[Fedora-directory-users] LDAP Error

Richard Megginson rmeggins at redhat.com
Fri Aug 4 21:26:21 UTC 2006


Joe Sheehan wrote:
> Googling for this - it basically says the same thing as you've stated.
> Is there a way to fix this by hand
Fix your DNS and reverse DNS setup.  Are you also using NIS for 
hostname resolution?  You may have to make sure NIS and DNS hosts 
resolve to the same IP addresses.
> or is LDAP corrupted beyond fixing unless you
> uninstall and re-install.
This has nothing to do with ldap corruption.  Although, once you fix 
your DNS and reverse DNS, you will need to reinstall from scratch.  
This is unfortunately the easiest way to ensure proper Admin Server setup.
>
> Joe
>
>
>> From: Richard Megginson <rmeggins at redhat.com>
>> Reply-To: "General discussion list for the Fedora Directory server 
>> project." <fedora-directory-users at redhat.com>
>> To: "General discussion list for the Fedora Directory server 
>> project." <fedora-directory-users at redhat.com>
>> Subject: Re: [Fedora-directory-users] LDAP Error
>> Date: Fri, 04 Aug 2006 14:04:23 -0600
>>
>> Joe Sheehan wrote:
>>> Has anyone seen this before? Possible causes? Thanks Joe
>>>
>>>
>>> Start Slapd Server Config
>>>
>>> FATAL Slapd ERROR LDAP authentication failed for url: 
>>> ldap://nodename.my.nis:1389             Netscaperoot user id admin 
>>> (151: unknown error)
>> This usually indicates a problem with DNS or reverse DNS setup.
>>>
>>> Fatal slapd did not add directory server information into 
>>> configuration server
>>>
>>> ...
>>>
>>>
>>>
>>>
>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>> Reply-To: "General discussion list for the Fedora Directory server 
>>>> project." <fedora-directory-users at redhat.com>
>>>> To: "General discussion list for the Fedora Directory server 
>>>> project." <fedora-directory-users at redhat.com>
>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility 
>>>> ldapsearch.
>>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>
>>>> One problem may be that you have to specify some additional option 
>>>> when creating the MS CA cert or server certs issued by this CA.  Is 
>>>> this a root CA or did you get a CA certificate from somewhere else?
>>>>
>>>> Do this:
>>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P 
>>>> slapd-asterisk1- -L -n ad-cert
>>>>
>>>> Safonov Alexey wrote:
>>>>> Thanks Richard!
>>>>>
>>>>> In my opinion it is the certificate of the CA. You can see the 
>>>>> details of how it was obtained in the screenshot (see the attached 
>>>>> file)
>>>>>
>>>>> Safonov Alexey
>>>>>
>>>>> -----Original Message-----
>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of 
>>>>> Richard
>>>>> Megginson
>>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>>> To: General discussion list for the Fedora Directory server project.
>>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>> ldapsearch.
>>>>>
>>>>>
>>>>> Safonov Alexey wrote:
>>>>>
>>>>>> Thanks Richard!
>>>>>>
>>>>>> Now I start so:
>>>>>> [root at asterisk1 bin]# ./ldapsearch -Z -P
>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
>>>>>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w 
>>>>>> secret01 -s
>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>
>>>>>> Also I receive a error:
>>>>>>
>>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>
>>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>> ldaptool_getcertpath -- 
>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>> ldaptool_getmodpath -- (null)
>>>>>> ldaptool_getdonglefilename -- (null)
>>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>>>         SSL error -8156 (Issuer certificate is invalid.)
>>>>>>
>>>>>> Though the certificate ad-cert (from the Windows DC) is installed. The 
>>>>>> certutil utility and the Fedora Management Console (Manage Certificates) 
>>>>>> show it.
>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d 
>>>>>> . -P
>>>>>> slapd-asterisk1-
>>>>>> CA certificate                 CTu,u,u
>>>>>> server-cert                    u,u,u
>>>>>> Server-Cert                    u,u,u
>>>>>> ad-cert                        CT,C,C
>>>>>>
>>>>>> Help me!
>>>>>>
>>>>>>
>>>>> Is ad-cert the certificate of the AD server or the certificate of 
>>>>> the CA
>>>>> that issued the AD cert?  An SSL client only needs to trust the CA 
>>>>> cert
>>>>> of the issuer of the server certs it wants to use.
>>>>>
>>>>>> Safonov Alexey
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>> [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of 
>>>>>> Richard
>>>>>> Megginson
>>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>> ldapsearch.
>>>>>>
>>>>>>
>>>>>> Safonov Alexey wrote:
>>>>>>
>>>>>>
>>>>>>> Hi !
>>>>>>>
>>>>>>> I am asking for help solving a problem with the ldapsearch utility.
>>>>>>>
>>>>>>> The problem is in carrying out synchronization between FDS and AD. 
>>>>>>> I have done the following:
>>>>>>> 1) Install FDS
>>>>>>> 2) Configuring SSL-enabled FDS. For this purpose I ran the script
>>>>>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>> from the HOWTO "Howto:SSL" 
>>>>>>> (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>> 3) Restart FDS.
>>>>>>>    netstat -atupn | grep ns-
>>>>>>> tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
>>>>>>> tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
>>>>>>> 4) Enable SSL on AD.
>>>>>>> Install Certificate Service
>>>>>>> Check util ldp.exe:
>>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>                  Port  - 636
>>>>>>>                  Checkbox "SSL"
>>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>>> LDAP_VERSION3);
>>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>> Retrieving base DSA information...
>>>>>>> .....
>>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>>> [root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d 
>>>>>>> . -P
>>>>>>> slapd-asterisk1-
>>>>>>> CA certificate                         CTu,u,u
>>>>>>> server-cert                            u,u,u
>>>>>>> Server-Cert                            u,u,u
>>>>>>> ad-cert                                CT,C,C <- install this
>>>>>>>
>>>>>>> 7) [root at asterisk1 alias]# ldapsearch -Z -P
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>> rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w 
>>>>>>> secret01 -s
>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>>> openssl for crypto, which is completely different than NSS.  You 
>>>>>> need to
>>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>
>>>>>>
>>>>>>> Error:
>>>>>>> ldapsearch: unable to parse protocol version
>>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>
>>>>>>> Help me!
>>>>>>> Thanks
>>>>>>>
>>>>>>> ------------------------------------------------------
>>>>>>> My Setup:
>>>>>>>
>>>>>>> Fedora Core 5 (i386)
>>>>>>> Fedora Directory Server 1.0.2
>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>> ------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060804/5fcdd065/attachment.bin>
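Richard's advice above (fix DNS and reverse DNS, and make sure NIS and DNS
resolve the host to the same addresses) can be checked mechanically before
re-running the Admin Server setup. The script below is an added example
written for this archive page; it is not code from the Fedora Directory
Server project or from anyone in the thread. The "nodename.my.nis" entries
and the 192.0.2.x addresses in its self-test tables are constructed and do
not describe any real host. Run with no arguments it walks the live system
resolver for the local FQDN; to compare NIS against DNS specifically you
would pass your own lookup callables (for example wrappers around ypmatch
and host output), which this example does not implement.

```python
"""Check that forward and reverse name resolution agree for a host.

Added example for the DNS / reverse-DNS advice in the thread above; not
code from the Fedora Directory Server project or from the thread.  The
resolver tables used by self_test() are constructed and not real hosts.
"""
import socket
import sys


def live_forward(name):
    """Forward lookup via the system resolver (nsswitch: files, nis, dns ...)."""
    return socket.gethostbyname_ex(name)[2]


def live_reverse(addr):
    """Reverse (PTR) lookup via the system resolver."""
    return socket.gethostbyaddr(addr)[0]


def _norm(name):
    return name.lower().rstrip(".")


def check_reverse(hostname, forward=live_forward, reverse=live_reverse):
    """Walk hostname -> address -> PTR name and return a list of problems."""
    problems = []
    try:
        addrs = forward(hostname)
    except OSError as exc:
        return ["forward lookup of %s failed: %s" % (hostname, exc)]
    if not addrs:
        return ["forward lookup of %s returned no addresses" % hostname]
    for addr in addrs:
        try:
            ptr = reverse(addr)
        except OSError as exc:
            problems.append("no PTR record for %s (%s): %s" % (addr, hostname, exc))
            continue
        if _norm(ptr) != _norm(hostname):
            problems.append("%s -> %s -> %s: reverse name does not match"
                            % (hostname, addr, ptr))
    return problems


def check_sources_agree(hostname, sources):
    """Report when different name sources (e.g. NIS and DNS) disagree.

    `sources` maps a label to a forward-lookup callable.
    """
    results = {}
    for label, lookup in sources.items():
        try:
            results[label] = sorted(lookup(hostname))
        except OSError as exc:
            results[label] = "lookup failed: %s" % exc
    if len({repr(v) for v in results.values()}) <= 1:
        return []
    return ["%s resolves differently per source: %s" % (hostname, results)]


# Constructed resolver tables for the self-test (hypothetical, not real hosts):
# NIS and DNS disagree on the address, and the PTR points at an old name.
NIS_HOSTS = {"nodename.my.nis": ["192.0.2.10"]}
DNS_HOSTS = {"nodename.my.nis": ["192.0.2.11"]}
DNS_PTR = {"192.0.2.11": "oldname.my.nis"}


def table_lookup(table):
    """Turn a dict into a lookup callable that fails like the socket module."""
    def lookup(key):
        if key not in table:
            raise socket.gaierror("constructed table has no entry for %s" % key)
        return table[key]
    return lookup


def self_test():
    """Run both checks against the constructed tables; returns the findings."""
    findings = check_reverse("nodename.my.nis",
                             table_lookup(DNS_HOSTS), table_lookup(DNS_PTR))
    findings += check_sources_agree("nodename.my.nis",
                                    {"nis": table_lookup(NIS_HOSTS),
                                     "dns": table_lookup(DNS_HOSTS)})
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    found = check_reverse(host)
    for line in found:
        print("PROBLEM:", line)
    if not found:
        print("OK: forward and reverse lookups for %s agree" % host)
    sys.exit(1 if found else 0)
```

Both checks return an empty list when the host is consistent, so the script
exits non-zero exactly when something needs fixing before setup is re-run.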


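The certutil -L listing quoted further up (trust flags such as CTu,u,u,
u,u,u and CT,C,C) is what the NSS-based ldapsearch in /opt/fedora-ds/shared/bin
consults before it accepts a server certificate, and Richard's point is that
only the issuer CA needs a trust flag. The parser below is an added example
written for this archive page, not code from the thread or from the Fedora
Directory Server project. Its sample input is the listing posted in the
thread plus the header lines certutil normally prints; the certutil
invocations in the advice strings omit the -d and -P options, which you
would add exactly as in the thread.

```python
"""Read `certutil -L` output and say what an NSS SSL client will trust.

Added example for this archive page; not code from the Fedora Directory
Server project or from anyone in the thread.  SAMPLE_LISTING is the listing
posted in the thread plus certutil's usual header lines.
"""
import re

# One entry: a nickname (which may contain spaces), then three comma-separated
# trust-flag groups for the SSL, e-mail and object-signing slots.
_ENTRY = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*)\s*$")

FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA, may issue server certs",
    "T": "trusted CA, may issue client certs",
    "u": "user cert (private key is in this database)",
    "w": "send warning",
    "W": "send warning",
}

SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
server-cert                                                  u,u,u
Server-Cert                                                  u,u,u
ad-cert                                                      CT,C,C
"""


def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, email_flags, objsign_flags)}."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.rstrip())
        if m is None:
            continue  # header, sub-header or blank line
        entries[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return entries


def is_ssl_trust_anchor(flags):
    """True when NSS will accept server certs issued by this entry."""
    return "C" in flags[0]


def has_private_key(flags):
    """True for entries whose private key lives in key3.db (our own certs)."""
    return any("u" in slot for slot in flags)


def ssl_trust_anchors(entries):
    """Nicknames an NSS SSL client can use to validate a peer's chain."""
    return sorted(n for n, f in entries.items() if is_ssl_trust_anchor(f))


def describe(flags):
    """Human-readable reading of the SSL slot, e.g. 'CT' -> two CA trusts."""
    if not flags[0]:
        return "no SSL trust"
    return "; ".join(FLAG_MEANING[ch] for ch in flags[0])


def diagnose(entries, issuer_nick):
    """Classify the nickname you believe issued the remote server's cert.

    Returns (status, advice) with status in 'absent', 'untrusted', 'trusted'.
    A 'trusted' entry can still produce SSL error -8156 when it is not the
    real issuer of the server cert (for example the server's own cert
    imported under a CA-looking nickname); the flags cannot show that, only
    the subject and issuer printed by `certutil -L -n NICK` can.
    """
    flags = entries.get(issuer_nick)
    if flags is None:
        return ("absent", "%s is not in this cert database; import the CA cert "
                "with certutil -A -n %s -t 'C,,' -a -i ca.pem"
                % (issuer_nick, issuer_nick))
    if not is_ssl_trust_anchor(flags):
        return ("untrusted", "%s is present (%s) but has no C flag in the SSL "
                "slot; run certutil -M -n %s -t 'C,,'"
                % (issuer_nick, describe(flags), issuer_nick))
    return ("trusted", "%s is a trusted SSL CA (%s); if -8156 persists, check "
            "with certutil -L -n %s that its subject is the issuer of the "
            "server cert" % (issuer_nick, describe(flags), issuer_nick))


if __name__ == "__main__":
    import sys
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    db = parse_certutil_list(text)
    for nick, flags in db.items():
        print("%-20s %-10s %s" % (nick, ",".join(flags), describe(flags)))
    print("SSL trust anchors:", ", ".join(ssl_trust_anchors(db)))
    print(diagnose(db, "ad-cert")[1])
```

Pipe real output into it (certutil -d . -P slapd-asterisk1- -L | python
this_script.py) to see which entries are usable trust anchors for the
ldapsearch -Z connection and which are just your own server certs.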