Re: LDAP Error


 



google(ing) for this - it basically says the same thing as you've stated.
Is there a way to fix this by hand, or is LDAP corrupted beyond fixing unless you
uninstall and re-install?

Joe


From: Richard Megginson <rmeggins@xxxxxxxxxx>
Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Subject: Re:  LDAP Error
Date: Fri, 04 Aug 2006 14:04:23 -0600

Joe Sheehan wrote:
Has anyone seen this before? Possible causes? Thanks Joe


Start Slapd Server Config

FATAL Slapd ERROR LDAP authentication failed for url: ldap://nodename.my.nis:1389 Netscaperoot user id admin (151: unknown error)
This usually indicates a problem with DNS or reverse DNS setup.

Fatal slapd did not add directory server information into configuration server

...




From: Richard Megginson <rmeggins@xxxxxxxxxx>
Reply-To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Subject: Re: Error at work of the utility ldapsearch.
Date: Fri, 04 Aug 2006 09:45:37 -0600

One problem may be that you have to specify some additional option when creating the MS CA cert or server certs issued by this CA. Is this a root CA or did you get a CA certificate from somewhere else?

Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert

Safonov Alexey wrote:
Thanks Richard!

In my opinion it is the certificate of the CA. You can see the details of how
it was received in the screenshot (see the attached file).

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re:  Error at work of the utility
ldapsearch.


Safonov Alexey wrote:

Thanks Richard!

Now I start so:
[root@asterisk1 bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
rv-vm1.mup-example.vrn.ru  -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v

Also I receive an error:

ldapsearch: started Fri Jul 28 16:21:39 2006

ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
        SSL error -8156 (Issuer certificate is invalid.)

Though the certificate ad-cert (from Windows DC) is established. The utility
certutil and Fedora Management Console (Manage Certificates) shows it.
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C

Help me!


Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert?  An SSL client only needs to trust the CA cert
of the issuer of the server certs it wants to use.

Safonov Alexey

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re:  Error at work of the utility
ldapsearch.


Safonov Alexey wrote:


Hi !

I ask to help to solve a problem with the utility ldapsearch.

is a problem to carry out synchronization between FDS and AD. Has made the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
   netstat -atupn | grep ns-
tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
                 Port  - 636
                 Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate                         CTu,u,u
server-cert                            u,u,u
Server-Cert                            u,u,u
ad-cert                                CT,C,C <- install this

6) [root@asterisk1 alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru  -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"



That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....


Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"

Help me!
Thanks

------------------------------------------------------
My Setup:

Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------







--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
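
Added example, not part of the original thread: a small parser for the `certutil -L` listing quoted above that reads the three NSS trust fields (SSL, S/MIME, object signing) and reports which nicknames the database treats as CAs for verifying server certificates. The function names are hypothetical and the sample input is the listing from the thread, embedded as constructed test data.

```shell
#!/bin/sh
# Added example: classify `certutil -L` entries by their SSL trust field.
# NSS trust string = "SSL,S/MIME,objsign". Flags used here:
#   C = trusted CA for issuing server certificates
#   T = trusted CA for issuing client certificates
#   u = the database holds the private key for this certificate

classify_nss_trust() {
    # stdin: lines of "nickname <spaces> trust"; nicknames may contain spaces,
    # so the trust string is always the last whitespace-separated field.
    awk '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, f, ",")
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        ssl = f[1]
        if (ssl ~ /C/)      role = "server-ca"  # can anchor server cert chains
        else if (ssl ~ /u/) role = "own-cert"   # key pair lives in this db
        else                role = "untrusted"
        printf "%s\t%s\n", nick, role
    }'
}

# Nicknames an SSL client using this database will accept as issuers.
server_cas() {
    classify_nss_trust | awk -F '\t' '$2 == "server-ca" { print $1 }'
}

# Constructed sample: the listing shown in the thread.
sample_listing() {
cat <<'EOF'
CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C
EOF
}

sample_listing | classify_nss_trust
```

The trust flags only record what the database was told to trust when the certificate was imported; they do not show whether ad-cert is actually the CA certificate that issued the AD server's certificate, which is the question asked in the thread.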


