[Fedora-directory-users] Re: Hosed sync with AD

Daniel Shackelford dshackel at arbor.edu
Wed Feb 1 15:01:44 UTC 2006


Thank you David. 

Anyone able to address the other questions about ssl?  I was able to use 
the system version of ldapsearch to connect securely to my domain 
controller from the FDS box.  I can also connect the same way to FDS.  I 
have read that the -81 error means that there is a problem with my 
server cert, or the ca cert that was used to create it.  I have 2 server 
certs signed by different CAs (nothing self-signed), and I have tried 
them both.  The CA certs are installed, and seem to be fine.  I even 
exported one to use on the local openldap in order to test connections to 
the domain controller without a problem.

Is FDS dependent on specific versions of libssl3.so or ?...  The thing 
that confuses me the most is that it all seems to be working fine in 
every other case.  I am still not sure there isn't a problem with my 
Win2003 domain controller...

Ack!

>Date: Tue, 31 Jan 2006 15:17:18 -0500
>From: Daniel Shackelford <dshackel at arbor.edu>
>Subject: [Fedora-directory-users] Hosed sync with AD
>To: FedoraUsers <fedora-directory-users at redhat.com>
>Message-ID: <43DFC5CE.1050909 at arbor.edu>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hello...
>
>Earlier this month we had an issue with one of our domain controllers 
>(Win2003) and took it down.  It was the one the directory server was 
>pointing to for synchronization.  Ever since then, no sync has occurred 
>and I am back to getting the
>
>-81 (Peer's Certificate issuer is not recognized.)
>
>I have checked the DC, and all looks well. We were merely moving the 
>logs to another volume, so it should not have an effect on ldap 
>connections. I did some fiddling and at one point I removed the native 
>java since I had installed the IBM version. Jessie depended on it, so 
>that was removed as well. I have since gotten new certs and CA certs, 
>and installed them, but still no luck on the connection. Certutil no 
>longer worked, so I installed mozilla-nss, and now it does not work
>for other reasons:
>
>NSS_Initialize failed: An I/O error occurred during security authorization.
>
>All certificate management via the console seems to work fine...
>
>So, my questions are:
>
>Is there a way to get my ssl libraries so they line up with what FDS wants?
>Was jessie even involved in this issue?
>I already have all our data in this directory, so is there a way for me 
>to get this thing syncing again without a wipe and reinstall?
>If I delete the sync agreement, and create a new one, what happens on 
>the first sync?  Will it just pick up where it left off, or will it 
>choke on all the objects that were a part of the previous sync 
>agreement?  Will I have problems with my data since it has been over 10 
>days since the last sync?
>
>  
>



