kiran madala wrote:

Did you configure the agreement to use SSL? Error 91 means some sort of connection problem, or invalid argument to the LDAP API e.g. you are attempting to use LDAP on the secure port instead of LDAPS.

Sorry here is the error log for DS server

[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)

It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.

You can verify that TLS/SSL is working by using ldapsearch from the command line. On the directory server machine:

    /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"

Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
----------------------------------------
Date: Wed, 9 Jan 2008 11:09:54 -0700
From: rmeggins@xxxxxxxxxx
To: fedora-directory-users@xxxxxxxxxx
Subject: Re: Windows Active Directory sync Help!

kiran madala wrote:

I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?

Actually, this is the error log for the admin server. The error log for the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance is your instance name.

The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.

[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
<snip>

The console might be failing to connect to AD because the console has a separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need to add the CA cert in this directory too:

    certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc

----------------------------------------
Date: Wed, 9 Jan 2008 10:52:05 -0700
From: rmeggins@xxxxxxxxxx
To: fedora-directory-users@xxxxxxxxxx
Subject: Re: Windows Active Directory sync Help!

kiran madala wrote:

As far as I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now. The DS server is unable to connect to my AD.

What error messages are you getting? Check the error log.

You can also try using ldapsearch. Are you using Fedora DS 1.1 or 1.0.4? What OS?

You don't need to use cert based client auth. You can use regular username/password auth over TLS/SSL.

I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?

My current certificates are as follows.
DS has its own server certificate
AD has its own server certificate
ALL 3 servers AS, DS and AD have the same CA root certificate

----------------------------------------
From: kirankmadala@xxxxxxxxxxx
To: fedora-directory-users@xxxxxxxxxx
Date: Wed, 9 Jan 2008 10:35:00 -0400
Subject: Windows Active Directory sync Help!

Hello,

I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.

I want to synchronize only users and groups so is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?

In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?

When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?

I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.

Thanks in advance

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
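
An added example, not part of the thread and not code from Fedora DS: a small triage script for directory server error-log lines like the sync-agreement failure quoted above. The regular expression is inferred from that single quoted line (an assumption about the log format), and the suggested checks restate the advice given in the thread.

```python
import re

# First line: the error quoted in the thread. Second line: constructed,
# unrelated entry to show that other log lines are skipped.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:13:34:02 -0500] - slapd started.
"""

# Pattern derived from that single quoted line (an assumption about the format).
AGMT_FAILURE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:()]+):(?P<port>\d+)\): '
    r'(?P<what>[^,]+), LDAP sdk error (?P<ldap_rc>-?\d+) \(.*?\)'
    r'(?:, Netscape Portable Runtime error (?P<nspr_rc>-?\d+) \(.*?\))?\s*$')

LDAPS_PORT = 636  # port of the agreement in the quoted log line

def triage(log_text):
    """Return one finding per failed sync-agreement bind, with checks to run."""
    findings = []
    for line in log_text.splitlines():
        m = AGMT_FAILURE.match(line)
        if not m:
            continue
        f = {"time": m["ts"], "agreement": m["agmt"], "host": m["host"],
             "port": int(m["port"]), "operation": m["what"],
             "ldap_rc": int(m["ldap_rc"]),
             "nspr_rc": int(m["nspr_rc"]) if m["nspr_rc"] else None,
             "checks": []}
        if f["ldap_rc"] == 91:  # "Can't connect to the LDAP server"
            if f["port"] == LDAPS_PORT:
                f["checks"].append("confirm the agreement is set to use SSL; "
                                   "plain LDAP against the secure port fails")
            f["checks"].append(f"test TLS from the DS host: ldapsearch -h {f['host']} "
                               f"-p {f['port']} -Z -P <instance cert db dir>")
            f["checks"].append("confirm the CA that signed the AD certificate "
                               "is trusted in the DS instance cert db")
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['agreement']} -> {f['host']}:{f['port']} "
              f"ldap={f['ldap_rc']} nspr={f['nspr_rc']}")
        for c in f["checks"]:
            print("  -", c)
```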