Thank you David.
Anyone able to address the other questions about ssl? I was able to use
the system version of ldapsearch to connect securely to my domain
controller from the FDS box. I can also connect the same way to FDS. I
have read that the -81 error means that there is a problem with my
server cert, or the ca cert that was used to create it. I have 2 server
certs signed by different CAs (nothing self-signed), and I have tried
them both. The CA certs are installed, and seem to be fine. I even
exported one to use on the local openldap in order to test connections to
the domain controller without a problem.
Is FDS dependent on specific versions of libssl3.so or ?... The thing
that confuses me the most is that it all seems to be working fine in
every other case. I am still not sure there isn't a problem with my
Win2003 domain controller...
Ack!
>Date: Tue, 31 Jan 2006 15:17:18 -0500
>From: Daniel Shackelford <dshackel(a)arbor.edu>
>Subject: [Fedora-directory-users] Hosed sync with AD
>To: FedoraUsers <fedora-directory-users(a)redhat.com>
>Message-ID: <43DFC5CE.1050909(a)arbor.edu>
>
>Hello...
>
>Earlier this month we had an issue with one of our domain controllers
>(Win2003) and took it down. It was the one the directory server was
>pointing to for synchronization. Ever since then, no sync has occurred
>and I am back to getting the
>
>-81 (Peer's Certificate issuer is not recognized.)
>
>I have checked the DC, and all looks well. We were merely moving the
>logs to another volume, so it should not have an effect on ldap
>connections. I did some fiddling and at one point I removed the native
>java since I had installed the IBM version. Jessie depended on it, so
>that was removed as well. I have since gotten new certs and CA certs,
>and installed them, but still no luck on the connection. Certutil no
>longer worked, so I installed mozilla-nss, and now it does not work
>for other reasons:
>
>NSS_Initialize failed: An I/O error occurred during security authorization.
>
>All certificate management via the console seems to work fine...
>
>So, my questions are:
>
>Is there a way to get my ssl libraries so they line up with what FDS wants?
>Was jessie even involved in this issue?
>I already have all our data in this directory, so is there a way for me
>to get this thing syncing again without a wipe and reinstall?
>If I delete the sync agreement, and create a new one, what happens on
>the first sync? Will it just pick up where it left off, or will it
>choke on all the objects that were a part of the previous sync
>agreement? Will I have problems with my data since it has been over 10
>days since the last sync?