google(ing) for this - it basically says the same thing as you've stated.
Is there a way to fix this by hand, or is LDAP corrupted beyond fixing unless you uninstall and re-install?
Joe
From: Richard Megginson <rmeggins(a)redhat.com>
Reply-To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users(a)redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] LDAP Error
Date: Fri, 04 Aug 2006 14:04:23 -0600
Joe Sheehan wrote:
>Has anyone seen this before? Possible causes? Thanks Joe
>
>
>Start Slapd Server Config
>
>FATAL Slapd ERROR LDAP authentication failed for url:
>ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
>unknown error)
This usually indicates a problem with DNS or reverse DNS setup.
>
>Fatal slapd did not add directory server information into configuration
>server
>
>...
>
>
>
>
>>From: Richard Megginson <rmeggins(a)redhat.com>
>>Reply-To: "General discussion list for the Fedora Directory server
>>project." <fedora-directory-users(a)redhat.com>
>>To: "General discussion list for the Fedora Directory server project."
>><fedora-directory-users(a)redhat.com>
>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>ldapsearch.
>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>
>>One problem may be that you have to specify some additional option when
>>creating the MS CA cert or server certs issued by this CA. Is this a
>>root CA or did you get a CA certificate from somewhere else?
>>
>>Do this:
>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1- -L -n ad-cert
>>
>>Safonov Alexey wrote:
>>>Thanks Richard!
>>>
>>>In my opinion it is the certificate of the CA. You can see the details of
>>>how it was obtained in the screenshot (see the attached file).
>>>
>>>Safonov Alexey
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces(a)redhat.com
>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>>Megginson
>>>Sent: Friday, July 28, 2006 5:45 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>ldapsearch.
>>>
>>>
>>>Safonov Alexey wrote:
>>>
>>>>Thanks Richard!
>>>>
>>>>Now I start so:
>>>>[root@asterisk1 bin]# ./ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>
>>>>Also I receive an error:
>>>>
>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>
>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>ldaptool_getmodpath -- (null)
>>>>ldaptool_getdonglefilename -- (null)
>>>>ldap_simple_bind: Can't contact LDAP server
>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>
>>>>Though the certificate ad-cert (from Windows DC) is established. The
>>>>utility certutil and Fedora Management Console (Manage Certificates) shows it.
>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P slapd-asterisk1-
>>>>CA certificate CTu,u,u
>>>>server-cert u,u,u
>>>>Server-Cert u,u,u
>>>>ad-cert CT,C,C
>>>>
>>>>Help me!
>>>>
>>>>
>>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>>that issued the AD cert? An SSL client only needs to trust the CA cert
>>>of the issuer of the server certs it wants to use.
>>>
>>>>Safonov Alexey
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces(a)redhat.com
>>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>>>Megginson
>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>ldapsearch.
>>>>
>>>>
>>>>Safonov Alexey wrote:
>>>>
>>>>
>>>>>Hi !
>>>>>
>>>>>I ask to help to solve a problem with the utility ldapsearch.
>>>>>
>>>>>There is a problem carrying out synchronization between FDS and AD. I have done the
>>>>>following:
>>>>>1) Install FDS
>>>>>2) Configuring SSL Enabled FDS. For this purpose has started script
>>>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
>>>>>HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>3) Restart FDS.
>>>>> netstat -atupn | grep ns-
>>>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>4) Enable SSL on AD.
>>>>>Install Certificate Service
>>>>>Check util ldp.exe:
>>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>> Port - 636
>>>>> Checkbox "SSL"
>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>LDAP_VERSION3);
>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>Retrieving base DSA information...
>>>>>.....
>>>>>5) Import AD CA certificate in DER mode.
>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>>>slapd-asterisk1-
>>>>>CA certificate CTu,u,u
>>>>>server-cert u,u,u
>>>>>Server-Cert u,u,u
>>>>>ad-cert CT,C,C <- install this
>>>>>
>>>>>6) [root@asterisk1 alias]# ldapsearch -Z -P /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h rv-vm1.mup-example.vrn.ru -p 636 -D "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>
>>>>>
>>>>>
>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>openssl for crypto, which is completely different than NSS. You need to
>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>
>>>>
>>>>>Error:
>>>>>ldapsearch: unabel to parse protocol version
>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>
>>>>>Help me!
>>>>>Thanks
>>>>>
>>>>>------------------------------------------------------
>>>>>My Setup:
>>>>>
>>>>>Fedora Core 5 (i386)
>>>>>Fedora Directory Server 1.0.2
>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>------------------------------------------------------
>>>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
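The recurring question in this thread is whether the NSS certificate database actually trusts the CA that issued the AD server certificate, as opposed to merely containing it. The following parser is an added example, not code from the thread or from Fedora Directory Server: it reads the `certutil -L` listing in the format shown above (nickname followed by the three comma-separated trust groups for SSL, S/MIME and object signing), interprets the trust letters, and reports whether a given nickname can serve as a trust anchor for verifying a TLS server certificate. The sample listing is constructed from the thread's output plus one hypothetical entry, `imported-but-untrusted`, to show the "present but not trusted" case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# NSS certutil trust letters relevant to a TLS client checking a server cert.
TRUST_LETTERS = {
    "C": "trusted CA, may issue server certificates",
    "T": "trusted CA, may issue client certificates",
    "c": "valid CA, but not trusted",
    "P": "trusted peer (explicitly trusted leaf certificate)",
    "p": "valid peer",
    "u": "user certificate (private key present in the key DB)",
}

# One trust group per slot: SSL, S/MIME, JAR/XPI (object signing).
_FLAGS_RE = re.compile(r"^([pPcCTuwW]*),([pPcCTuwW]*),([pPcCTuwW]*)$")

# Constructed sample: the thread's listing, with the usual certutil header
# and one hypothetical entry that is present but not trusted.
SAMPLE_LISTING = """
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CA certificate                                    CTu,u,u
server-cert                                       u,u,u
Server-Cert                                       u,u,u
ad-cert                                           CT,C,C
imported-but-untrusted                            c,,
"""


@dataclass
class CertEntry:
    nickname: str
    ssl: str      # trust letters for the SSL slot
    email: str    # trust letters for the S/MIME slot
    objsign: str  # trust letters for the object-signing slot


def parse_certutil_list(text: str) -> Dict[str, CertEntry]:
    """Parse `certutil -L` output into nickname -> CertEntry.

    Nicknames may contain spaces ("CA certificate"), so the first token that
    looks like a trust-attribute triple ends the nickname; anything after it
    (such as an annotation) is ignored. Header lines never match the triple
    pattern and are skipped.
    """
    entries: Dict[str, CertEntry] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        for i, tok in enumerate(tokens):
            m = _FLAGS_RE.match(tok)
            if m and i > 0:
                nick = " ".join(tokens[:i])
                entries[nick] = CertEntry(nick, *m.groups())
                break
    return entries


def describe(entry: CertEntry) -> List[str]:
    """Human-readable meaning of the SSL-slot trust letters of one entry."""
    return [TRUST_LETTERS[ch] for ch in entry.ssl if ch in TRUST_LETTERS]


def diagnose(entries: Dict[str, CertEntry], issuer_nick: str) -> str:
    """Classify a nickname as a server-auth trust anchor.

    'trusted'   : has 'C' in the SSL slot, so certs it issued will verify.
    'untrusted' : present, but without 'C' (e.g. only 'c' or 'u'); a
                  server cert issued by it fails with an issuer error.
    'missing'   : not in the database at all.
    """
    entry = entries.get(issuer_nick)
    if entry is None:
        return "missing"
    return "trusted" if "C" in entry.ssl else "untrusted"


def can_verify_server_cert(entries: Dict[str, CertEntry], issuer_nick: str) -> bool:
    return diagnose(entries, issuer_nick) == "trusted"


if __name__ == "__main__":
    db = parse_certutil_list(SAMPLE_LISTING)
    for nick in ("ad-cert", "server-cert", "imported-but-untrusted", "not-there"):
        print(f"{nick:24} {diagnose(db, nick):10} {describe(db[nick]) if nick in db else ''}")
```

A listing is usually produced with `certutil -L -d <dir> -P <prefix>` and then fed to `parse_certutil_list`; an `untrusted` result for the CA that signed the server certificate is the symptom to look for, and the trust attributes of an imported CA can be set with `certutil -M -n <nickname> -t "CT,C,C" -d <dir>`. The parser only reports on the SSL slot, because that is the slot an LDAPS client consults; the S/MIME and object-signing slots are parsed but left uninterpreted.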