6:41 a.m.
Hi !
I ask to help to solve a problem with the utility ldapsearch.
is a problem to carry out synchronization between FDS and AD. Has made the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
Port - 636
Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C <- install this
6) [root@asterisk1 alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
Help my!
Thanks
------------------------------------------------------
My Setup:
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------
10:35 a.m.
Safonov Alexey wrote:
Hi !
I ask to help to solve a problem with the utility ldapsearch.
is a problem to carry out synchronization between FDS and AD. Has made the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
Port - 636
Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C <- install this
6) [root@asterisk1 alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
Help my!
Thanks
------------------------------------------------------
My Setup:
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
11:12 a.m.
Thanks Richard!
Has absolutely forgotten, that the openldap-client is established.
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
Hi !
I ask to help to solve a problem with the utility ldapsearch.
is a problem to carry out synchronization between FDS and AD. Has made the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
Port - 636
Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C <- install this
6) [root@asterisk1 alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
Help my!
Thanks
------------------------------------------------------
My Setup:
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
7:40 a.m.
Thanks Richard!
Now I start so:
[root@asterisk1 bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w mupAdmin02 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
Also I receive a error:
ldapsearch: started Fri Jul 28 16:21:39 2006
ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8156 (Issuer certificate is invalid.)
Though the certificate ad-cert (from Windows DC) is established. The utility
certutil and Fedora Management Console (Manage Certificates) shows it.
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C
Help my!
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
Hi !
I ask to help to solve a problem with the utility ldapsearch.
is a problem to carry out synchronization between FDS and AD. Has made the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
Port - 636
Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C <- install this
6) [root@asterisk1 alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
Help my!
Thanks
------------------------------------------------------
My Setup:
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
8:44 a.m.
Safonov Alexey wrote:
Thanks Richard!
Now I start so:
[root@asterisk1 bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w mupAdmin02 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
Also I receive a error:
ldapsearch: started Fri Jul 28 16:21:39 2006
ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8156 (Issuer certificate is invalid.)
Though the certificate ad-cert (from Windows DC) is established. The utility
certutil and Fedora Management Console (Manage Certificates) shows it.
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C
Help my!
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert
of the issuer of the server certs it wants to use.
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
> Hi !
>
> I ask to help to solve a problem with the utility ldapsearch.
>
> is a problem to carry out synchronization between FDS and AD. Has made the
> following:
> 1) Install FDS
> 2) Configuring SSL Enabled FDS. For this purpose has started script
> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
> 3) Restart FDS.
> netstat -atupn | grep ns-
> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
> 4) Enable SSL on AD.
> Install Certificate Service
> Check util ldp.exe:
> Connected param: Server- srv-vm1.mup-example.vrn.ru
> Port - 636
> Checkbox "SSL"
> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
> LDAP_VERSION3);
> Error <0x0> = ldap_connect(hLdap, NULL);
> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
> Host supports SSL, SSL cipher strength = 128 bits
> Established connection to srv-vm1.mup-example.vrn.ru.
> Retrieving base DSA information...
> .....
> 5) Import AD CA certificate in DER mode.
> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C <- install this
>
> 6) [root@asterisk1 alias]# ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>
>
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
> Error:
> ldapsearch: unabel to parse protocol version
> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>
> Help my!
> Thanks
>
> ------------------------------------------------------
> My Setup:
>
> Fedora Core 5 (i386)
> Fedora Directory Server 1.0.2
> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
> ------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
10:05 a.m.
Thanks Richard!
In my opinion it the certificate of the CA. Certificates you can see details
of reception of it on a screenshot (see the attached file)
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
Thanks Richard!
Now I start so:
[root@asterisk1 bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
Also I receive a error:
ldapsearch: started Fri Jul 28 16:21:39 2006
ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8156 (Issuer certificate is invalid.)
Though the certificate ad-cert (from Windows DC) is established. The
utility
certutil and Fedora Management Console (Manage Certificates) shows
it.
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C
Help my!
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert
of the issuer of the server certs it wants to use.
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
> Hi !
>
> I ask to help to solve a problem with the utility ldapsearch.
>
> is a problem to carry out synchronization between FDS and AD. Has made
the
> following:
> 1) Install FDS
> 2) Configuring SSL Enabled FDS. For this purpose has started script
> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
from
> HOWTO "Howto:SSL"
(http://directory.fedora.redhat.com/wiki/Howto:SSL)
> 3) Restart FDS.
> netstat -atupn | grep ns-
> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
> 4) Enable SSL on AD.
> Install Certificate Service
> Check util ldp.exe:
> Connected param: Server- srv-vm1.mup-example.vrn.ru
> Port - 636
> Checkbox "SSL"
> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
> LDAP_VERSION3);
> Error <0x0> = ldap_connect(hLdap, NULL);
> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
> Host supports SSL, SSL cipher strength = 128 bits
> Established connection to srv-vm1.mup-example.vrn.ru.
> Retrieving base DSA information...
> .....
> 5) Import AD CA certificate in DER mode.
> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C <- install this
>
> 6) [root@asterisk1 alias]# ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>
>
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
> Error:
> ldapsearch: unabel to parse protocol version
> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>
> Help my!
> Thanks
>
> ------------------------------------------------------
> My Setup:
>
> Fedora Core 5 (i386)
> Fedora Directory Server 1.0.2
> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
> ------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
10:25 a.m.
Thanks Richard!
In my opinion it the certificate of the CA. Certificates you can see details
of reception of it on a screenshot (see the attached file)
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
Thanks Richard!
Now I start so:
[root@asterisk1 bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
Also I receive a error:
ldapsearch: started Fri Jul 28 16:21:39 2006
ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -8156 (Issuer certificate is invalid.)
Though the certificate ad-cert (from Windows DC) is established. The
utility
certutil and Fedora Management Console (Manage Certificates) shows
it.
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
ad-cert CT,C,C
Help my!
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert
of the issuer of the server certs it wants to use.
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
> Hi !
>
> I ask to help to solve a problem with the utility ldapsearch.
>
> is a problem to carry out synchronization between FDS and AD. Has made
the
> following:
> 1) Install FDS
> 2) Configuring SSL Enabled FDS. For this purpose has started script
> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
from
> HOWTO "Howto:SSL"
(http://directory.fedora.redhat.com/wiki/Howto:SSL)
> 3) Restart FDS.
> netstat -atupn | grep ns-
> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
> 4) Enable SSL on AD.
> Install Certificate Service
> Check util ldp.exe:
> Connected param: Server- srv-vm1.mup-example.vrn.ru
> Port - 636
> Checkbox "SSL"
> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
> LDAP_VERSION3);
> Error <0x0> = ldap_connect(hLdap, NULL);
> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
> Host supports SSL, SSL cipher strength = 128 bits
> Established connection to srv-vm1.mup-example.vrn.ru.
> Retrieving base DSA information...
> .....
> 5) Import AD CA certificate in DER mode.
> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C <- install this
>
> 6) [root@asterisk1 alias]# ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>
>
That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS. You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
> Error:
> ldapsearch: unabel to parse protocol version
> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>
> Help my!
> Thanks
>
> ------------------------------------------------------
> My Setup:
>
> Fedora Core 5 (i386)
> Fedora Directory Server 1.0.2
> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
> ------------------------------------------------------
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
> Error:
> ldapsearch: unabel to parse protocol version
> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>
> Help my!
> Thanks
>
> ------------------------------------------------------
> My Setup:
>
> Fedora Core 5 (i386)
> Fedora Directory Server 1.0.2
> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
> ------------------------------------------------------
10:45 a.m.
One problem may be that you have to specify some additional option when
creating the MS CA cert or server certs issued by this CA. Is this a
root CA or did you get a CA certificate from somewhere else?
Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
slapd-asterisk1- -L -n ad-cert
Safonov Alexey wrote:
Thanks Richard!
In my opinion it the certificate of the CA. Certificates you can see details
of reception of it on a screenshot (see the attached file)
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, July 28, 2006 5:45 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Safonov Alexey wrote:
> Thanks Richard!
>
> Now I start so:
> [root@asterisk1 bin]# ./ldapsearch -Z -P
> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
> rv-vm1.mup-example.vrn.ru -p 636 -D
> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>
> Also I receive a error:
>
> ldapsearch: started Fri Jul 28 16:21:39 2006
>
> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_simple_bind: Can't contact LDAP server
> SSL error -8156 (Issuer certificate is invalid.)
>
> Though the certificate ad-cert (from Windows DC) is established. The
>
utility
> certutil and Fedora Management Console (Manage Certificates) shows it.
> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
> slapd-asterisk1-
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
> ad-cert CT,C,C
>
> Help my!
>
>
Is ad-cert the certificate of the AD server or the certificate of the CA
that issued the AD cert? An SSL client only needs to trust the CA cert
of the issuer of the server certs it wants to use.
> Safonov Alexey
>
> -----Original Message-----
> From: fedora-directory-users-bounces(a)redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
> Megginson
> Sent: Thursday, July 27, 2006 7:36 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Error at work of the utility
> ldapsearch.
>
>
> Safonov Alexey wrote:
>
>
>> Hi !
>>
>> I ask to help to solve a problem with the utility ldapsearch.
>>
>> is a problem to carry out synchronization between FDS and AD. Has made
>>
the
>> following:
>> 1) Install FDS
>> 2) Configuring SSL Enabled FDS. For this purpose has started script
>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>
from
>> HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>> 3) Restart FDS.
>> netstat -atupn | grep ns-
>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>> 4) Enable SSL on AD.
>> Install Certificate Service
>> Check util ldp.exe:
>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>> Port - 636
>> Checkbox "SSL"
>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>> LDAP_VERSION3);
>> Error <0x0> = ldap_connect(hLdap, NULL);
>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>> Host supports SSL, SSL cipher strength = 128 bits
>> Established connection to srv-vm1.mup-example.vrn.ru.
>> Retrieving base DSA information...
>> .....
>> 5) Import AD CA certificate in DER mode.
>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>> slapd-asterisk1-
>> CA certificate CTu,u,u
>> server-cert u,u,u
>> Server-Cert u,u,u
>> ad-cert CT,C,C <- install this
>>
>> 6) [root@asterisk1 alias]# ldapsearch -Z -P
>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>> rv-vm1.mup-example.vrn.ru -p 636 -D
>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>
>>
>>
> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
> openssl for crypto, which is completely different than NSS. You need to
> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>
>
>> Error:
>> ldapsearch: unabel to parse protocol version
>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>
>> Help my!
>> Thanks
>>
>> ------------------------------------------------------
>> My Setup:
>>
>> Fedora Core 5 (i386)
>> Fedora Directory Server 1.0.2
>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>> ------------------------------------------------------
>>
> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>
>
>> Error:
>> ldapsearch: unabel to parse protocol version
>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>
>> Help my!
>> Thanks
>>
>> ------------------------------------------------------
>> My Setup:
>>
>> Fedora Core 5 (i386)
>> Fedora Directory Server 1.0.2
>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>> ------------------------------------------------------
>>
------------------------------------------------------------------------
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
1:43 p.m.
New subject: [Fedora-directory-users] LDAP Error
Has anyone seen this before? Possible causes? Thanks Joe
Start Slapd Server Config
FATAL Slapd ERROR LDAP authentication failed for url:
ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
unknown error)
Fatal slapd did not add directory server information into configuration
server
...
From: Richard Megginson <rmeggins(a)redhat.com>
Reply-To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users(a)redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
Date: Fri, 04 Aug 2006 09:45:37 -0600
One problem may be that you have to specify some additional option when
creating the MS CA cert or server certs issued by this CA. Is this a root
CA or did you get a CA certificate from somewhere else?
Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1-
-L -n ad-cert
Safonov Alexey wrote:
>Thanks Richard!
>
>In my opinion it the certificate of the CA. Certificates you can see
>details
>of reception of it on a screenshot (see the attached file)
>
>Safonov Alexey
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>Megginson
>Sent: Friday, July 28, 2006 5:45 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Error at work of the utility
>ldapsearch.
>
>
>Safonov Alexey wrote:
>
>>Thanks Richard!
>>
>>Now I start so:
>>[root@asterisk1 bin]# ./ldapsearch -Z -P
>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>
>>Also I receive a error:
>>
>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>
>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>ldaptool_getmodpath -- (null)
>>ldaptool_getdonglefilename -- (null)
>>ldap_simple_bind: Can't contact LDAP server
>> SSL error -8156 (Issuer certificate is invalid.)
>>
>>Though the certificate ad-cert (from Windows DC) is established. The
>>
>utility
>
>>certutil and Fedora Management Console (Manage Certificates) shows it.
>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>slapd-asterisk1-
>>CA certificate CTu,u,u
>>server-cert u,u,u
>>Server-Cert u,u,u
>>ad-cert CT,C,C
>>
>>Help my!
>>
>>
>Is ad-cert the certificate of the AD server or the certificate of the CA
>that issued the AD cert? An SSL client only needs to trust the CA cert
>of the issuer of the server certs it wants to use.
>
>>Safonov Alexey
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>Megginson
>>Sent: Thursday, July 27, 2006 7:36 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>ldapsearch.
>>
>>
>>Safonov Alexey wrote:
>>
>>
>>>Hi !
>>>
>>>I ask to help to solve a problem with the utility ldapsearch.
>>>
>>>is a problem to carry out synchronization between FDS and AD. Has made
>>>
>the
>
>>>following:
>>>1) Install FDS
>>>2) Configuring SSL Enabled FDS. For this purpose has started script
>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>
>from
>
>>>HOWTO "Howto:SSL"
(http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>3) Restart FDS.
>>> netstat -atupn | grep ns-
>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>4) Enable SSL on AD.
>>>Install Certificate Service
>>>Check util ldp.exe:
>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>> Port - 636
>>> Checkbox "SSL"
>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>LDAP_VERSION3);
>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>Host supports SSL, SSL cipher strength = 128 bits
>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>Retrieving base DSA information...
>>>.....
>>>5) Import AD CA certificate in DER mode.
>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>slapd-asterisk1-
>>>CA certificate CTu,u,u
>>>server-cert u,u,u
>>>Server-Cert u,u,u
>>>ad-cert CT,C,C <- install this
>>>
>>>6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01
-s
>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>
>>>
>>>
>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>openssl for crypto, which is completely different than NSS. You need to
>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>
>>
>>>Error:
>>>ldapsearch: unabel to parse protocol version
>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>
>>>Help my!
>>>Thanks
>>>
>>>------------------------------------------------------
>>>My Setup:
>>>
>>>Fedora Core 5 (i386)
>>>Fedora Directory Server 1.0.2
>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>------------------------------------------------------
>>>
>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>
>>
>>>Error:
>>>ldapsearch: unabel to parse protocol version
>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>
>>>Help my!
>>>Thanks
>>>
>>>------------------------------------------------------
>>>My Setup:
>>>
>>>Fedora Core 5 (i386)
>>>Fedora Directory Server 1.0.2
>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>------------------------------------------------------
>>>
>
>
>
>------------------------------------------------------------------------
>
>------------------------------------------------------------------------
>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
> << smime.p7s >>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:04 p.m.
New subject: [Fedora-directory-users] LDAP Error
Joe Sheehan wrote:
Has anyone seen this before? Possible causes? Thanks Joe
Start Slapd Server Config
FATAL Slapd ERROR LDAP authentication failed for url:
ldap://nodename.my.nis:1389 Netscaperoot user id admin
(151: unknown error)
This usually indicates a problem with DNS or reverse DNS
setup.
Fatal slapd did not add directory server information into
configuration server
...
> From: Richard Megginson <rmeggins(a)redhat.com>
> Reply-To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> Subject: Re: [Fedora-directory-users] Error at work of the utility
> ldapsearch.
> Date: Fri, 04 Aug 2006 09:45:37 -0600
>
> One problem may be that you have to specify some additional option
> when creating the MS CA cert or server certs issued by this CA. Is
> this a root CA or did you get a CA certificate from somewhere else?
>
> Do this:
> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
> slapd-asterisk1- -L -n ad-cert
>
> Safonov Alexey wrote:
>> Thanks Richard!
>>
>> In my opinion it the certificate of the CA. Certificates you can see
>> details
>> of reception of it on a screenshot (see the attached file)
>>
>> Safonov Alexey
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces(a)redhat.com
>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>> Megginson
>> Sent: Friday, July 28, 2006 5:45 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>> ldapsearch.
>>
>>
>> Safonov Alexey wrote:
>>
>>> Thanks Richard!
>>>
>>> Now I start so:
>>> [root@asterisk1 bin]# ./ldapsearch -Z -P
>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01
-s
>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>
>>> Also I receive a error:
>>>
>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>
>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>> ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>> ldaptool_getmodpath -- (null)
>>> ldaptool_getdonglefilename -- (null)
>>> ldap_simple_bind: Can't contact LDAP server
>>> SSL error -8156 (Issuer certificate is invalid.)
>>>
>>> Though the certificate ad-cert (from Windows DC) is established. The
>>>
>> utility
>>
>>> certutil and Fedora Management Console (Manage Certificates) shows it.
>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>> slapd-asterisk1-
>>> CA certificate CTu,u,u
>>> server-cert u,u,u
>>> Server-Cert u,u,u
>>> ad-cert CT,C,C
>>>
>>> Help my!
>>>
>>>
>> Is ad-cert the certificate of the AD server or the certificate of
>> the CA
>> that issued the AD cert? An SSL client only needs to trust the CA cert
>> of the issuer of the server certs it wants to use.
>>
>>> Safonov Alexey
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces(a)redhat.com
>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>> Megginson
>>> Sent: Thursday, July 27, 2006 7:36 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>> ldapsearch.
>>>
>>>
>>> Safonov Alexey wrote:
>>>
>>>
>>>> Hi !
>>>>
>>>> I ask to help to solve a problem with the utility ldapsearch.
>>>>
>>>> is a problem to carry out synchronization between FDS and AD. Has
>>>> made
>>>>
>> the
>>
>>>> following:
>>>> 1) Install FDS
>>>> 2) Configuring SSL Enabled FDS. For this purpose has started script
>>>> setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>
>> from
>>
>>>> HOWTO "Howto:SSL"
(http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>> 3) Restart FDS.
>>>> netstat -atupn | grep ns-
>>>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>> 4) Enable SSL on AD.
>>>> Install Certificate Service
>>>> Check util ldp.exe:
>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>> Port - 636
>>>> Checkbox "SSL"
>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>> LDAP_VERSION3);
>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>> Retrieving base DSA information...
>>>> .....
>>>> 5) Import AD CA certificate in DER mode.
>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>> slapd-asterisk1-
>>>> CA certificate CTu,u,u
>>>> server-cert u,u,u
>>>> Server-Cert u,u,u
>>>> ad-cert CT,C,C <- install this
>>>>
>>>> 6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
secret01 -s
>>>> base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*"
>>>>
>>>>
>>>>
>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>> openssl for crypto, which is completely different than NSS. You
>>> need to
>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>
>>>
>>>> Error:
>>>> ldapsearch: unabel to parse protocol version
>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>
>>>> Help my!
>>>> Thanks
>>>>
>>>> ------------------------------------------------------
>>>> My Setup:
>>>>
>>>> Fedora Core 5 (i386)
>>>> Fedora Directory Server 1.0.2
>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>> ------------------------------------------------------
>>>>
>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>
>>>
>>>> Error:
>>>> ldapsearch: unabel to parse protocol version
>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>
>>>> Help my!
>>>> Thanks
>>>>
>>>> ------------------------------------------------------
>>>> My Setup:
>>>>
>>>> Fedora Core 5 (i386)
>>>> Fedora Directory Server 1.0.2
>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>> ------------------------------------------------------
>>>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
> << smime.p7s >>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:14 p.m.
New subject: [Fedora-directory-users] LDAP Error
google(ing) for this - it basically says the same thing as you've stated.
Is there a way to fix this by hand or is LDAP corrupted beyond fixing unless
you
uninstall and re-install.
Joe
From: Richard Megginson <rmeggins(a)redhat.com>
Reply-To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users(a)redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] LDAP Error
Date: Fri, 04 Aug 2006 14:04:23 -0600
Joe Sheehan wrote:
>Has anyone seen this before? Possible causes? Thanks Joe
>
>
>Start Slapd Server Config
>
>FATAL Slapd ERROR LDAP authentication failed for url:
>ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
>unknown error)
This usually indicates a problem with DNS or reverse DNS setup.
>
>Fatal slapd did not add directory server information into configuration
>server
>
>...
>
>
>
>
>>From: Richard Megginson <rmeggins(a)redhat.com>
>>Reply-To: "General discussion list for the Fedora Directory server
>>project." <fedora-directory-users(a)redhat.com>
>>To: "General discussion list for the Fedora Directory server project."
>><fedora-directory-users(a)redhat.com>
>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>ldapsearch.
>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>
>>One problem may be that you have to specify some additional option when
>>creating the MS CA cert or server certs issued by this CA. Is this a
>>root CA or did you get a CA certificate from somewhere else?
>>
>>Do this:
>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P slapd-asterisk1-
>>-L -n ad-cert
>>
>>Safonov Alexey wrote:
>>>Thanks Richard!
>>>
>>>In my opinion it the certificate of the CA. Certificates you can see
>>>details
>>>of reception of it on a screenshot (see the attached file)
>>>
>>>Safonov Alexey
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces(a)redhat.com
>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>>Megginson
>>>Sent: Friday, July 28, 2006 5:45 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>ldapsearch.
>>>
>>>
>>>Safonov Alexey wrote:
>>>
>>>>Thanks Richard!
>>>>
>>>>Now I start so:
>>>>[root@asterisk1 bin]# ./ldapsearch -Z -P
>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
secret01 -s
>>>>base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
-v
>>>>
>>>>Also I receive a error:
>>>>
>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>
>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>ldaptool_getmodpath -- (null)
>>>>ldaptool_getdonglefilename -- (null)
>>>>ldap_simple_bind: Can't contact LDAP server
>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>
>>>>Though the certificate ad-cert (from Windows DC) is established. The
>>>>
>>>utility
>>>
>>>>certutil and Fedora Management Console (Manage Certificates) shows it.
>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>>slapd-asterisk1-
>>>>CA certificate CTu,u,u
>>>>server-cert u,u,u
>>>>Server-Cert u,u,u
>>>>ad-cert CT,C,C
>>>>
>>>>Help my!
>>>>
>>>>
>>>Is ad-cert the certificate of the AD server or the certificate of the CA
>>>that issued the AD cert? An SSL client only needs to trust the CA cert
>>>of the issuer of the server certs it wants to use.
>>>
>>>>Safonov Alexey
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces(a)redhat.com
>>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
>>>>Megginson
>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>ldapsearch.
>>>>
>>>>
>>>>Safonov Alexey wrote:
>>>>
>>>>
>>>>>Hi !
>>>>>
>>>>>I ask to help to solve a problem with the utility ldapsearch.
>>>>>
>>>>>is a problem to carry out synchronization between FDS and AD. Has
made
>>>>>
>>>the
>>>
>>>>>following:
>>>>>1) Install FDS
>>>>>2) Configuring SSL Enabled FDS. For this purpose has started script
>>>>>setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>
>>>from
>>>
>>>>>HOWTO "Howto:SSL"
(http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>3) Restart FDS.
>>>>> netstat -atupn | grep ns-
>>>>>tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>4) Enable SSL on AD.
>>>>>Install Certificate Service
>>>>>Check util ldp.exe:
>>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>> Port - 636
>>>>> Checkbox "SSL"
>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>LDAP_VERSION3);
>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>Error <0x0> =
ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>Retrieving base DSA information...
>>>>>.....
>>>>>5) Import AD CA certificate in DER mode.
>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
>>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
>>>>>slapd-asterisk1-
>>>>>CA certificate CTu,u,u
>>>>>server-cert u,u,u
>>>>>Server-Cert u,u,u
>>>>>ad-cert CT,C,C <- install this
>>>>>
>>>>>6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
secret01 -s
>>>>>base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*"
>>>>>
>>>>>
>>>>>
>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
>>>>openssl for crypto, which is completely different than NSS. You need
>>>>to
>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>
>>>>
>>>>>Error:
>>>>>ldapsearch: unabel to parse protocol version
>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>
>>>>>Help my!
>>>>>Thanks
>>>>>
>>>>>------------------------------------------------------
>>>>>My Setup:
>>>>>
>>>>>Fedora Core 5 (i386)
>>>>>Fedora Directory Server 1.0.2
>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>------------------------------------------------------
>>>>>
>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>
>>>>
>>>>>Error:
>>>>>ldapsearch: unabel to parse protocol version
>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>
>>>>>Help my!
>>>>>Thanks
>>>>>
>>>>>------------------------------------------------------
>>>>>My Setup:
>>>>>
>>>>>Fedora Core 5 (i386)
>>>>>Fedora Directory Server 1.0.2
>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>------------------------------------------------------
>>>>>
>>>
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>
>
>
<< smime.p7s >>
>
>
>
>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users << smime.p7s >>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
4:26 p.m.
New subject: [Fedora-directory-users] LDAP Error
Joe Sheehan wrote:
google(ing) for this - it basically says the same thing as you've
stated.
Is there a way to fix this by hand
Fix your DNS and reverse DNS set up. Are you
also using NIS for
hostname resolution? You may have to make sure NIS and DNS hosts
resolve to the same IP addresses.
or is LDAP corrupted beyond fixing unless you
uninstall and re-install.
This has nothing to do with ldap corruption. Although,
once you fix
your DNS and reverse DNS, you will need to re install from scratch.
This is unfortunately the easiest way to ensure proper Admin Server set up.
Joe
> From: Richard Megginson <rmeggins(a)redhat.com>
> Reply-To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> Subject: Re: [Fedora-directory-users] LDAP Error
> Date: Fri, 04 Aug 2006 14:04:23 -0600
>
> Joe Sheehan wrote:
>> Has anyone seen this before? Possible causes? Thanks Joe
>>
>>
>> Start Slapd Server Config
>>
>> FATAL Slapd ERROR LDAP authentication failed for url:
>> ldap://nodename.my.nis:1389 Netscaperoot user id admin
>> (151: unknown error)
> This usually indicates a problem with DNS or reverse DNS setup.
>>
>> Fatal slapd did not add directory server information into
>> configuration server
>>
>> ...
>>
>>
>>
>>
>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>> Reply-To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>> ldapsearch.
>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>
>>> One problem may be that you have to specify some additional option
>>> when creating the MS CA cert or server certs issued by this CA. Is
>>> this a root CA or did you get a CA certificate from somewhere else?
>>>
>>> Do this:
>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
>>> slapd-asterisk1- -L -n ad-cert
>>>
>>> Safonov Alexey wrote:
>>>> Thanks Richard!
>>>>
>>>> In my opinion it the certificate of the CA. Certificates you can
>>>> see details
>>>> of reception of it on a screenshot (see the attached file)
>>>>
>>>> Safonov Alexey
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>> Richard
>>>> Megginson
>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>> ldapsearch.
>>>>
>>>>
>>>> Safonov Alexey wrote:
>>>>
>>>>> Thanks Richard!
>>>>>
>>>>> Now I start so:
>>>>> [root@asterisk1 bin]# ./ldapsearch -Z -P
>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
>>>>> secret01 -s
>>>>> base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*" -v
>>>>>
>>>>> Also I receive a error:
>>>>>
>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>
>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>> ldaptool_getcertpath --
>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>> ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>> ldaptool_getmodpath -- (null)
>>>>> ldaptool_getdonglefilename -- (null)
>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>
>>>>> Though the certificate ad-cert (from Windows DC) is established. The
>>>>>
>>>> utility
>>>>
>>>>> certutil and Fedora Management Console (Manage Certificates)
>>>>> shows it.
>>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d
>>>>> . -P
>>>>> slapd-asterisk1-
>>>>> CA certificate CTu,u,u
>>>>> server-cert u,u,u
>>>>> Server-Cert u,u,u
>>>>> ad-cert CT,C,C
>>>>>
>>>>> Help my!
>>>>>
>>>>>
>>>> Is ad-cert the certificate of the AD server or the certificate of
>>>> the CA
>>>> that issued the AD cert? An SSL client only needs to trust the CA
>>>> cert
>>>> of the issuer of the server certs it wants to use.
>>>>
>>>>> Safonov Alexey
>>>>>
>>>>> -----Original Message-----
>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>>> Richard
>>>>> Megginson
>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>> To: General discussion list for the Fedora Directory server project.
>>>>> Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>> ldapsearch.
>>>>>
>>>>>
>>>>> Safonov Alexey wrote:
>>>>>
>>>>>
>>>>>> Hi !
>>>>>>
>>>>>> I ask to help to solve a problem with the utility ldapsearch.
>>>>>>
>>>>>> is a problem to carry out synchronization between FDS and AD.
>>>>>> Has made
>>>>>>
>>>> the
>>>>
>>>>>> following:
>>>>>> 1) Install FDS
>>>>>> 2) Configuring SSL Enabled FDS. For this purpose has started
script
>>>>>> setupssl.sh
>>>>>> (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>
>>>> from
>>>>
>>>>>> HOWTO "Howto:SSL"
>>>>>> (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>> 3) Restart FDS.
>>>>>> netstat -atupn | grep ns-
>>>>>> tcp 0 0 :::389 :::* LISTEN
6039/ns-slapd
>>>>>> tcp 0 0 :::636 :::* LISTEN
6039/ns-slapd
>>>>>> 4) Enable SSL on AD.
>>>>>> Install Certificate Service
>>>>>> Check util ldp.exe:
>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>> Port - 636
>>>>>> Checkbox "SSL"
>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636,
1);
>>>>>> Error <0x0> = ldap_set_option(hLdap,
LDAP_OPT_PROTOCOL_VERSION,
>>>>>> LDAP_VERSION3);
>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>> Error <0x0> =
ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>> Retrieving base DSA information...
>>>>>> .....
>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS.
Check:
>>>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d
>>>>>> . -P
>>>>>> slapd-asterisk1-
>>>>>> CA certificate CTu,u,u
>>>>>> server-cert u,u,u
>>>>>> Server-Cert u,u,u
>>>>>> ad-cert CT,C,C <- install this
>>>>>>
>>>>>> 6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru"
-w
>>>>>> secret01 -s
>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*"
>>>>>>
>>>>>>
>>>>>>
>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which
uses
>>>>> openssl for crypto, which is completely different than NSS. You
>>>>> need to
>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>
>>>>>
>>>>>> Error:
>>>>>> ldapsearch: unabel to parse protocol version
>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>
>>>>>> Help my!
>>>>>> Thanks
>>>>>>
>>>>>> ------------------------------------------------------
>>>>>> My Setup:
>>>>>>
>>>>>> Fedora Core 5 (i386)
>>>>>> Fedora Directory Server 1.0.2
>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>> ------------------------------------------------------
>>>>>>
>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>
>>>>>
>>>>>> Error:
>>>>>> ldapsearch: unabel to parse protocol version
>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>
>>>>>> Help my!
>>>>>> Thanks
>>>>>>
>>>>>> ------------------------------------------------------
>>>>>> My Setup:
>>>>>>
>>>>>> Fedora Core 5 (i386)
>>>>>> Fedora Directory Server 1.0.2
>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>> ------------------------------------------------------
>>>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>
>>
>>> << smime.p7s >>
>>
>>
>>
>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> << smime.p7s >>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
4:42 p.m.
New subject: [Fedora-directory-users] LDAP Error
Thanks - we will definitely take your advice.
Curious if switching the order within the nsswitch.conf would do the trick.
Joe
From: Richard Megginson <rmeggins(a)redhat.com>
Reply-To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users(a)redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] LDAP Error
Date: Fri, 04 Aug 2006 15:26:21 -0600
Joe Sheehan wrote:
>google(ing) for this - it basically says the same thing as you've stated.
>Is there a way to fix this by hand
Fix your DNS and reverse DNS set up. Are you also using NIS for hostname
resolution? You may have to make sure NIS and DNS hosts resolve to the
same IP addresses.
>or is LDAP corrupted beyond fixing unless you
>uninstall and re-install.
This has nothing to do with ldap corruption. Although, once you fix your
DNS and reverse DNS, you will need to re install from scratch. This is
unfortunately the easiest way to ensure proper Admin Server set up.
>
>Joe
>
>
>>From: Richard Megginson <rmeggins(a)redhat.com>
>>Reply-To: "General discussion list for the Fedora Directory server
>>project." <fedora-directory-users(a)redhat.com>
>>To: "General discussion list for the Fedora Directory server project."
>><fedora-directory-users(a)redhat.com>
>>Subject: Re: [Fedora-directory-users] LDAP Error
>>Date: Fri, 04 Aug 2006 14:04:23 -0600
>>
>>Joe Sheehan wrote:
>>>Has anyone seen this before? Possible causes? Thanks Joe
>>>
>>>
>>>Start Slapd Server Config
>>>
>>>FATAL Slapd ERROR LDAP authentication failed for url:
>>>ldap://nodename.my.nis:1389 Netscaperoot user id admin (151:
>>>unknown error)
>>This usually indicates a problem with DNS or reverse DNS setup.
>>>
>>>Fatal slapd did not add directory server information into configuration
>>>server
>>>
>>>...
>>>
>>>
>>>
>>>
>>>>From: Richard Megginson <rmeggins(a)redhat.com>
>>>>Reply-To: "General discussion list for the Fedora Directory server
>>>>project." <fedora-directory-users(a)redhat.com>
>>>>To: "General discussion list for the Fedora Directory server
project."
>>>><fedora-directory-users(a)redhat.com>
>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>ldapsearch.
>>>>Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>
>>>>One problem may be that you have to specify some additional option when
>>>>creating the MS CA cert or server certs issued by this CA. Is this a
>>>>root CA or did you get a CA certificate from somewhere else?
>>>>
>>>>Do this:
>>>>cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
>>>>slapd-asterisk1- -L -n ad-cert
>>>>
>>>>Safonov Alexey wrote:
>>>>>Thanks Richard!
>>>>>
>>>>>In my opinion it the certificate of the CA. Certificates you can see
>>>>>details
>>>>>of reception of it on a screenshot (see the attached file)
>>>>>
>>>>>Safonov Alexey
>>>>>
>>>>>-----Original Message-----
>>>>>From: fedora-directory-users-bounces(a)redhat.com
>>>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
Richard
>>>>>Megginson
>>>>>Sent: Friday, July 28, 2006 5:45 PM
>>>>>To: General discussion list for the Fedora Directory server project.
>>>>>Subject: Re: [Fedora-directory-users] Error at work of the utility
>>>>>ldapsearch.
>>>>>
>>>>>
>>>>>Safonov Alexey wrote:
>>>>>
>>>>>>Thanks Richard!
>>>>>>
>>>>>>Now I start so:
>>>>>>[root@asterisk1 bin]# ./ldapsearch -Z -P
>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru"
-w secret01 -s
>>>>>>base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*" -v
>>>>>>
>>>>>>Also I receive a error:
>>>>>>
>>>>>>ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>
>>>>>>ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>ldaptool_getcertpath --
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>ldaptool_getkeypath --
/opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>ldaptool_getmodpath -- (null)
>>>>>>ldaptool_getdonglefilename -- (null)
>>>>>>ldap_simple_bind: Can't contact LDAP server
>>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>>
>>>>>>Though the certificate ad-cert (from Windows DC) is established.
The
>>>>>>
>>>>>utility
>>>>>
>>>>>>certutil and Fedora Management Console (Manage Certificates) shows
>>>>>>it.
>>>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d .
-P
>>>>>>slapd-asterisk1-
>>>>>>CA certificate CTu,u,u
>>>>>>server-cert u,u,u
>>>>>>Server-Cert u,u,u
>>>>>>ad-cert CT,C,C
>>>>>>
>>>>>>Help my!
>>>>>>
>>>>>>
>>>>>Is ad-cert the certificate of the AD server or the certificate of the
>>>>>CA
>>>>>that issued the AD cert? An SSL client only needs to trust the CA
>>>>>cert
>>>>>of the issuer of the server certs it wants to use.
>>>>>
>>>>>>Safonov Alexey
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: fedora-directory-users-bounces(a)redhat.com
>>>>>>[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>>>>Richard
>>>>>>Megginson
>>>>>>Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>To: General discussion list for the Fedora Directory server
project.
>>>>>>Subject: Re: [Fedora-directory-users] Error at work of the
utility
>>>>>>ldapsearch.
>>>>>>
>>>>>>
>>>>>>Safonov Alexey wrote:
>>>>>>
>>>>>>
>>>>>>>Hi !
>>>>>>>
>>>>>>>I ask to help to solve a problem with the utility ldapsearch.
>>>>>>>
>>>>>>>is a problem to carry out synchronization between FDS and AD.
Has
>>>>>>>made
>>>>>>>
>>>>>the
>>>>>
>>>>>>>following:
>>>>>>>1) Install FDS
>>>>>>>2) Configuring SSL Enabled FDS. For this purpose has started
script
>>>>>>>setupssl.sh
>>>>>>>(http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>
>>>>>from
>>>>>
>>>>>>>HOWTO "Howto:SSL"
>>>>>>>(http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>3) Restart FDS.
>>>>>>> netstat -atupn | grep ns-
>>>>>>>tcp 0 0 :::389 :::* LISTEN
6039/ns-slapd
>>>>>>>tcp 0 0 :::636 :::* LISTEN
6039/ns-slapd
>>>>>>>4) Enable SSL on AD.
>>>>>>>Install Certificate Service
>>>>>>>Check util ldp.exe:
>>>>>>>Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>> Port - 636
>>>>>>> Checkbox "SSL"
>>>>>>>ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636,
1);
>>>>>>>Error <0x0> = ldap_set_option(hLdap,
LDAP_OPT_PROTOCOL_VERSION,
>>>>>>>LDAP_VERSION3);
>>>>>>>Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>Error <0x0> =
ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>Retrieving base DSA information...
>>>>>>>.....
>>>>>>>5) Import AD CA certificate in DER mode.
>>>>>>>6) Copy, convert (PEM) and install AD CA certificate in FDS.
Check:
>>>>>>>[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L
-d .
>>>>>>>-P
>>>>>>>slapd-asterisk1-
>>>>>>>CA certificate CTu,u,u
>>>>>>>server-cert u,u,u
>>>>>>>Server-Cert u,u,u
>>>>>>>ad-cert CT,C,C <- install
this
>>>>>>>
>>>>>>>6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>>>>>/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>>rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>>"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru"
-w secret01
>>>>>>>-s
>>>>>>>base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>That's /usr/bin/ldapsearch, which is openldap ldapsearch,
which uses
>>>>>>openssl for crypto, which is completely different than NSS. You
need
>>>>>>to
>>>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>
>>>>>>
>>>>>>>Error:
>>>>>>>ldapsearch: unabel to parse protocol version
>>>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>
>>>>>>>Help my!
>>>>>>>Thanks
>>>>>>>
>>>>>>>------------------------------------------------------
>>>>>>>My Setup:
>>>>>>>
>>>>>>>Fedora Core 5 (i386)
>>>>>>>Fedora Directory Server 1.0.2
>>>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>------------------------------------------------------
>>>>>>>
>>>>>>use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>
>>>>>>
>>>>>>>Error:
>>>>>>>ldapsearch: unabel to parse protocol version
>>>>>>>"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>
>>>>>>>Help my!
>>>>>>>Thanks
>>>>>>>
>>>>>>>------------------------------------------------------
>>>>>>>My Setup:
>>>>>>>
>>>>>>>Fedora Core 5 (i386)
>>>>>>>Fedora Directory Server 1.0.2
>>>>>>>Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>------------------------------------------------------
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>--
>>>>>Fedora-directory-users mailing list
>>>>>Fedora-directory-users(a)redhat.com
>>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>
>>>
>>>
<< smime.p7s >>
>>>
>>>
>>>
>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users(a)redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
><< smime.p7s >>
>
>
>
>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users << smime.p7s >>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
5:26 p.m.
New subject: [Fedora-directory-users] LDAP Error
Joe Sheehan wrote:
Thanks - we will definitely take your advice.
Curious if switching the order within the nsswitch.conf would do the
trick.
It might.
Joe
> From: Richard Megginson <rmeggins(a)redhat.com>
> Reply-To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> Subject: Re: [Fedora-directory-users] LDAP Error
> Date: Fri, 04 Aug 2006 15:26:21 -0600
>
> Joe Sheehan wrote:
>> google(ing) for this - it basically says the same thing as you've
>> stated.
>> Is there a way to fix this by hand
> Fix your DNS and reverse DNS set up. Are you also using NIS for
> hostname resolution? You may have to make sure NIS and DNS hosts
> resolve to the same IP addresses.
>> or is LDAP corrupted beyond fixing unless you
>> uninstall and re-install.
> This has nothing to do with ldap corruption. Although, once you fix
> your DNS and reverse DNS, you will need to re install from scratch.
> This is unfortunately the easiest way to ensure proper Admin Server
> set up.
>>
>> Joe
>>
>>
>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>> Reply-To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> Subject: Re: [Fedora-directory-users] LDAP Error
>>> Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>
>>> Joe Sheehan wrote:
>>>> Has anyone seen this before? Possible causes? Thanks Joe
>>>>
>>>>
>>>> Start Slapd Server Config
>>>>
>>>> FATAL Slapd ERROR LDAP authentication failed for url:
>>>> ldap://nodename.my.nis:1389 Netscaperoot user id admin
>>>> (151: unknown error)
>>> This usually indicates a problem with DNS or reverse DNS setup.
>>>>
>>>> Fatal slapd did not add directory server information into
>>>> configuration server
>>>>
>>>> ...
>>>>
>>>>
>>>>
>>>>
>>>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>>>> Reply-To: "General discussion list for the Fedora Directory
>>>>> server project." <fedora-directory-users(a)redhat.com>
>>>>> To: "General discussion list for the Fedora Directory server
>>>>> project." <fedora-directory-users(a)redhat.com>
>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
>>>>> utility ldapsearch.
>>>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>
>>>>> One problem may be that you have to specify some additional
>>>>> option when creating the MS CA cert or server certs issued by
>>>>> this CA. Is this a root CA or did you get a CA certificate from
>>>>> somewhere else?
>>>>>
>>>>> Do this:
>>>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
>>>>> slapd-asterisk1- -L -n ad-cert
>>>>>
>>>>> Safonov Alexey wrote:
>>>>>> Thanks Richard!
>>>>>>
>>>>>> In my opinion it the certificate of the CA. Certificates you can
>>>>>> see details
>>>>>> of reception of it on a screenshot (see the attached file)
>>>>>>
>>>>>> Safonov Alexey
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>>>> Richard
>>>>>> Megginson
>>>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>>>> To: General discussion list for the Fedora Directory server
>>>>>> project.
>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
utility
>>>>>> ldapsearch.
>>>>>>
>>>>>>
>>>>>> Safonov Alexey wrote:
>>>>>>
>>>>>>> Thanks Richard!
>>>>>>>
>>>>>>> Now I start so:
>>>>>>> [root@asterisk1 bin]# ./ldapsearch -Z -P
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>>
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
>>>>>>> secret01 -s
>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*" -v
>>>>>>>
>>>>>>> Also I receive a error:
>>>>>>>
>>>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>
>>>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>> ldaptool_getcertpath --
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>> ldaptool_getkeypath --
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>> ldaptool_getmodpath -- (null)
>>>>>>> ldaptool_getdonglefilename -- (null)
>>>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>
>>>>>>> Though the certificate ad-cert (from Windows DC) is
>>>>>>> established. The
>>>>>>>
>>>>>> utility
>>>>>>
>>>>>>> certutil and Fedora Management Console (Manage Certificates)
>>>>>>> shows it.
>>>>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L
>>>>>>> -d . -P
>>>>>>> slapd-asterisk1-
>>>>>>> CA certificate CTu,u,u
>>>>>>> server-cert u,u,u
>>>>>>> Server-Cert u,u,u
>>>>>>> ad-cert CT,C,C
>>>>>>>
>>>>>>> Help my!
>>>>>>>
>>>>>>>
>>>>>> Is ad-cert the certificate of the AD server or the certificate
>>>>>> of the CA
>>>>>> that issued the AD cert? An SSL client only needs to trust the
>>>>>> CA cert
>>>>>> of the issuer of the server certs it wants to use.
>>>>>>
>>>>>>> Safonov Alexey
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf
Of
>>>>>>> Richard
>>>>>>> Megginson
>>>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>> To: General discussion list for the Fedora Directory server
>>>>>>> project.
>>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
utility
>>>>>>> ldapsearch.
>>>>>>>
>>>>>>>
>>>>>>> Safonov Alexey wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi !
>>>>>>>>
>>>>>>>> I ask to help to solve a problem with the utility
ldapsearch.
>>>>>>>>
>>>>>>>> is a problem to carry out synchronization between FDS and
AD.
>>>>>>>> Has made
>>>>>>>>
>>>>>> the
>>>>>>
>>>>>>>> following:
>>>>>>>> 1) Install FDS
>>>>>>>> 2) Configuring SSL Enabled FDS. For this purpose has
started
>>>>>>>> script
>>>>>>>> setupssl.sh
>>>>>>>>
(http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>>
>>>>>> from
>>>>>>
>>>>>>>> HOWTO "Howto:SSL"
>>>>>>>> (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>> 3) Restart FDS.
>>>>>>>> netstat -atupn | grep ns-
>>>>>>>> tcp 0 0 :::389 :::* LISTEN
6039/ns-slapd
>>>>>>>> tcp 0 0 :::636 :::* LISTEN
6039/ns-slapd
>>>>>>>> 4) Enable SSL on AD.
>>>>>>>> Install Certificate Service
>>>>>>>> Check util ldp.exe:
>>>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>> Port - 636
>>>>>>>> Checkbox "SSL"
>>>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru",
636, 1);
>>>>>>>> Error <0x0> = ldap_set_option(hLdap,
LDAP_OPT_PROTOCOL_VERSION,
>>>>>>>> LDAP_VERSION3);
>>>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>> Error <0x0> =
ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>> Retrieving base DSA information...
>>>>>>>> .....
>>>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in
FDS.
>>>>>>>> Check:
>>>>>>>> [root@asterisk1 alias]#
/opt/fedora-ds/shared/bin/certutil -L
>>>>>>>> -d . -P
>>>>>>>> slapd-asterisk1-
>>>>>>>> CA certificate CTu,u,u
>>>>>>>> server-cert u,u,u
>>>>>>>> Server-Cert u,u,u
>>>>>>>> ad-cert CT,C,C <-
install this
>>>>>>>>
>>>>>>>> 6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>>>
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
>>>>>>>> secret01 -s
>>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru"
"objectclass=*"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch,
which
>>>>>>> uses
>>>>>>> openssl for crypto, which is completely different than NSS.
>>>>>>> You need to
>>>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>
>>>>>>>
>>>>>>>> Error:
>>>>>>>> ldapsearch: unabel to parse protocol version
>>>>>>>>
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>
>>>>>>>> Help my!
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> ------------------------------------------------------
>>>>>>>> My Setup:
>>>>>>>>
>>>>>>>> Fedora Core 5 (i386)
>>>>>>>> Fedora Directory Server 1.0.2
>>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>> ------------------------------------------------------
>>>>>>>>
>>>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>
>>>>>>>
>>>>>>>> Error:
>>>>>>>> ldapsearch: unabel to parse protocol version
>>>>>>>>
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>
>>>>>>>> Help my!
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> ------------------------------------------------------
>>>>>>>> My Setup:
>>>>>>>>
>>>>>>>> Fedora Core 5 (i386)
>>>>>>>> Fedora Directory Server 1.0.2
>>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>> ------------------------------------------------------
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users(a)redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>
>>>>
>>>>> << smime.p7s >>
>>>>
>>>>
>>>>
>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users(a)redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>> << smime.p7s >>
>>
>>
>>
>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> << smime.p7s >>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
4:21 a.m.
Thanks Richard!
I created the certificate directly on a server srv-vm1.mu-example.vrn.ru
after start of service of certification.
Output command certutil -d . -P slapd-asterisk1- -L -n ad-cert:
[root@asterisk1 alias]# ../shared/bin/certutil -d . -P
slapd-asterisk1- -L -n ad-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
73:bf:d5:d6:2d:48:c6:a7:47:f9:d4:a4:34:3f:ab:f3
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=srv-vm1,DC=mup-example,DC=vrn,DC=ru"
Validity:
Not Before: Wed Jul 26 08:23:12 2006
Not After : Tue Jul 26 08:32:35 2011
Subject: "CN=srv-vm1,DC=mup-example,DC=vrn,DC=ru"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d1:05:76:84:a6:c9:37:65:1b:2c:69:94:71:74:09:82:
f9:88:a0:f9:4f:42:ac:20:2d:36:9c:dd:0d:19:1f:17:
2e:c2:7d:fc:28:bc:e0:ee:46:36:86:ae:59:c5:f4:76:
ed:46:5e:d6:8c:62:8b:f2:17:8d:a0:bf:d3:cf:0e:e3:
5e:e5:d7:b2:8c:31:8d:be:4e:2f:21:68:75:a4:b8:cd:
7f:e6:fa:95:22:48:44:97:d3:d8:7f:5f:a8:71:de:e1:
46:d2:0b:17:8d:94:a3:f8:d6:44:7d:7b:36:53:6d:66:
02:14:e8:d6:35:7d:3a:58:ca:c0:48:83:8c:17:61:6c:
a1:47:45:e2:76:ed:3b:16:d9:8f:16:5b:8d:4a:a5:49:
79:e5:c4:83:86:66:39:ce:8b:db:fe:3e:cd:35:0f:51:
d3:13:63:17:3f:5a:91:2c:ec:73:cc:38:df:44:c8:77:
4a:80:c8:10:37:fc:b1:66:59:85:9f:ac:3a:85:d9:c3:
97:8f:03:1b:35:85:48:1c:1b:2f:8c:ed:5f:82:93:be:
dd:0e:b1:19:5c:5f:da:fc:c8:49:a8:64:c4:eb:67:e9:
60:d3:49:3e:da:40:42:f7:a1:42:06:cd:8b:2f:e2:aa:
3e:21:f2:78:b3:37:fc:65:65:21:01:df:3e:c7:17:15
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Microsoft Enrollment Cert Type Extension
Data: "CA"
Name: Certificate Key Usage
Usages: Digital Signature
Certificate Signing
CRL Signing
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Subject Key ID
Data:
12:ab:df:2c:ec:92:bd:f0:94:29:d2:cf:a2:00:92:bc:
b6:35:ca:e5
Name: CRL Distribution Points
URI:
"ldap:///CN=srv-vm1,CN=srv-vm1,CN=CDP,CN=Public%20Key%20Serv
ices,CN=Services,CN=Configuration,DC=mup-example,DC=vrn,DC=ru
?certificateRevocationList?base?objectClass=cRLDistributionPo
int"
Name: Microsoft CertServ CA version
Data: 0 (0x0)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
20:87:df:98:51:90:d5:37:14:57:70:04:83:83:87:92:
ef:89:46:b7:3c:47:24:02:d9:28:d9:ee:57:07:1c:9e:
31:4e:c5:09:71:c7:fa:b1:d4:75:2c:d0:b1:c4:84:f1:
88:d5:bb:10:74:fe:1f:6d:8e:68:08:85:77:04:d4:8b:
7a:6c:aa:26:a0:d2:fa:7e:3f:f8:c9:d0:2b:e6:d5:ca:
79:49:31:9a:08:2c:72:43:5a:bb:58:fc:30:4e:15:29:
30:75:af:17:3a:7d:8b:07:4c:62:4d:7b:58:fb:a1:5d:
8d:b2:67:19:e0:bd:f6:e8:b9:a7:fc:e6:3c:23:b1:8d:
ce:44:ef:b3:68:8f:65:4c:ab:7b:b1:3e:b1:6d:2a:f0:
25:d4:8c:f1:c6:45:4e:3f:3e:1f:b6:90:8b:83:fb:32:
00:ec:3b:92:b5:2b:60:f6:ed:b1:fe:e8:45:ea:05:cd:
b7:03:34:bb:5e:87:9e:f2:a7:eb:0f:61:b3:24:41:5a:
97:18:fe:66:73:78:07:30:3a:8f:88:b3:94:5c:b5:4c:
cd:0e:cc:d2:3c:45:f2:e4:10:98:ac:68:5a:af:1f:29:
04:1c:fd:5b:a5:73:2e:5c:16:55:c3:36:64:e7:82:7b:
a0:78:aa:28:0e:e6:65:d4:e1:08:11:8b:14:2e:30:c1
Fingerprint (MD5):
36:D0:AF:D6:69:7C:8C:AF:32:72:04:D0:52:74:6B:F9
Fingerprint (SHA1):
29:D3:29:CE:70:B1:E9:0A:64:C7:63:A5:B1:95:3D:95:6D:A7:CF:08
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
Object Signing Flags:
Valid CA
Trusted CA
Safonov Alexey
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of Richard
Megginson
Sent: Friday, August 04, 2006 7:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.
One problem may be that you have to specify some additional option when
creating the MS CA cert or server certs issued by this CA. Is this a
root CA or did you get a CA certificate from somewhere else?
Do this:
cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
slapd-asterisk1- -L -n ad-cert
Safonov Alexey wrote:
Thanks Richard!
In my opinion it the certificate of the CA. Certificates you can see
details
of reception of it on a screenshot (see the attached file)
Safonov Alexey
6465
days inactive
6475
days old
389-users@lists.fedoraproject.org
14 comments
3 participants
participants (3)
-
Joe Sheehan -
Rich Megginson -
Safonov Alexey