AD CA certificate in DER mode.

6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:

[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
CA certificate    CTu,u,u
server-cert       u,u,u
Server-Cert       u,u,u
ad-cert           CT,C,C    <- install this

6) [root@asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"

That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses openssl for crypto, which is completely different than NSS. You need to use the ldapsearch in /opt/fedora-ds/shared/bin e.g.

cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....

Error:

ldapsearch: unabel to parse protocol version "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"

Help me! Thanks

------------------------------------------------------
My Setup:
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
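
Added example (not part of the original thread and not Fedora DS code): a small filter that reads a `certutil -L` listing like the one quoted above and reports, per nickname, whether the NSS database trusts it as an issuer of SSL server certificates (flag `C` in the first, SSL, trust group) and whether it has a private key (`u`). The function names and output format are assumptions of this example; the sample listing is reconstructed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `certutil -L` listing lines
# by the SSL trust group (first of the three comma-separated flag groups).

# Constructed sample: the listing quoted in the thread.
sample_listing() {
  cat <<'EOF'
CA certificate                   CTu,u,u
server-cert                      u,u,u
Server-Cert                      u,u,u
ad-cert                          CT,C,C
EOF
}

# stdin: `certutil -L` output. stdout: nickname|ssl_flags|server_ca=..|key=..
classify_nss_trust() {
  awk '
    # Only lines ending in three flag groups are entries; header lines are skipped.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      split($NF, grp, ",")
      ssl = grp[1]
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags field
      sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
      server_ca = (ssl ~ /C/) ? "yes" : "no"  # C: trusted CA for server certs
      key = (ssl ~ /u/) ? "yes" : "no"        # u: private key is in the key db
      printf "%s|%s|server_ca=%s|key=%s\n", nick, ssl, server_ca, key
    }'
}

# Exit 0 if nickname $1 is a trusted issuer of SSL server certs in the listing.
is_server_ca() {
  classify_nss_trust |
    awk -F'|' -v n="$1" '$1 == n && $3 == "server_ca=yes" { ok = 1 } END { exit !ok }'
}

sample_listing | classify_nss_trust
```

The flags only show what the database has been told to trust. Whether ad-cert really is the CA that issued the AD server's certificate is what the `certutil ... -L -n ad-cert` output (its Subject and Issuer fields) answers.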