[Fedora-directory-users] LDAP Error

Joe Sheehan triswimjoe at hotmail.com
Fri Aug 4 18:43:20 UTC 2006


Has anyone seen this before? Possible causes? Thanks, Joe


Start Slapd Server Config

FATAL Slapd ERROR LDAP authentication failed for url:
ldap://nodename.my.nis:1389 Netscaperoot user id admin (151: unknown error)

Fatal slapd did not add directory server information into configuration server

...




>From: Richard Megginson <rmeggins at redhat.com>
>Reply-To: "General discussion list for the Fedora Directory server 
>project." <fedora-directory-users at redhat.com>
>To: "General discussion list for the Fedora Directory server project." 
><fedora-directory-users at redhat.com>
>Subject: Re: [Fedora-directory-users] Error at work of the utility 
>ldapsearch.
>Date: Fri, 04 Aug 2006 09:45:37 -0600
>
>One problem may be that you have to specify some additional option when 
>creating the MS CA cert or server certs issued by this CA.  Is this a root 
>CA or did you get a CA certificate from somewhere else?
>
>Do this:
>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>
>Safonov Alexey wrote:
>>Thanks Richard!
>>
>>In my opinion it is the certificate of the CA. You can see the details of
>>how it was obtained on a screenshot (see the attached file)
>>
>>Safonov Alexey
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>Megginson
>>Sent: Friday, July 28, 2006 5:45 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>ldapsearch.
>>
>>
>>Safonov Alexey wrote:
>>
>>>Thanks Richard!
>>>
>>>Now I start it like this:
>>>[root at asterisk1 bin]# ./ldapsearch -Z \
>>>    -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db \
>>>    -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db \
>>>    -h srv-vm1.mup-example.vrn.ru -p 636 \
>>>    -D "cn=Administrator,cn=users,dc=mup-example,dc=vrn,dc=ru" -w secret01 \
>>>    -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>
>>>I also receive an error:
>>>
>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>
>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>ldaptool_getmodpath -- (null)
>>>ldaptool_getdonglefilename -- (null)
>>>ldap_simple_bind: Can't contact LDAP server
>>>         SSL error -8156 (Issuer certificate is invalid.)
>>>
>>>Though the certificate ad-cert (from the Windows DC) is installed. The
>>>certutil utility and the Fedora Management Console (Manage Certificates) show it.
>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>CA certificate                 CTu,u,u
>>>server-cert                    u,u,u
>>>Server-Cert                    u,u,u
>>>ad-cert                        CT,C,C
>>>
>>>Help me!
>>>
>>>
>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>that issued the AD cert?  An SSL client only needs to trust the CA cert
>>of the issuer of the server certs it wants to use.
>>
>>>Safonov Alexey
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>>Megginson
>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>ldapsearch.
>>>
>>>
>>>Safonov Alexey wrote:
>>>
>>>
>>>>Hi !
>>>>
>>>>I am asking for help with a problem with the ldapsearch utility.
>>>>
>>>>The problem is in carrying out synchronization between FDS and AD. I did
>>>>the following:
>>>>1) Install FDS
>>>>2) Configure SSL-enabled FDS. For this purpose I ran the script
>>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>from the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>3) Restart FDS.
>>>>    netstat -atupn | grep ns-
>>>>tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
>>>>tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
>>>>4) Enable SSL on AD.
>>>>Install Certificate Service
>>>>Check util ldp.exe:
>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>                  Port  - 636
>>>>                  Checkbox "SSL"
>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>LDAP_VERSION3);
>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>Retrieving base DSA information...
>>>>.....
>>>>5) Import the AD CA certificate in DER mode.
>>>>6) Copy, convert (PEM) and install the AD CA certificate in FDS. Check:
>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>CA certificate                         CTu,u,u
>>>>server-cert                            u,u,u
>>>>Server-Cert                            u,u,u
>>>>ad-cert                                CT,C,C <- install this
>>>>
>>>>7) [root at asterisk1 alias]# ldapsearch -Z \
>>>>    -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db \
>>>>    -h srv-vm1.mup-example.vrn.ru -p 636 \
>>>>    -D "cn=Administrator,cn=users,dc=mup-example,dc=vrn,dc=ru" -w secret01 \
>>>>    -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>
>>>>
>>>>
>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>openssl for crypto, which is completely different than NSS.  You need to
>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>
>>>
>>>>Error:
>>>>ldapsearch: unable to parse protocol version
>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>
>>>>Help me!
>>>>Thanks
>>>>
>>>>------------------------------------------------------
>>>>My Setup:
>>>>
>>>>Fedora Core 5 (i386)
>>>>Fedora Directory Server 1.0.2
>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>------------------------------------------------------
>>>>
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>

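The quoted thread turns on what the trust column of certutil -L actually grants: Richard's point is that an NSS client only needs the CA that issued the server certificate trusted for SSL, and the earlier "unable to parse protocol version" error comes from OpenLDAP's ldapsearch, where -P selects the LDAP protocol version (2 or 3) rather than a certificate database. As an added example, not code from the thread or from Fedora Directory Server, the following Python script parses a certutil -L listing (constructed here from the one quoted above) and reports which nicknames can serve as server-certificate trust anchors and which merely hold a private key:

```python
"""Interpret the trust column of an NSS 'certutil -L' listing.

Added example for this thread, not code from Fedora Directory Server or
from anyone in the discussion. The LISTING below is constructed from the
output quoted above; nothing here opens a real cert8.db.
"""
import re
from dataclasses import dataclass

# Trust letters as documented for certutil; each of the three comma-separated
# fields (SSL, S/MIME, object signing) may carry several of them.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certs",
    "C": "trusted CA to issue server certs",
    "u": "user cert (private key is in key3.db)",
    "w": "send warning",
}

# Constructed from the certutil -L output quoted in the thread.
LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CA certificate                                CTu,u,u
server-cert                                   u,u,u
Server-Cert                                   u,u,u
ad-cert                                       CT,C,C
"""

# A certificate line: nickname, two or more spaces, three flag fields.
LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*)$"
)


@dataclass
class Entry:
    nickname: str
    ssl: str      # trust flags for SSL/TLS
    email: str    # trust flags for S/MIME
    objsign: str  # trust flags for object signing


def parse_listing(text):
    """Return one Entry per certificate line; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ssl, email, objsign = m.group("trust").split(",")
        entries.append(Entry(m.group("nick").strip(), ssl, email, objsign))
    return entries


def classify_for_ssl_client(entry):
    """Say what an entry does when NSS, acting as a client, validates a server cert.

    Only a cert whose SSL field carries C is a trust anchor for server
    certificates. T marks a CA trusted for client certs, P trusts one
    specific peer cert, and u merely says the private key is present.
    """
    flags = entry.ssl
    if "C" in flags:
        return "ssl-server-trust-anchor"
    if "T" in flags or "c" in flags:
        return "ca-not-trusted-for-servers"
    if "P" in flags:
        return "trusted-peer-only"
    if "u" in flags:
        return "own-cert"
    return "no-trust"


def ssl_trust_anchors(text):
    """Nicknames in the listing that can validate a server certificate chain."""
    return [e.nickname for e in parse_listing(text)
            if classify_for_ssl_client(e) == "ssl-server-trust-anchor"]


def describe(entry):
    """Spell out the letters of the SSL field, e.g. 'CT' -> two meanings."""
    return [FLAG_MEANING[c] for c in entry.ssl if c in FLAG_MEANING]


if __name__ == "__main__":
    for e in parse_listing(LISTING):
        print(f"{e.nickname:16} {e.ssl:8} {classify_for_ssl_client(e):28} "
              f"{'; '.join(describe(e))}")
```

Run as a script it prints one line per nickname; on the quoted listing both "CA certificate" (the self-signed CA from setupssl.sh) and "ad-cert" come out as SSL trust anchors, while the two server certs are only "own-cert". The flags describe how an entry is trusted, not what it is: the script reports ad-cert as an anchor even if that entry is the AD server's own certificate rather than the CA that issued it, which is exactly the question Richard asks, and certutil -L -n ad-cert (his command above) prints the subject and issuer that settle it.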