[Fedora-directory-users] LDAP Error

Joe Sheehan triswimjoe at hotmail.com
Fri Aug 4 21:42:24 UTC 2006


Thanks - we will definitely take your advice.
Curious if switching the order within the nsswitch.conf would do the trick.

Joe


>From: Richard Megginson <rmeggins at redhat.com>
>Reply-To: "General discussion list for the Fedora Directory server 
>project." <fedora-directory-users at redhat.com>
>To: "General discussion list for the Fedora Directory server project." 
><fedora-directory-users at redhat.com>
>Subject: Re: [Fedora-directory-users] LDAP Error
>Date: Fri, 04 Aug 2006 15:26:21 -0600
>
>Joe Sheehan wrote:
>>google(ing) for this - it basically says the same thing as you've stated.
>>Is there a way to fix this by hand
>Fix your DNS and reverse DNS set up.  Are you also using NIS for hostname 
>resolution?  You may have to make sure NIS and DNS hosts resolve to the 
>same IP addresses.
>>or is LDAP corrupted beyond fixing unless you
>>uninstall and re-install.
>This has nothing to do with ldap corruption.  Although, once you fix your 
>DNS and reverse DNS, you will need to re-install from scratch.  This is 
>unfortunately the easiest way to ensure proper Admin Server set up.
>>
>>Joe
>>
>>
>>>From: Richard Megginson <rmeggins at redhat.com>
>>>Reply-To: "General discussion list for the Fedora Directory server 
>>>project." <fedora-directory-users at redhat.com>
>>>To: "General discussion list for the Fedora Directory server project." 
>>><fedora-directory-users at redhat.com>
>>>Subject: Re: [Fedora-directory-users] LDAP Error
>>>Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>
>>>Joe Sheehan wrote:
>>>>Has anyone seen this before? Possible causes? Thanks Joe
>>>>
>>>>
>>>>Start Slapd Server Config
>>>>
>>>>FATAL Slapd ERROR LDAP authentication failed for url: 
>>>>ldap://nodename.my.nis:1389             Netscaperoot user id admin (151: 
>>>>unknown error)
>>>This usually indicates a problem with DNS or reverse DNS setup.
>>>>
>>>>Fatal slapd did not add directory server information into configuration 
>>>>server
>>>>
>>>>...
>>>>
>>>>
>>>>
>>>>
>>>>>From: Richard Megginson <rmeggins at redhat.com>
>>>>>Reply-To: "General discussion list for the Fedora Directory server 
>>>>>project." <fedora-directory-users at redhat.com>
>>>>>To: "General discussion list for the Fedora Directory server project." 
>>>>><fedora-directory-users at redhat.com>
>>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility 
>>>>>ldapsearch.
>>>>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>
>>>>>One problem may be that you have to specify some additional option when 
>>>>>creating the MS CA cert or server certs issued by this CA.  Is this a 
>>>>>root CA or did you get a CA certificate from somewhere else?
>>>>>
>>>>>Do this:
>>>>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P 
>>>>>slapd-asterisk1- -L -n ad-cert
>>>>>
>>>>>Safonov Alexey wrote:
>>>>>>Thanks Richard!
>>>>>>
>>>>>>In my opinion it is the certificate of the CA. You can see the details 
>>>>>>of how it was obtained on a screenshot (see the attached file).
>>>>>>
>>>>>>Safonov Alexey
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: fedora-directory-users-bounces at redhat.com
>>>>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Richard
>>>>>>Megginson
>>>>>>Sent: Friday, July 28, 2006 5:45 PM
>>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>>ldapsearch.
>>>>>>
>>>>>>
>>>>>>Safonov Alexey wrote:
>>>>>>
>>>>>>>Thanks Richard!
>>>>>>>
>>>>>>>Now I start so:
>>>>>>>[root at asterisk1 bin]# ./ldapsearch -Z -P
>>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
>>>>>>>rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>>>>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>>
>>>>>>>Also I receive an error:
>>>>>>>
>>>>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>
>>>>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>>ldaptool_getmodpath -- (null)
>>>>>>>ldaptool_getdonglefilename -- (null)
>>>>>>>ldap_simple_bind: Can't contact LDAP server
>>>>>>>         SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>
>>>>>>>Though the certificate ad-cert (from Windows DC) is installed. The 
>>>>>>>utility certutil and Fedora Management Console (Manage Certificates) 
>>>>>>>show it.
>>>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>>>>>slapd-asterisk1-
>>>>>>>CA certificate                 CTu,u,u
>>>>>>>server-cert                    u,u,u
>>>>>>>Server-Cert                    u,u,u
>>>>>>>ad-cert                        CT,C,C
>>>>>>>
>>>>>>>Help me!
>>>>>>>
>>>>>>>
>>>>>>Is ad-cert the certificate of the AD server or the certificate of the 
>>>>>>CA
>>>>>>that issued the AD cert?  An SSL client only needs to trust the CA 
>>>>>>cert
>>>>>>of the issuer of the server certs it wants to use.
>>>>>>
>>>>>>>Safonov Alexey
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: fedora-directory-users-bounces at redhat.com
>>>>>>>[mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of 
>>>>>>>Richard
>>>>>>>Megginson
>>>>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>>>ldapsearch.
>>>>>>>
>>>>>>>
>>>>>>>Safonov Alexey wrote:
>>>>>>>
>>>>>>>
>>>>>>>>Hi !
>>>>>>>>
>>>>>>>>I ask for help solving a problem with the utility ldapsearch.
>>>>>>>>
>>>>>>>>There is a problem carrying out synchronization between FDS and AD. 
>>>>>>>>I have done the following:
>>>>>>>>1) Install FDS
>>>>>>>>2) Configuring SSL Enabled FDS. For this purpose I have started the script
>>>>>>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>>from the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>>3) Restart FDS.
>>>>>>>>    netstat -atupn | grep ns-
>>>>>>>>tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
>>>>>>>>tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
>>>>>>>>4) Enable SSL on AD.
>>>>>>>>Install Certificate Service
>>>>>>>>Check util ldp.exe:
>>>>>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>>                  Port  - 636
>>>>>>>>                  Checkbox "SSL"
>>>>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>>>>LDAP_VERSION3);
>>>>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>>Retrieving base DSA information...
>>>>>>>>.....
>>>>>>>>5) Import AD CA certificate in DER mode.
>>>>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>>>>[root at asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . 
>>>>>>>>-P
>>>>>>>>slapd-asterisk1-
>>>>>>>>CA certificate                         CTu,u,u
>>>>>>>>server-cert                            u,u,u
>>>>>>>>Server-Cert                            u,u,u
>>>>>>>>ad-cert                                CT,C,C <- install this
>>>>>>>>
>>>>>>>>6) [root at asterisk1 alias]# ldapsearch -Z -P
>>>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>>>rv-vm1.mup-example.vrn.ru  -p 636 -D
>>>>>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 
>>>>>>>>-s
>>>>>>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>>>>openssl for crypto, which is completely different than NSS.  You need 
>>>>>>>to
>>>>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>
>>>>>>>
>>>>>>>>Error:
>>>>>>>>ldapsearch: unabel to parse protocol version
>>>>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>
>>>>>>>>Help me!
>>>>>>>>Thanks
>>>>>>>>
>>>>>>>>------------------------------------------------------
>>>>>>>>My Setup:
>>>>>>>>
>>>>>>>>Fedora Core 5 (i386)
>>>>>>>>Fedora Directory Server 1.0.2
>>>>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>>------------------------------------------------------
>>>>>>>>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
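The two checks Richard recommends, that every address a hostname resolves to reverse-resolves back to that hostname, and that the name sources a machine consults (DNS, NIS) agree on the addresses, can be scripted. The block below is an added example, not code from the list thread or from Fedora Directory Server; the hostnames and addresses in its demo tables (`dir1.example.test`, `192.0.2.x`) are constructed, and the stale PTR and out-of-date NIS map they model are illustrations, not anything reported in the thread. The resolver callables are injectable so the same logic runs against the system resolver (which follows nsswitch.conf order) or against any per-source lookup you supply.

```python
"""Consistency checks for name resolution: (1) does each address a hostname
forward-resolves to reverse-resolve back to that hostname, and (2) do
independent sources (e.g. DNS and NIS) return the same addresses for it?
Added example; demo hostnames/addresses below are constructed."""
import socket


def system_forward(hostname):
    """Forward lookup through the system resolver (honours nsswitch.conf order)."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return sorted(set(addrs))


def system_reverse(ip):
    """Reverse lookup through the system resolver: canonical name plus aliases."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return sorted({n.lower().rstrip(".") for n in [name, *aliases]})


def table_resolver(table):
    """Resolver over a constructed dict; raises socket.herror (an OSError) for
    unknown keys, as the real resolver does for a name that does not exist."""
    def lookup(key):
        key = key.lower().rstrip(".")
        if key not in table:
            raise socket.herror(1, f"constructed table: no entry for {key}")
        return sorted(table[key])
    return lookup


def check_forward_reverse(hostname, forward=system_forward, reverse=system_reverse):
    """Return a list of problem strings; an empty list means forward and
    reverse resolution agree for hostname."""
    host = hostname.lower().rstrip(".")
    try:
        addrs = forward(host)
    except OSError as exc:
        return [f"forward lookup of {host} failed: {exc}"]
    if not addrs:
        return [f"forward lookup of {host} returned no addresses"]
    problems = []
    for ip in addrs:
        try:
            names = reverse(ip)
        except OSError as exc:
            problems.append(f"no reverse record for {ip} (address of {host}): {exc}")
            continue
        if host not in names:
            problems.append(f"reverse record for {ip} names {names}, not {host}")
    return problems


def compare_sources(hostname, sources):
    """sources maps a label ('dns', 'nis', ...) to a forward-resolver callable.
    Returns (answers, consistent): answers is label -> tuple of addresses
    (None when that source failed); consistent is True only when every source
    gave the same answer."""
    answers = {}
    for label, resolver in sources.items():
        try:
            answers[label] = tuple(resolver(hostname))
        except OSError:
            answers[label] = None
    return answers, len(set(answers.values())) == 1


# Constructed demo data (RFC 5737 documentation addresses, .test TLD): one host
# whose PTR matches, one whose PTR still carries a stale name, and a NIS hosts
# map that disagrees with DNS for the first host.
DEMO_DNS_FORWARD = {
    "dir1.example.test": ["192.0.2.10"],
    "dir2.example.test": ["192.0.2.11"],
}
DEMO_DNS_REVERSE = {
    "192.0.2.10": ["dir1.example.test"],
    "192.0.2.11": ["old-name.example.test"],   # stale PTR record
}
DEMO_NIS_FORWARD = {
    "dir1.example.test": ["192.0.2.99"],       # NIS map out of date
}


def demo_report(hostname):
    """Run both checks against the constructed tables for one hostname."""
    dns_fwd = table_resolver(DEMO_DNS_FORWARD)
    dns_rev = table_resolver(DEMO_DNS_REVERSE)
    nis_fwd = table_resolver(DEMO_NIS_FORWARD)
    problems = check_forward_reverse(hostname, forward=dns_fwd, reverse=dns_rev)
    answers, consistent = compare_sources(hostname, {"dns": dns_fwd, "nis": nis_fwd})
    return problems, answers, consistent


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check of a real hostname through the system resolver.
        for line in check_forward_reverse(sys.argv[1]) or ["forward/reverse consistent"]:
            print(line)
    else:
        for h in ("dir1.example.test", "dir2.example.test"):
            print(h, demo_report(h))
```

Run it with a hostname argument to check a real machine through the system resolver, or without arguments to see the two constructed failure modes. Because `socket.gethostbyname_ex` goes through nsswitch.conf, it only ever shows the merged answer; to compare DNS and NIS individually, pass `compare_sources` one callable per source (for example, wrappers around the output of `dig` and `ypmatch`), which is the comparison that decides whether reordering nsswitch.conf would change what the server sees.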