Has anyone seen this before? Possible causes? Thanks Joe
Start Slapd Server Config
FATAL Slapd ERROR LDAP authentication failed for url:
ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
unknown error)
Fatal slapd did not add directory server information into configuration
server
...
From: Richard Megginson <rmeggins(a)redhat.com>
Reply-To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users(a)redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Date: Fri, 04 Aug 2006 09:45:37 -0600
One problem may be that you have to specify some additional option when
creating the MS CA cert or server certs issued by this CA. Is this a root
CA or did you get a CA certificate from somewhere else?
Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
Safonov Alexey wrote:
>Thanks Richard!
>
>In my opinion it is the certificate of the CA. You can see the details of
>how it was obtained on a screenshot (see the attached file).
>
>Safonov Alexey
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>Megginson
>Sent: Friday, July 28, 2006 5:45 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Error at work of the utility
>ldapsearch.
>
>
>Safonov Alexey wrote:
>
>>Thanks Richard!
>>
>>Now I start so:
>>[root@asterisk1 bin]# ./ldapsearch -Z -P
>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>
>>Also I receive a error:
>>
>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>
>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>ldaptool_getmodpath -- (null)
>>ldaptool_getdonglefilename -- (null)
>>ldap_simple_bind: Can't contact LDAP server
>> SSL error -8156 (Issuer certificate is invalid.)
>>
>>Though the certificate ad-cert (from Windows DC) is established. The utility
>>certutil and Fedora Management Console (Manage Certificates) shows it.
>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>slapd-asterisk1-
>>CA certificate CTu,u,u
>>server-cert u,u,u
>>Server-Cert u,u,u
>>ad-cert CT,C,C
>>
>>Help me!
>>
>>
>Is ad-cert the certificate of the AD server or the certificate of the CA
>that issued the AD cert? An SSL client only needs to trust the CA cert
>of the issuer of the server certs it wants to use.
>
>>Safonov Alexey
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>Megginson
>>Sent: Thursday, July 27, 2006 7:36 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>ldapsearch.
>>
>>
>>Safonov Alexey wrote:
>>
>>
>>>Hi !
>>>
>>>I am asking for help solving a problem with the utility ldapsearch.
>>>
>>>There is a problem carrying out synchronization between FDS and AD. I have done
>>>the following:
>>>1) Install FDS
>>>2) Configuring SSL-enabled FDS. For this purpose I ran the script
>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>>>the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>3) Restart FDS.
>>> netstat -atupn | grep ns-
>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>4) Enable SSL on AD.
>>>Install Certificate Service
>>>Check util ldp.exe:
>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>> Port - 636
>>> Checkbox "SSL"
>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>LDAP_VERSION3);
>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>Host supports SSL, SSL cipher strength = 128 bits
>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>Retrieving base DSA information...
>>>.....
>>>5) Import AD CA certificate in DER mode.
>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>slapd-asterisk1-
>>>CA certificate CTu,u,u
>>>server-cert u,u,u
>>>Server-Cert u,u,u
>>>ad-cert CT,C,C <- install this
>>>
>>>6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>
>>>
>>>
>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>openssl for crypto, which is completely different than NSS. You need to
>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>
>>
>>>Error:
>>>ldapsearch: unabel to parse protocol version
>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>
>>>Help me!
>>>Thanks
>>>
>>>------------------------------------------------------
>>>My Setup:
>>>
>>>Fedora Core 5 (i386)
>>>Fedora Directory Server 1.0.2
>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>------------------------------------------------------
>>>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
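As an added illustration that is not part of the thread, the following Python decodes the trust-flag triples in a `certutil -L` listing like the one posted and applies the point Richard makes: an NSS client resolves SSL error -8156 only when the certificate that issued the server's cert is present with `C` in the first (SSL) trust field, so a server's own leaf cert imported as "ad-cert" does not help. The listing is a constructed copy of the poster's; the `subject`/`issuer` strings passed to `diagnose` are assumed to be the DNs that `certutil -L -n <nick>` prints for that nickname.

```python
import re

# Constructed copy of the poster's `certutil -L -d . -P slapd-asterisk1-` output
LISTING = """\
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C
"""

# nickname, then three comma-separated fields: SSL, S/MIME, object signing
FLAGS_RE = re.compile(r"^(.*\S)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_listing(text):
    """Map nickname -> (ssl_flags, email_flags, objsign_flags)."""
    certs = {}
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            certs[m.group(1)] = tuple(m.group(2).split(","))
    return certs


def ssl_trust_role(flags):
    """Classify what the SSL trust field lets an NSS client do with the cert."""
    ssl = flags[0]
    if "C" in ssl:
        return "ca"         # trusted CA: may issue server certs (T adds client auth)
    if "P" in ssl:
        return "peer"       # this exact cert is trusted, no issuing power
    if "u" in ssl:
        return "own"        # this host's own cert/key; implies nothing about trust
    return "untrusted"      # valid-but-untrusted (c/p) or no flags at all


def diagnose(listing, nickname, subject, issuer):
    """Triage -8156 (issuer certificate is invalid) against a client cert DB.
    subject/issuer: DNs of the cert stored under nickname (assumed input)."""
    certs = parse_listing(listing)
    if nickname not in certs:
        return "missing: nickname not in cert DB"
    role = ssl_trust_role(certs[nickname])
    if role != "ca":
        return f"not a trust anchor: SSL flags {certs[nickname][0]!r} ({role})"
    if subject != issuer:
        # Not self-signed: most likely the AD server's leaf cert (or an
        # intermediate) was imported with CA trust instead of the issuing CA.
        return "not self-signed: import the CA that issued it, not this cert"
    return "ok: self-signed CA trusted for SSL; check hostname and chain next"
```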