Hi All,

I am doing Active Directory ----> FDS (SSL); all attributes are replicated from ADC ---> FDS, but I am not able to see the password attribute in FDS?

Replication
FDS - working as master
PassSync for replication

Replication is happening from Active Directory:636 ----> FDS:636.

Am I missing something ...

------ ADC user profile, which is replicated in FDS -------
dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com
ntUniqueId: f96921fe188c4b47a243ab088512103d
givenName: vipul
sn: r
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
uid: vramani
ntUserDeleteAccount: true
cn: vipul r
ntUserDomainId: vramani
ntUserAcctExpires: 9223372036854775807
ntUserCodePage: 0
------
---- access ------

[14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 nentries=0 etime=1
[14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 nentries=18 etime=0
------

Thanks in advance...

--
Regards
Vipul Ramani
--- passsync log ---
10/14/08 17:05:56: Failed to load entries from file
10/14/08 17:05:56: Ldap bind error in Connect
48: Inappropriate authentication
10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords
-----------------------------
ADC (where PassSync is installed) #

On the Directory Server, export the server certificate using pk12util.

FDS# pk12util -d . -o servercert.pfx -n Server-Cert

Then, import the server certificate from the Directory Server into the new certificate databases using pk12util.exe.

pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx

Then give trusted peer status to the server.

certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"

C:\Program Files (x86)\Red Hat Directory Password Synchronization>certutil.exe -L -d . -P
CA certificate      c,c,c
Server-Cert         Pu,Pu,Pu    <-- imported from FDS

C:\Program Files (x86)\Red Hat Directory Password Synchronization>
---------------------------
Still the same error ....
On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> Hi All,
>
> I am doing Active Directory ----> FDS (SSL); all attributes are replicated from ADC ---> FDS, but I am not able to see the password attribute in FDS?

--
Regards
Vipul Ramani
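The post above imports the FDS server certificate into the PassSync NSS database and then reads the trust flags back with `certutil -L`. The following is an added example, not code from the post or from PassSync/389 DS, that parses that listing and checks the two things worth checking on it: that the SSL trust slot of the Directory Server's certificate carries `P` (trusted peer, which is what `certutil -M -t "P,P,P"` sets), and whether it also carries `u`, the NSS flag for a certificate whose private key is in the database. The `Pu,Pu,Pu` shown in the post means the pk12util export carried the server's private key onto the AD host; a peer only needs the public certificate. The sample listing is constructed from the output quoted in the post.

```python
"""Check the trust flags of the Directory Server certificate imported into the
PassSync NSS database, from the text printed by `certutil -L`.

Added example for this thread; not code from the post or from PassSync/389 DS.
NSS trust-flag letters used here: 'c' = valid CA, 'P' = trusted peer,
'u' = user certificate, i.e. the database also holds its private key.
"""
from dataclasses import dataclass

# Constructed sample listing, columns as printed by `certutil -L -d .`
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               c,c,c
Server-Cert                                                  Pu,Pu,Pu
"""


@dataclass
class CertTrust:
    nickname: str
    ssl: str      # trust flags for the SSL slot
    smime: str    # S/MIME slot
    jar: str      # JAR/XPI (object signing) slot


def parse_certutil_listing(text: str) -> list[CertTrust]:
    """Parse `certutil -L` output into one CertTrust per nickname."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line.startswith("SSL,"):
            continue
        # nickname and flags are separated by a run of spaces; flags are the last token
        nickname, _, flags = line.rpartition(" ")
        slots = flags.split(",")
        if len(slots) != 3:      # not a nickname/flags row
            continue
        certs.append(CertTrust(nickname.strip(), *slots))
    return certs


def check_peer_trust(certs: list[CertTrust], nickname: str) -> list[str]:
    """Findings for the certificate PassSync must trust as the FDS peer."""
    cert = next((c for c in certs if c.nickname == nickname), None)
    if cert is None:
        return [f"{nickname}: not present in the NSS database"]
    findings = []
    if "P" not in cert.ssl:
        findings.append(f"{nickname}: SSL trust '{cert.ssl}' lacks 'P' (trusted peer)")
    if "u" in cert.ssl:
        findings.append(f"{nickname}: 'u' flag set, the private key is in this database")
    return findings


if __name__ == "__main__":
    for finding in check_peer_trust(parse_certutil_listing(SAMPLE_LISTING), "Server-Cert"):
        print(finding)
```

Run against the sample, the peer-trust check passes but the private-key finding fires. Exporting only the certificate from the Directory Server (for example with `certutil -L -n Server-Cert -a`) and importing that on the PassSync host gives the `P,,` style trust without the `u`.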
I feel I am so close to solving this problem ... since a long time ... if anyone has a clue what I forgot ...

I changed the password of cn=replication,cn=config and now I am only getting this error:

---- passsync log ----
10/14/08 17:24:19: Failed to load entries from file ##### I don't know which file "Failed to load entries from file" is talking about #####
10/14/08 17:26:41: Failed to load entries from file
10/14/08 17:26:41: PassSync service stopped
10/14/08 17:26:42: PassSync service started
10/14/08 17:26:42: Failed to load entries from file
----------------
/var/log/dir-serv/slapd-linux2/access

[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
[14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1

/var/log/dir-serv/slapd-linux2/errors: NO ERRORS ..
On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> --- passsync log ---
> 10/14/08 17:05:56: Failed to load entries from file
> 10/14/08 17:05:56: Ldap bind error in Connect
> 48: Inappropriate authentication
> 10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords

--
Regards
Vipul Ramani
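The access log quoted above is the evidence the thread has to work with: each PassSync check-in shows up as an SSL connection, a simple bind (`method=128`) as `cn=replication,cn=config`, a `RESULT err=0 tag=97`, and an unbind, while the earlier PassSync log reported LDAP result 48 (inappropriate authentication). The following is an added example, not code from the thread or from 389 DS, that parses 389/Fedora DS access-log lines, pairs each BIND with its RESULT on the same `conn`/`op`, and reports the things a defender wants flagged in such a log: simple binds on cleartext connections, failed binds by LDAP result code, and sessions negotiated with RC4. The first six sample lines are the conn=38 exchange from the post; conn=40 and conn=41 are constructed to exercise the failure paths.

```python
"""Correlate BIND attempts with their connections in a 389/Fedora DS access log.

Added example for this thread, not code from the post or from 389 DS.  The
conn=38 lines are the ones quoted in the thread; conn=40 and conn=41 are
constructed to show a cleartext bind, a bad password (err=49) and the err=48
that PassSync reported.
"""
import re

SAMPLE_LOG = """\
[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
[14/Oct/2008:10:25:02 -0700] conn=40 fd=70 slot=70 connection from 192.168.1.55 to 192.168.1.210
[14/Oct/2008:10:25:02 -0700] conn=40 op=0 BIND dn="uid=vramani,ou=People,dc=tf-lab,dc=test,dc=com" method=128 version=3
[14/Oct/2008:10:25:02 -0700] conn=40 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Oct/2008:10:26:10 -0700] conn=41 fd=71 slot=71 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:26:10 -0700] conn=41 SSL 128-bit RC4
[14/Oct/2008:10:26:10 -0700] conn=41 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:26:10 -0700] conn=41 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to \S+")
CIPHER_RE = re.compile(r"^SSL (?P<cipher>\S+ \S+)$")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97\b")  # tag=97: bind response

# LDAP result codes that matter for bind triage (RFC 4511)
LDAP_ERR = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}


def parse_access_log(text: str) -> dict:
    """Group log lines by conn=N, keeping transport details and each BIND's outcome."""
    conns: dict[int, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(int(m["conn"]),
                                {"src": None, "ssl": False, "cipher": None, "binds": {}})
        rest = m["rest"]
        if (cm := CONN_RE.match(rest)):
            conn["src"], conn["ssl"] = cm["src"], cm["ssl"] is not None
        elif (cm := CIPHER_RE.match(rest)):
            conn["cipher"] = cm["cipher"]
        elif (bm := BIND_RE.match(rest)):
            conn["binds"][int(bm["op"])] = {"dn": bm["dn"], "method": int(bm["method"]), "err": None}
        elif (rm := RESULT_RE.match(rest)) and int(rm["op"]) in conn["binds"]:
            conn["binds"][int(rm["op"])]["err"] = int(rm["err"])
    return conns


def audit_binds(conns: dict) -> list[str]:
    """Flag simple binds on cleartext connections, failed binds and RC4 sessions."""
    findings = []
    for cid, c in sorted(conns.items()):
        for op, b in sorted(c["binds"].items()):
            where = f'conn={cid} op={op} dn="{b["dn"]}" from {c["src"]}'
            if b["method"] == 128 and not c["ssl"]:      # method=128 is a simple bind
                findings.append(f"{where}: simple bind over a cleartext connection")
            if b["err"] not in (None, 0):
                findings.append(f"{where}: bind failed err={b['err']} ({LDAP_ERR.get(b['err'], 'other')})")
        if c["cipher"] and "RC4" in c["cipher"]:
            findings.append(f"conn={cid}: negotiated {c['cipher']}, RC4 is prohibited by RFC 7465")
    return findings


if __name__ == "__main__":
    for line in audit_binds(parse_access_log(SAMPLE_LOG)):
        print(line)
```

Note what the parser does not see in the thread's own lines: every bind as `cn=replication,cn=config` succeeds with `err=0`, so the server side is not where the 48 came from at the time those lines were written; pairing BIND with RESULT per connection is how you confirm that rather than reading the PassSync log alone.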
Any luck ??? Anyone who has been through the same problem ...

Clueless: no errors (FDS, ADC), only the PassSync error, which is mentioned below ...

On Tue, Oct 14, 2008 at 5:26 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> I feel I am so close to solving this problem ... since a long time ... if anyone has a clue what I forgot ...
>
> I changed the password of cn=replication,cn=config and now I am only getting this error:
> ---- passsync log ----
> 10/14/08 17:24:19: Failed to load entries from file ##### I don't know which file "Failed to load entries from file" is talking about #####
> 10/14/08 17:26:41: Failed to load entries from file
> 10/14/08 17:26:41: PassSync service stopped
> 10/14/08 17:26:42: PassSync service started
> 10/14/08 17:26:42: Failed to load entries from file

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-15 21:05 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Any luck ??? Anyone who has been through the same problem ...
>
> Clueless: no errors (FDS, ADC), only the PassSync error, which is mentioned below ...
>
> On Tue, Oct 14, 2008 at 5:26 PM, Vipul Ramani <vipulramani@gmail.com <mailto:vipulramani@gmail.com>> wrote:
>
>     I feel I am so close to solving this problem ... since a long time ... if anyone has a clue what I forgot ...
>
>     I changed the password of cn=replication,cn=config and now I am only getting this error:
>     ---- passsync log ----
>
>     10/14/08 17:24:19: Failed to load entries from file ##### I don't know which file "Failed to load entries from file" is talking about #####
>     10/14/08 17:26:41: Failed to load entries from file
>     10/14/08 17:26:41: PassSync service stopped
>     10/14/08 17:26:42: PassSync service started
>     10/14/08 17:26:42: Failed to load entries from file

I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).

>     ----------------
>     /var/log/dir-serv/slapd-linux2/access
>     [14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
>     [14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
>     [14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
>     [14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
>     [14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
>     [14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
>     [14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
>     [14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4
>     [14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
>     [14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
>     [14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND
>     [14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1
>
>     /var/log/dir-serv/slapd-linux2/errors: NO ERRORS ..
>
> --
> Regards
> Vipul Ramani
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hi Rich,

But I can log in, and I changed the password of ADC users. :(

Is there any other way to debug deeper? Kindly suggest, I am ready ....

> I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).

Regards
Vipul Ramani
Rich Megginson
2008-Oct-15 21:20 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Hi Rich,
>
> But I can log in, and I changed the password of ADC users. :(
>
> Is there any other way to debug deeper? Kindly suggest, I am ready ....

I don't know.

> I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).
>
> Regards
> Vipul Ramani
Eric Beda
2008-Oct-16 08:10 UTC
[Fedora-directory-users] Recovering Directory Server Admin Password
Hi,

I've lost my directory server admin password, how do i recover it ?, so that i can manage the DS via GUI interface on the machine

Help Please
Diaa Radwan
2008-Oct-16 08:36 UTC
Re: [Fedora-directory-users] Recovering Directory Server Admin Password
On Thu, Oct 16, 2008 at 10:10 AM, Eric Beda <ebeda@udsm.ac.tz> wrote:
> Hi,
>
> I've lost my directory server admin password, how do i recover it ?, so
> that i can manage the DS via GUI interface on the machine
If you mean the directory manager password check this link :
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

If you remember the password of your directory manager you can log in as directory manager through the console and change the admin user under o=netscaperoot, or you can perform the following :

$ slappasswd -v -c '$1$%.8s' -h {CRYPT}

run the above command and supply your new password, then copy the output

Then issue ldapmodify command:

$ ldapmodify -x -h localhost -D "cn=Directory Manager" -W
dn: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
changetype: modify
replace: userPassword
userPassword: 'paste clipboard'

> Help Please
--
Diaa Radwan
http://fossology.net
I enabled loglevel 8192 in error log of FDS

linux2.test2.com is FDS and LABDC01 is ADC

I created sync agreement between LDAP:636 and ADC:636 , but in logs it shows still *ldap://linux2.test2.com:389* ---

---- error of FDS ----

[16/Oct/2008:07:33:15 -0700] - acquire_replica, supplier RUV is newer
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Cancelling linger on the connection
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: ready_to_acquire_replica -> sending_updates
[16/Oct/2008:07:33:15 -0700] - csngen_adjust_time: gen state before 48f750ab0003:1224167595:0:0
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Consumer RUV:
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 ldap://linux2.test2.com:389} 48f3772f0000014d0000 48f74f7b0013014d0000 48f74f7b
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Supplier RUV:
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 *ldap://linux2.test2.com:389*} 48f3772f0000014d0000 48f750ab0001014d0000 48f750ab
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - session start: anchorcsn=48f74f7b0013014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=Vedant" (LABDC01:636): CSN 48f74f7b0013014d0000 found, position set for replay
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - load=1 rec=1 csn=48f750ab0001014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Looking at modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" (ours,user,not group)
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=vramani,ou=People, dc=tf-lab,dc=test2,dc=com" guid="f96921fe188c4b47a243ab088512103d"
[16/Oct/2008:07:33:15 -0700] - Calling windows entry search request plugin
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the connection
[16/Oct/2008:07:33:15 -0700] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: return code 0 from search for AD entry dn="<GUID=f96921fe188c4b47a243ab088512103d>" or dn="CN=vipul r,CN=Users,DC=tf-lab,DC=test2,DC=com"
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Processing modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" remote dn="<GUID=f96921fe188c4b47a243ab088512103d>"
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - clcache_load_buffer: rc=-30989
-----

i see this *"Linger time out has expired the connection"*

[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the connection*
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer

Any clue?
On Wed, Oct 15, 2008 at 2:15 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
>
> Hi Rich ,
>
> But i can login and changed the password of ADC users. :(
>
> is there any other way to debug in to the deep ??? Kindly suggest i am
> ready ....
>
> I'm not sure, but I think this means that there were no passwords to sync
> from AD to Fedora DS. It keeps a queue of passwords to send in a file
> (encrypted).
>
> Regards
> Vipul Ramani
>
--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-16 22:10 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> I enabled loglevel 8192 in error log of FDS
>
> linux2.test2.com is FDS and LABDC01 is ADC
>
> I created sync agreement between LDAP:636 and ADC:636 , but in logs it
> shows still *ldap://linux2.test2.com:389* ---
That's just the "name" of the agreement not the actual protocol and port used to connect. It looks as though the code is successfully connecting to AD.
> ---- error of FDS ----
>
> i see this *"Linger time out has expired the connection"*
>
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the connection*
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer
>
> Any clue?
That's normal. I don't see any errors here.
Hey Rich ,

Do I really need *Password policy @ Active directory and Password policy @ FDS to be the same .... is that what i am missing ...*

On Thu, Oct 16, 2008 at 2:44 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> I enabled loglevel 8192 in error log of FDS
>
> linux2.test2.com is FDS and LABDC01 is ADC
>
> I created sync agreement between LDAP:636 and ADC:636 , but in logs it
> shows still *ldap://linux2.test2.com:389* ---
>
> ---- error of FDS ----
>
> i see this *"Linger time out has expired the connection"*
>
> Any clue?
--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-17 22:42 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Hey Rich ,
>
> Do I really need *Password policy @ Active directory and Password policy
> @ FDS to be the same .... is that what i am missing ...*
If you don't manually make them the same, then you run the risk that a password accepted on AD will be rejected on FDS, or vice versa.
Hi Rich ,

i have done setup from scratch ... again ... actually this is my ( 9th time i am testing... )

for CA - i generated certificate request from FDS and that CSR is signed by ADC - CA . Then i installed CA @ FDS ..

------------ error -- -------------
NSMMReplicationPlugin - agmt="cn=vedant" (labdc01:636): simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized)
------------

I have one question - I think ADC has StandAlone CA installed - not Enterprise CA ( i am not Windows Admin and i dont know much about ADC ) ...

so , to work PassSYN - FDS CSR must be signed by *"Enterprise CA"* ???

*and Any tip how do i check on win2003 ( x64 edition ) Enterprise CA is installed or not ???? ...*

thanks in adv to all ... FDS users ...

Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 14:14 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Hi Rich ,
>
> i have done setup from scratch ... again ... actually this is my ( 9th
> time i am testing... )
>
> for CA - i generated certificate request from FDS and that CSR is
> signed by ADC - CA . Then i installed CA @ FDS ..
>
> ------------ error -- -------------
> NSMMReplicationPlugin - agmt="cn=vedant" (labdc01:636): simple bind
> failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape
> Portable Runtime error -8179 (Peer's Certificate issuer is not recognized)
How did you install the MS CA cert into Fedora DS?
certutil -L -d /etc/dirsrv/slapd-instancename
> ------------
>
> I have one question - I think ADC has StandAlone CA installed - not
> Enterprise CA ( i am not Windows Admin and i dont know much about ADC ) ...
>
> so , to work PassSYN - FDS CSR must be signed by *"Enterprise CA"* ???
>
> *and Any tip how do i check on win2003 ( x64 edition ) Enterprise CA
> is installed or not ???? ...*
I've only used Enterprise CA, because if you do that, AD will automatically get an SSL server cert. Otherwise, I'm not sure how to configure AD to be an SSL server. Note that we only provide a 32-bit binary for passsync. I have no idea if it will work on 64-bit Windows - we've never tested that. The code is all open source though, and should be buildable with the free microsoft visual studio C++.
> thanks in adv to all ... FDS users ...
>
> Regards
> Vipul Ramani
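The thread shows two kinds of NSMMReplicationPlugin message for the Windows sync agreement: connection linger and state-transition lines, which Rich calls normal, and a failed simple bind reporting NSPR error -8179, which is a real TLS trust failure (the supplier does not trust the issuer of AD's server certificate). The POSIX shell script below is an added example, not code from the thread or from Fedora Directory Server: it triages error-log lines into those two classes and pulls out the NSPR code. Its log lines are constructed from the messages quoted in the thread (the timestamp on the bind-failure line is invented), and the name SEC_ERROR_UNKNOWN_ISSUER for -8179 is NSS's own error name.

```shell
#!/bin/sh
# Added example (not from the thread): triage FDS/389-ds error-log lines
# for a Windows sync agreement into benign housekeeping and real bind
# failures.  Sample lines are constructed from the thread; the 19 Oct
# timestamp is made up.
SAMPLE_LOG=$(cat <<'EOF'
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the connection
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer
[19/Oct/2008:22:05:01 -0700] NSMMReplicationPlugin - agmt="cn=vedant" (labdc01:636): simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized)
EOF
)

# Lines that only describe the agreement's idle-connection housekeeping:
# linger start/expiry, state machine transitions, and the disconnect that
# follows an expired linger.  These are expected between update sessions.
benign_lines() {
    printf '%s\n' "$1" |
        grep -E '[Ll]inger|State: [a-z_]+ -> [a-z_]+|Disconnected from the consumer' || true
}

# Lines showing that the supplier could not bind to AD at all.
bind_failures() {
    printf '%s\n' "$1" | grep -E 'simple bind failed|LDAP sdk error [0-9]+' || true
}

# Extract the NSPR/NSS error number (e.g. -8179) from a failure line;
# prints nothing if the line carries none.
nspr_error_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*Netscape Portable Runtime error \(-\{0,1\}[0-9]\{1,\}\).*/\1/p'
}

# Map the codes this script knows about to NSS's error names.  Only the
# code seen in the thread is listed; anything else is reported as unknown.
nspr_error_name() {
    case "$1" in
        -8179) echo "SEC_ERROR_UNKNOWN_ISSUER (peer cert issuer not trusted: import the issuing CA cert)" ;;
        *)     echo "unknown NSPR error $1" ;;
    esac
}

# Overall verdict for a log excerpt: FAIL if any bind failure is present,
# OK if only housekeeping lines were seen.
triage() {
    if [ -n "$(bind_failures "$1")" ]; then
        echo "FAIL"
    else
        echo "OK"
    fi
}

# Stand-alone run: summarise the constructed sample.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf 'benign lines: %s\n' "$(benign_lines "$SAMPLE_LOG" | wc -l | tr -d ' ')"
    bind_failures "$SAMPLE_LOG" | while IFS= read -r line; do
        code=$(nspr_error_code "$line")
        printf 'bind failure, NSPR %s: %s\n' "$code" "$(nspr_error_name "$code")"
    done
    printf 'verdict: %s\n' "$(triage "$SAMPLE_LOG")"
fi
```

Pointed at a real error log (`triage "$(cat /var/log/dirsrv/slapd-instancename/errors)"`, path assumed to follow the instance layout used in the thread) the verdict separates the noise Rich dismissed from the failure that actually blocked the agreement.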
Hi Rich ,

I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.

> How did you install the MS CA cert into Fedora DS?
> certutil -L -d /etc/dirsrv/slapd-instancename
>
> I've only used Enterprise CA, because if you do that, AD will
> automatically get an SSL server cert. Otherwise, I'm not sure how to
> configure AD to be an SSL server. Note that we only provide a 32-bit
> binary for passsync. I have no idea if it will work on 64-bit Windows
> - we've never tested that. The code is all open source though, and
> should be buildable with the free microsoft visual studio C++.

On Sun, Oct 19, 2008 at 10:21 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> Hi Rich ,
>
> i have done setup from scratch ... again ... actually this is my ( 9th
> time i am testing... )
>
> for CA - i generated certificate request from FDS and that CSR is
> signed by ADC - CA . Then i installed CA @ FDS ..
>
> ------------ error -- -------------
> NSMMReplicationPlugin - agmt="cn=vedant" (labdc01:636): simple bind
> failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape
> Portable Runtime error -8179 (Peer's Certificate issuer is not recognized)
> ------------
>
> I have one question - I think ADC has StandAlone CA installed - not
> Enterprise CA ( i am not Windows Admin and i dont know much about ADC ) ...
>
> so , to work PassSYN - FDS CSR must be signed by *"Enterprise CA"* ???
>
> *and Any tip how do i check on win2003 ( x64 edition ) Enterprise CA
> is installed or not ???? ...*
>
> thanks in adv to all ... FDS users ...
>
> Regards
> Vipul Ramani
--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 18:19 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Hi Rich ,
>
> I installed from Fedora console - i copied MS CA on Window box then i
> did install using Fedora directory Console.
certutil -L -d /etc/dirsrv/slapd-instancename
Vipul Ramani wrote:
Hi Rich ,
I installed from Fedora console - i copied MS CA on Window box then i
did install using Fedora directory Console.
certutil -L -d /etc/dirsrv/slapd-instancename
[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CTu,u,u
Server-Cert                                                  u,u,u
linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA
[root@linux2 ~]#
And Sample profile which is replicated from ADC
dn: uid=vramani, ou=People, dc=tf-lab,dc=test2,dc=com
ntUniqueId: f6bcff406f334d46824236fc82f2b762
ntUserLastLogoff: 0
givenName: vipul
sn: ramani
ntUserParms:: bSAgICAgICAgICAgICAgICAgICAgIGQBICAgICAgICAgICAgICAgICAgICAgICA
 gUAQaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C
 5EggBQ3R4U2hhZG9345Cw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44Sw
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
uid: vramani
ntUserDeleteAccount: true
cn: vipul ramani
ntUserLastLogon: 128687513442500000
ntUserDomainId: vramani
ntUserAcctExpires: 9223372036854775807
ntUserCodePage: 0
Rich Megginson
2008-Oct-20 18:42 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> [root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA                                                           CTu,u,u
> Server-Cert                                                  u,u,u
> linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA
> [root@linux2 ~]#
Which one is the MS CA cert? The MS CA cert is required.
Rich, I'll tell you how I did it: https://localhosts/certsrv/ ---> download cert in DER form and imported in FDS console ...

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname   Trust Attributes
                       SSL,S/MIME,JAR/XPI

CA                     CTu,u,u
Server-Cert            u,u,u
linux2                 CTu,u,u <-- this Cert is signed by ADC CA
labdc01                CT,,    <---- MS CA Cert

Sorry, I missed the last line in my last email. But no luck ...

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 19:00 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Rich, I'll tell you how I did it: https://localhosts/certsrv/ ---> download cert in DER form and imported in FDS console ...
>
> [root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2
>
> Certificate Nickname   Trust Attributes
>                        SSL,S/MIME,JAR/XPI
>
> CA                     CTu,u,u

What is this CA?

certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"

> Server-Cert            u,u,u
> linux2                 CTu,u,u <-- this Cert is signed by ADC CA

certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"

Make sure the subjectDN starts with cn=fqdn where fqdn is the FQDN of linux2

> labdc01                CT,,    <---- MS CA Cert
>
> Sorry, I missed the last line in my last email. But no luck ...

A good way to test TLS/SSL is to use ldapsearch:

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

If that works, then you have the CA installed correctly, and the AD server cert is correct.
CA is a self-signed certificate generated by Linux2 itself.
[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"
Certificate Nickname   Trust Attributes
                       SSL,S/MIME,JAR/XPI
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Fri Oct 17 15:11:18 2008
Not After : Wed Oct 17 15:11:18 2018
Subject: "CN=CAcert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c8:40:4b:86:0b:70:3d:5d:6a:f6:f4:a5:86:e9:1c:98:
d0:dd:19:31:e3:b8:18:3b:0a:c8:9f:83:33:98:cd:98:
54:83:9d:73:97:69:04:26:b8:75:4a:95:7e:ed:92:62:
51:2c:70:8a:a6:f2:a6:8b:b5:c6:53:d3:f8:cc:01:c9:
e8:78:55:1f:69:e3:c4:5c:5e:e8:a6:bf:dc:53:ac:a6:
ce:75:14:98:2f:a7:c0:da:ae:be:5d:91:e6:f2:96:84:
02:a0:ec:df:e4:de:91:25:2d:65:d8:bd:79:3d:07:ea:
8c:9f:9e:5b:ee:04:a3:18:2e:98:c6:ab:15:a1:d5:d9
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
55:bd:f2:f7:37:e5:60:e0:87:20:a7:d7:69:b2:eb:79:
e6:98:7e:72:f1:b1:dc:11:08:94:fd:c3:56:a8:14:37:
2b:1b:cd:bc:05:3d:54:45:73:7f:b2:dc:f8:f1:f4:44:
61:25:54:c6:e2:c2:68:1f:d7:cc:d3:37:16:37:98:b8:
37:c3:7e:49:48:12:58:17:26:fe:87:bc:d4:ef:ee:6b:
5d:35:1f:1f:72:a5:5e:6b:b7:94:e6:c3:63:7c:2a:24:
4c:43:39:cd:74:7b:56:08:15:f9:85:3f:ed:c9:ba:01:
88:d0:90:84:1d:e6:0e:84:7f:83:8e:bf:9e:9a:b2:a3
Fingerprint (MD5):
2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C
Fingerprint (SHA1):
06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
User
Object Signing Flags:
User
[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
Certificate Nickname   Trust Attributes
                       SSL,S/MIME,JAR/XPI
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:fc:4e:02:00:00:00:00:00:16
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
Validity:
Not Before: Fri Oct 17 23:35:13 2008
Not After : Sun Oct 17 23:35:13 2010
Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
da:db:9b:d8:c2:aa:42:4e:85:69:b2:0a:19:46:87:2d:
67:e6:4b:9b:4d:97:96:6a:e3:bf:90:c2:ab:a7:0d:17:
--removed-some-part---
24:72:dc:18:5c:7e:1a:16:b3:bd:38:1b:0a:0f:a6:48:
ae:4e:ef:5a:eb:cd:12:6f:5e:16:8f:6c:ce:ff:fa:71
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
c0:b2:4f:d3
Name: Certificate Authority Key Identifier
Key ID:
83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
11:9e:ec:f9
Name: CRL Distribution Points
URI: "ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint"
URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.crl"
Name: Authority Information Access
Method: PKIX CA issuers access method
Location:
URI: "ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?cACertificate?base?objectClass=certificationAuthority"
Method: PKIX CA issuers access method
Location:
URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.tf-lab.test2.com_labdc01.crt"
Name: Microsoft Enrollment Cert Type Extension
Data: "WebServer"
Name: Certificate Basic Constraints
Critical: True
Data: Is not a CA.
Name: Certificate Key Usage
Usages: Digital Signature
Key Encipherment
Name: Extended Key Usage
TLS Web Server Authentication Certificate
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
0b:f7:2f:25:e5:99:aa:27:59:5d:76:96:5a:64:0b:a7:
91:7d:48:49:fd:a8:46:db:cc:39:7b:97:34:94:3c:0c:
7c:fe:4d:f7:99:5e:da:a6:7d:53:5c:36:ba:ed:a7:05:
60:04:2a:76:6e:02:75:a0:1c:59:bd:ad:82:db:fc:61:
--removed some--part--
6d:11:23:4c:77:60:18:ec:fd:47:63:72:d3:00:ee:04:
c2:01:3a:d8:dc:f1:4b:55:c5:7a:39:09:83:9b:09:bd:
65:64:4c:6f:8d:19:86:94:95:76:1b:07:08:ad:03:70
Fingerprint (MD5):
BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
Fingerprint (SHA1):
89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
User
Object Signing Flags:
User
/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

When I do this I am getting a core dump ... :((
Rich Megginson
2008-Oct-20 19:35 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> CA is a self-signed certificate generated by Linux2 itself.
>
> [root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
>
> Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
> Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"

This is not correct. Instead of CN=linux2, you should have CN=linux2.tf-lab.test2.com or whatever your domain is. Although I don't think this is the cause of the failure to connect.

> /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"
>
> When I do this I am getting a core dump ... :((

Sorry, try

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2/cert8.db -3 -s base -b "" "objectclass=*"
I think we are heading to a solution ... do I need to re-install the certificate in PassSync again ??? after we install a new CSR with FQDN ... ???

[root@linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h labdc01.tf-lab.test2.com -p 636 -Z -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" "objectclass=*"
ldapsearch: started Mon Oct 20 06:18:20 2008

ldap_init( labdc01.tf-lab.test2.com, 636 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: objectclass=*
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
currentTime: 20081020202134.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=tf-lab,DC=tribal fusion,DC=com
dsServiceName: CN=NTDS Settings,CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=tf-lab,DC=test2,DC=com
namingContexts: CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=DomainDnsZones,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=ForestDnsZones,DC=tf-lab,DC=test2,DC=com
defaultNamingContext: DC=tf-lab,DC=test2,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com
configurationNamingContext: CN=Configuration,DC=tf-lab,DC=test2,DC=com
rootDomainNamingContext: DC=tf-lab,DC=test2,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.1948
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 90680
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: labdc01.tf-lab.test2.com
ldapServiceName: tf-lab.test2.com:labdc01$@TF-LAB.TEST2.COM
serverName: CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2

[root@linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors
[root@linux2 slapd-linux2]#

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 20:57 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> I think we are heading to a solution ...
>
> do I need to re-install the certificate in PassSync again ??? after we install a new CSR with FQDN ... ???

No, at least, not yet. The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN. Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?

> [root@linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h labdc01.tf-lab.test2.com -p 636 -Z -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" "objectclass=*"
> ldapsearch: started Mon Oct 20 06:18:20 2008
>
> ldap_init( labdc01.tf-lab.test2.com, 636 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> filter pattern: objectclass=*
> returning: ALL
> filter is: (objectclass=*)
> version: 1
> dn:
> currentTime: 20081020202134.0Z
> dnsHostName: labdc01.tf-lab.test2.com
>
> [root@linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors
> [root@linux2 slapd-linux2]#
Hi Rich,

> The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN.

In the winsync agreement I used the FQDN ...

> Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?

Yes, you are right, it is a symlink: /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db is a symlink to /etc/dirsrv/slapd-linux2/cert8.db ....

Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 21:38 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Hi Rich,
>
>> The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN.
>
> In the winsync agreement I used the FQDN ...
>
>> Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?
>
> Yes, you are right, it is a symlink: /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db is a symlink to /etc/dirsrv/slapd-linux2/cert8.db ....

The original error is this:
https://www.redhat.com/archives/fedora-directory-users/2008-October/msg00056.html

NSMMReplicationPlugin - agmt="cn=vedant" (labdc01:636): simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recoginzed)

That usually means that Fedora DS cannot verify the AD SSL server cert. This is usually because Fedora DS doesn't have or trust the CA cert of the CA that issued the AD SSL cert. The Peer in this case is the AD SSL server; the issuer is the CA that issued the AD SSL server cert. I'm not sure what the problem could be.

> Regards
> Vipul Ramani
Look, new error ...

20/Oct/2008:06:36:22 -0700] conn=4 op=92 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test2,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0
[20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Oct/2008:06:44:34 -0700] conn=5 op=111 RESULT err=0 tag=101 nentries=1 etime=0
[20/Oct/2008:06:44:35 -0
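An added example (not code from the thread or the Fedora DS project) for triaging access-log lines like the ones above: it pairs each SSL accept with the op=-1 close on the same conn id, so a connection that never got past the TLS handshake is reported with its peer and the server's stated reason, and repeated CA-trust rejections from one peer are counted. The sample lines are constructed from the ones quoted in this message; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the access log lines quoted in the thread.
SAMPLE_ACCESS_LOG = """\
[20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0
[20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
"""

CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')  # "[ts] conn=N rest"
SSL_OPEN_RE = re.compile(r'SSL connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+)')  # accept on SSL port
# op=-1 means the connection died before any LDAP op; the text after "closed - " is the TLS reason.
CLOSED_RE = re.compile(r'op=-1 fd=\d+ closed - (?P<reason>.+?)\.?$')


def find_tls_failures(log_text):
    """Pair each SSL accept with a later op=-1 close on the same conn id and
    return one record per connection that never got past the TLS handshake."""
    opened = {}  # conn id -> (timestamp, src, dst) while the connection is still open
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')
        o = SSL_OPEN_RE.search(rest)
        if o:
            opened[conn] = (m.group('ts'), o.group('src'), o.group('dst'))
            continue
        c = CLOSED_RE.search(rest)
        if c and conn in opened:
            ts, src, dst = opened.pop(conn)
            failures.append({'conn': conn, 'time': ts, 'src': src,
                             'dst': dst, 'reason': c.group('reason')})
    return failures


def summarize_by_peer(failures):
    """Count failures per (source address, reason): a CA-trust problem repeats
    the same reason from the same peer on every retry of the sync agreement."""
    counts = defaultdict(int)
    for f in failures:
        counts[(f['src'], f['reason'])] += 1
    return dict(counts)


if __name__ == '__main__':
    print(summarize_by_peer(find_tls_failures(SAMPLE_ACCESS_LOG)))
```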
Rich Megginson
2008-Oct-20 22:17 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Look, new error ...
>
> 20/Oct/2008:06:36:22 -0700] conn=4 op=92 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test2,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> [20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
> [20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
> [20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
> [20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.

I'm not sure what this means - are you trying to use SSL client cert auth or simple bind?

> [20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [20/Oct/2008:06:44:34 -0700] conn=5 op=111 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Oct/2008:06:44:35 -0
Yes, I am using simple authentication, NOT SSL-based client auth ..

Any plans for PassSync support for 64-bit OS???

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-20 23:04 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Yes, I am using simple authentication, NOT SSL-based client auth ..

I don't understand why you're getting the peer cert error then. Try enabling the replication log level - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting - to get some more detail about the bind procedure.

> Any plans for PassSync support for 64-bit OS???

No. No plans currently.

> --
> Regards
> Vipul Ramani
Already enabled 8192 log-level !!! ...

And what does it mean that 64-bit is not supported - does it mean the FDS community won't be able to support it, or that PassSync won't work at all !!! Can you please explain ...

Do you know any other piece of code which will replace PassSync so I can get out of this 64-bit limitation ???

On Mon, Oct 20, 2008 at 4:01 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
> Yes, I am using simple authentication, NOT SSL-based client auth ..
>
> Any plans for PassSync support for 64-bit OS???
>
> --
> Regards
> Vipul Ramani

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-21 01:41 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Already enabled 8192 log-level !!! ...
>
> And what does it mean that 64-bit is not supported - does it mean the FDS community won't be able to support it, or that PassSync won't work at all !!! Can you please explain ...

That means we don't have a 64-bit Windows development environment with which to develop and test 64-bit winsync. AFAIK, the code is 64-bit clean - it just needs to be built and tested.

> Do you know any other piece of code which will replace PassSync so I can get out of this 64-bit limitation ???

No, not that I know of.

> On Mon, Oct 20, 2008 at 4:01 PM, Vipul Ramani <vipulramani@gmail.com> wrote:
>> Yes, I am using simple authentication, NOT SSL-based client auth ..
>>
>> Any plans for PassSync support for 64-bit OS???
>>
>> --
>> Regards
>> Vipul Ramani
>
> --
> Regards
> Vipul Ramani
Rich,

Any luck?? What to do now ..

Is it possible to build 64-bit PassSync? I wish to use it ....

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-21 17:31 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Rich,
>
> Any luck?? What to do now ..

I'm not sure. It seems like some sort of SSL cert issuance or CA trust issue.

> Is it possible to build 64-bit PassSync? I wish to use it ....

Yes, it is possible for you to build it.

> --
> Regards
> Vipul Ramani
Then I am waiting for the PassSync 64-bit version.

On Tue, Oct 21, 2008 at 10:16 AM, Vipul Ramani <vipulramani@gmail.com> wrote:
> Rich,
>
> Any luck?? What to do now ..
>
> Is it possible to build 64-bit PassSync? I wish to use it ....
>
> --
> Regards
> Vipul Ramani

--
Regards
Vipul Ramani
Rich, do you think this problem is due to password policy?? But if we disable password policy on FDS, it must copy the data, right??? Or will it fail ..?? What do you say ...

Yes, we are getting a CA-related error .... [it does not say anything about password policy ....]

Can we do the initial winsync replication without the same password policy on ADC and FDS?? I guess it should work, since it is simple replication. What is your view???

As per the document, if the password policy is not the same on FDS and ADC, then if any password is changed on ADC it won't be replicated to FDS, right ....?

--
Regards
Vipul Ramani
Rich Megginson
2008-Oct-21 19:17 UTC
Re: [Fedora-directory-users] Re: SYNC without password ...
Vipul Ramani wrote:
> Rich, do you think this problem is due to password policy??

All of the problems I have seen so far are SSL related. So, no.

> But if we disable password policy on FDS, it must copy the data, right???

Right. If Fedora DS accepts the password change, it will attempt to replay it to AD, and vice versa.

> Or will it fail ..?? What do you say ...
>
> Yes, we are getting a CA-related error .... [it does not say anything about password policy ....]
>
> Can we do the initial winsync replication without the same password policy on ADC and FDS?? I guess it should work, since it is simple replication.
>
> What is your view???

Yes. You can sync everything except passwords.

> As per the document, if the password policy is not the same on FDS and ADC, then if any password is changed on ADC it won't be replicated to FDS, right ....?

Right. You could have a case where the password policy on FDS is more restrictive than on AD, or vice versa.

> --
> Regards
> Vipul Ramani