I keep getting these errors when trying to initiate sync:

[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

The LDAP search is not installed on my machine, so I could not do a search.

----------------------------------------
> Date: Wed, 9 Jan 2008 11:43:49 -0700
> From: rmeggins@xxxxxxxxxx
> To: fedora-directory-users@xxxxxxxxxx
> Subject: Re: Windows Active Directory sync Help!
>
> kiran madala wrote:
>> Sorry, here is the error log for the DS server
>>
>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>
>> It cannot connect to AD. I imported the CA certificate into the installation folder of the console on the Windows XP machine.
>>
> Did you configure the agreement to use SSL? Error 91 means some sort of
> connection problem, or invalid argument to the LDAP API, e.g. you are
> attempting to use LDAP on the secure port instead of LDAPS.
>
> You can verify that TLS/SSL is working by using ldapsearch from the
> command line. On the directory server machine:
>
> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>
> Or use /usr/lib64/mozldap/ldapsearch on a 64-bit system.
>>
>> ----------------------------------------
>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>> From: rmeggins@xxxxxxxxxx
>>> To: fedora-directory-users@xxxxxxxxxx
>>> Subject: Re: Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>
>>>> I am using Fedora 1.1 on a Fedora 6 x86 machine.
>>>> When I fill in the entries and click Next, a message pops up saying "Unable to connect to Active Directory server, continue?". Also, in the domain controller host field, can I specify the IP address of the machine?
>>>>
>>>> The error log for the DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>>>>
>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>> <snip>
>>>>
>>> Actually, this is the error log for the admin server. The error log for
>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where INSTANCE
>>> is your instance name.
>>>
>>> The console might be failing to connect to AD because the console has a
>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>> to add the CA cert in this directory too:
>>>
>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>
>>>> ----------------------------------------
>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>> From: rmeggins@xxxxxxxxxx
>>>>> To: fedora-directory-users@xxxxxxxxxx
>>>>> Subject: Re: Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>
>>>>>> As far as I understand from reading the docs again, the user specified in the Sync agreement and the Bind DN should be the same and must exist on Active Directory with Domain Admin privileges. But I have other issues now.
>>>>>>
>>>>>> The DS server is unable to connect to my AD.
>>>>>>
>>>>> What error messages are you getting? Check the error log.
>>>>>
>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>> 1.0.4? What OS?
>>>>>
>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate, and opened up ports in the firewall. Am I missing something like allowing client authentication on the AD machine?
>>>>>>
>>>>> You don't need to use cert-based client auth. You can use regular
>>>>> username/password auth over TLS/SSL.
>>>>>
>>>>>> My current certificates are as follows.
>>>>>>
>>>>>> DS has its own server certificate
>>>>>> AD has its own server certificate
>>>>>> All 3 servers (AS, DS and AD) have the same CA root certificate
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> From: kirankmadala@xxxxxxxxxxx
>>>>>>> To: fedora-directory-users@xxxxxxxxxx
>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>> Subject: Windows Active Directory sync Help!
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS, I have a few questions.
>>>>>>>
>>>>>>> I want to synchronize only users and groups, so is it necessary to enable SSL on Active Directory and connect to Active Directory through SSL?
>>>>>>>
>>>>>>> In the replica settings, does the supplier DN user need to be on both AD and DS, and should it be a Domain Admin of the AD?
>>>>>>>
>>>>>>> When trying to synchronize with AD, should the bind DN user (in the screenshot) be in both AD and DS?
>>>>>>>
>>>>>>> I have attached the screenshot of my final DS agreement window. I believe currently it is defined to synchronize users; what changes do I need to make for it to synchronize groups as well?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users@xxxxxxxxxx
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
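The three errors-log lines posted in this thread (the "Simple bind failed ... LDAP sdk error 91" line and the ldapssl_enable_clientauth SSL alert followed by "LDAP error -1") are the ones to triage before touching certificates. The script below is an added example written for this page; it is not part of the thread and not Fedora DS / 389-DS code. It parses those NSMMReplicationPlugin and SSL alert lines from the directory server's errors log, pulls out the agreement name, the AD host:port and the LDAP/NSPR error codes, and prints the check the replies recommend for each. Assumptions, labelled in the code as well: the sample log text is copied from the thread; the error-code-to-advice mapping is this example's own summary of the replies (error 91 = connection problem or plain LDAP on the LDAPS port, verify with ldapsearch -Z; client-certificate auth is not needed, use simple bind over TLS); the ldapsearch command it prints uses the host and port from the log line and the placeholder cert DB path from the reply.

```python
"""Triage 389/Fedora DS errors-log lines from a failing Windows sync agreement.

Added example for this thread, not project code. The advice strings are this
example's summary of the replies in the thread, not a 389-DS error table.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the three error lines quoted in the thread.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""

TS = r"\[(?P<ts>[^\]]+)\]"
# agmt="<cn>" (<host>:<port>): <message>
AGMT_RE = re.compile(
    TS + r" NSMMReplicationPlugin - agmt=\"(?P<agmt>[^\"]+)\" "
         r"\((?P<host>[^:()]+):(?P<port>\d+)\): (?P<msg>.*)$")
# - SSL alert: <function>(<args>) <rc> (<message>)
SSL_ALERT_RE = re.compile(
    TS + r" - SSL alert: (?P<func>\w+)\((?P<args>[^)]*)\) (?P<rc>-?\d+) \((?P<msg>.*)\)$")
LDAP_ERR_RE = re.compile(r"LDAP (?:sdk )?error (?P<code>-?\d+)")
NSPR_ERR_RE = re.compile(r"Netscape Portable Runtime error (?P<code>-?\d+)")


@dataclass
class SyncFailure:
    timestamp: str
    agreement: Optional[str]     # cn of the sync agreement, if the line names one
    host: Optional[str]          # AD host from the agreement line
    port: Optional[int]
    ldap_error: Optional[int]    # LDAP SDK result code, e.g. 91
    nspr_error: Optional[int]    # NSPR error, e.g. -5987
    ssl_function: Optional[str]  # SSL setup call that failed, for SSL alert lines
    message: str


def _code(pattern: re.Pattern, text: str) -> Optional[int]:
    m = pattern.search(text)
    return int(m.group("code")) if m else None


def parse_line(line: str) -> Optional[SyncFailure]:
    """Parse one errors-log line; None for lines this helper does not understand."""
    line = line.rstrip("\n")
    m = AGMT_RE.match(line)
    if m:
        return SyncFailure(m.group("ts"), m.group("agmt"), m.group("host"),
                           int(m.group("port")), _code(LDAP_ERR_RE, m.group("msg")),
                           _code(NSPR_ERR_RE, m.group("msg")), None, m.group("msg"))
    m = SSL_ALERT_RE.match(line)
    if m:
        msg = f"{m.group('func')}({m.group('args')}) returned {m.group('rc')}: {m.group('msg')}"
        return SyncFailure(m.group("ts"), None, None, None, None,
                           _code(NSPR_ERR_RE, m.group("msg")), m.group("func"), msg)
    return None


def ldapsearch_check(host: str, port: int,
                     certdb: str = "/etc/dirsrv/slapd-instancename") -> str:
    """The TLS probe from the reply, with host/port taken from the log line.
    certdb defaults to the reply's placeholder path; substitute your instance dir."""
    return (f'/usr/lib/mozldap/ldapsearch -h {host} -p {port} -Z -P {certdb} '
            f'-s base -b "" "objectclass=*"')


def diagnose(f: SyncFailure) -> str:
    """Advice per failure; this mapping is the example's own reading of the thread."""
    if f.ssl_function == "ldapssl_enable_clientauth":
        return ("SSL client-certificate auth setup failed (NSPR %s, invalid function "
                "argument); the reply says cert-based client auth is not required, so "
                "configure the agreement for simple bind over TLS/SSL instead" % f.nspr_error)
    if f.ldap_error == 91:
        return (f"cannot connect to {f.host}:{f.port}; check that the agreement is set to "
                f"use SSL on that port (plain LDAP to an LDAPS port fails this way), then "
                f"verify TLS from the DS host: {ldapsearch_check(f.host, f.port)}")
    if f.ldap_error == -1 and "client authentication" in f.message:
        return "follow-on failure of the SSL client-auth setup above; fix that first"
    return "unrecognised replication failure; read the surrounding errors-log lines"


def triage(log_text: str) -> List[Tuple[SyncFailure, str]]:
    """Parse every recognised line of an errors log and pair it with advice."""
    found = [parse_line(line) for line in log_text.splitlines()]
    return [(f, diagnose(f)) for f in found if f is not None]


if __name__ == "__main__":
    for failure, advice in triage(SAMPLE_LOG):
        print(f"{failure.timestamp} {failure.agreement or failure.ssl_function}: {advice}")
```

Run it against a copy of /var/log/dirsrv/slapd-INSTANCE/errors (the directory server log the reply points at, not the admin server log) to see which of the two failure modes the agreement is hitting; the error-91 case is the one where the ldapsearch -Z probe settles whether the DS cert DB trusts the AD CA.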