[Fedora-directory-users] Error at work of the utility ldapsearch.

Richard Megginson rmeggins at redhat.com
Fri Aug 4 15:45:37 UTC 2006


One problem may be that you have to specify some additional option when 
creating the MS CA cert or server certs issued by this CA.  Is this a 
root CA or did you get a CA certificate from somewhere else?

Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P 
slapd-asterisk1- -L -n ad-cert

Safonov Alexey wrote:
> Thanks Richard!
>
> In my opinion it is the certificate of the CA. You can see the details of
> how it was received on a screenshot (see the attached file)
>
> Safonov Alexey
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
> Megginson
> Sent: Friday, July 28, 2006 5:45 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Error at work of the utility
> ldapsearch.
>
>
> Safonov Alexey wrote:
>   
>> Thanks Richard!
>>
>> Now I start so:
>> [root at asterisk1 bin]# ./ldapsearch -Z -P
>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>
>> Also I receive an error:
>>
>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>
>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>> ldaptool_getmodpath -- (null)
>> ldaptool_getdonglefilename -- (null)
>> ldap_simple_bind: Can't contact LDAP server
>>         SSL error -8156 (Issuer certificate is invalid.)
>>
>> Though the certificate ad-cert (from Windows DC) is established. The utility
>> certutil and Fedora Management Console (Manage Certificates) shows it.
>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>> slapd-asterisk1-
>> CA certificate                 CTu,u,u
>> server-cert                    u,u,u
>> Server-Cert                    u,u,u
>> ad-cert                        CT,C,C
>>
>> Help me!
>>
>>     
> Is ad-cert the certificate of the AD server or the certificate of the CA
> that issued the AD cert?  An SSL client only needs to trust the CA cert
> of the issuer of the server certs it wants to use.
>   
>> Safonov Alexey
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>> Megginson
>> Sent: Thursday, July 27, 2006 7:36 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>> ldapsearch.
>>
>>
>> Safonov Alexey wrote:
>>
>>     
>>> Hi !
>>>
>>> I am asking for help to solve a problem with the utility ldapsearch.
>>>
>>> The problem is carrying out synchronization between FDS and AD. I have done the
>>> following:
>>> 1) Install FDS
>>> 2) Configured SSL-enabled FDS. For this purpose I started the script
>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>>> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>> 3) Restart FDS.
>>>    netstat -atupn | grep ns-
>>> tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
>>> tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
>>> 4) Enable SSL on AD.
>>> Install Certificate Service
>>> Check util ldp.exe:
>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>                  Port  - 636
>>>                  Checkbox "SSL"
>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>> LDAP_VERSION3);
>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>> Host supports SSL, SSL cipher strength = 128 bits
>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>> Retrieving base DSA information...
>>> .....
>>> 5) Import AD CA certificate in DER mode.
>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>> slapd-asterisk1-
>>> CA certificate                         CTu,u,u
>>> server-cert                            u,u,u
>>> Server-Cert                            u,u,u
>>> ad-cert                                CT,C,C <- install this
>>>
>>> 6) [root at asterisk1 alias]# ldapsearch -Z -P
>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>
>>>
>>>       
>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>> openssl for crypto, which is completely different than NSS.  You need to
>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>
>>     
>>> Error:
>>> ldapsearch: unabel to parse protocol version
>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>
>>> Help me!
>>> Thanks
>>>
>>> ------------------------------------------------------
>>> My Setup:
>>>
>>> Fedora Core 5 (i386)
>>> Fedora Directory Server 1.0.2
>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>> ------------------------------------------------------
>>>       
>
>   
>
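The thread turns on what the NSS trust flags in the `certutil -L` listing mean and why "Issuer certificate is invalid" can still appear when ad-cert carries CT,C,C. As an added example (not code from the thread or from Fedora Directory Server), the script below parses a constructed copy of Alexey's listing, decodes the SSL trust field, and reports whether the expected issuer is trusted; the -8179 entry is NSS's unknown-issuer code, added for contrast, and the `diagnose` wording is this example's own.

```python
# Added example (not code from the thread): parse the trust flags printed by
# `certutil -L` and check whether the NSS db trusts a CA for server certs.
# Each entry has three comma-separated fields: SSL, S/MIME, object signing.
FLAG_MEANING = {"c": "valid CA", "C": "trusted CA to issue server certs",
                "T": "trusted CA to issue client certs", "p": "distrusted",
                "u": "user cert (private key in the key db)"}

# NSS error codes: -8156 is the one in the thread, -8179 the contrasting case
NSS_ERRORS = {
    -8156: "issuer found in the db but not usable as a CA (check basicConstraints "
           "CA:TRUE and that it really issued the server cert); trust flags cannot fix this",
    -8179: "unknown issuer: the server cert's issuing CA is not in the db at all",
}

# Constructed copy of the listing posted in the thread
CERTUTIL_LISTING = """\
CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C
"""


def parse_certutil_listing(text):
    """Map nickname -> (ssl_flags, email_flags, objsign_flags)."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        nickname, flags = line.strip().rsplit(None, 1)  # nickname may contain spaces
        fields = tuple(flags.split(","))
        if len(fields) != 3:
            raise ValueError("malformed trust flags: %r" % line)
        db[nickname] = fields
    return db


def is_ssl_trusted_ca(db, nickname):
    """True if NSS accepts server certs issued by this entry ('C' in the SSL field)."""
    return "C" in db[nickname][0]


def describe_ssl_trust(db, nickname):
    """Meanings of the SSL-field letters for one entry."""
    return [FLAG_MEANING[f] for f in db[nickname][0] if f in FLAG_MEANING]


def diagnose(db, ca_nickname, nss_error):
    """Explain an SSL failure given the trust state of the expected issuer."""
    if not is_ssl_trusted_ca(db, ca_nickname):
        return "%s lacks the C flag: certutil -M -n %s -t 'CT,C,C'" % (ca_nickname, ca_nickname)
    return "%s is trusted; %s" % (ca_nickname, NSS_ERRORS.get(nss_error, "NSS error %d" % nss_error))
```

Run against the posted listing, `diagnose(db, "ad-cert", -8156)` reports that ad-cert is already trusted, which is why Richard's follow-up asks about how the MS CA cert was created rather than about trust flags.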