Thanks - we will definitely take your advice.
Curious if switching the order within the nsswitch.conf would do the
trick.
It might.
Joe
> From: Richard Megginson <rmeggins(a)redhat.com>
> Reply-To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users(a)redhat.com>
> Subject: Re: [Fedora-directory-users] LDAP Error
> Date: Fri, 04 Aug 2006 15:26:21 -0600
>
> Joe Sheehan wrote:
>> google(ing) for this - it basically says the same thing as you've
>> stated.
>> Is there a way to fix this by hand
> Fix your DNS and reverse DNS set up. Are you also using NIS for
> hostname resolution? You may have to make sure NIS and DNS hosts
> resolve to the same IP addresses.
>> or is LDAP corrupted beyond fixing unless you
>> uninstall and re-install.
> This has nothing to do with ldap corruption. Although, once you fix
> your DNS and reverse DNS, you will need to re install from scratch.
> This is unfortunately the easiest way to ensure proper Admin Server
> set up.
>>
>> Joe
>>
>>
>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>> Reply-To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> To: "General discussion list for the Fedora Directory server
>>> project." <fedora-directory-users(a)redhat.com>
>>> Subject: Re: [Fedora-directory-users] LDAP Error
>>> Date: Fri, 04 Aug 2006 14:04:23 -0600
>>>
>>> Joe Sheehan wrote:
>>>> Has anyone seen this before? Possible causes? Thanks Joe
>>>>
>>>>
>>>> Start Slapd Server Config
>>>>
>>>> FATAL Slapd ERROR LDAP authentication failed for url:
>>>> ldap://nodename.my.nis:1389 Netscaperoot user id admin
>>>> (151: unknown error)
>>> This usually indicates a problem with DNS or reverse DNS setup.
>>>>
>>>> Fatal slapd did not add directory server information into
>>>> configuration server
>>>>
>>>> ...
>>>>
>>>>
>>>>
>>>>
>>>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>>>> Reply-To: "General discussion list for the Fedora Directory
>>>>> server project." <fedora-directory-users(a)redhat.com>
>>>>> To: "General discussion list for the Fedora Directory server
>>>>> project." <fedora-directory-users(a)redhat.com>
>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
>>>>> utility ldapsearch.
>>>>> Date: Fri, 04 Aug 2006 09:45:37 -0600
>>>>>
>>>>> One problem may be that you have to specify some additional
>>>>> option when creating the MS CA cert or server certs issued by
>>>>> this CA. Is this a root CA or did you get a CA certificate from
>>>>> somewhere else?
>>>>>
>>>>> Do this:
>>>>> cd /opt/fedora-ds/alias ; ../shared/bin/certutil -d . -P
>>>>> slapd-asterisk1- -L -n ad-cert
>>>>>
>>>>> Safonov Alexey wrote:
>>>>>> Thanks Richard!
>>>>>>
>>>>>> In my opinion it is the certificate of the CA. Certificates you can
>>>>>> see details
>>>>>> of reception of it on a screenshot (see the attached file)
>>>>>>
>>>>>> Safonov Alexey
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>>>> Richard
>>>>>> Megginson
>>>>>> Sent: Friday, July 28, 2006 5:45 PM
>>>>>> To: General discussion list for the Fedora Directory server
>>>>>> project.
>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
>>>>>> utility ldapsearch.
>>>>>>
>>>>>>
>>>>>> Safonov Alexey wrote:
>>>>>>
>>>>>>> Thanks Richard!
>>>>>>>
>>>>>>> Now I start so:
>>>>>>> [root@asterisk1 bin]# ./ldapsearch -Z -P
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db -h
>>>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
>>>>>>> secret01 -s
>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v
>>>>>>>
>>>>>>> Also I receive an error:
>>>>>>>
>>>>>>> ldapsearch: started Fri Jul 28 16:21:39 2006
>>>>>>>
>>>>>>> ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
>>>>>>> ldaptool_getcertpath --
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
>>>>>>> ldaptool_getkeypath --
>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-key3.db
>>>>>>> ldaptool_getmodpath -- (null)
>>>>>>> ldaptool_getdonglefilename -- (null)
>>>>>>> ldap_simple_bind: Can't contact LDAP server
>>>>>>> SSL error -8156 (Issuer certificate is invalid.)
>>>>>>>
>>>>>>> Though the certificate ad-cert (from Windows DC) is
>>>>>>> established. The utility
>>>>>>> certutil and Fedora Management Console (Manage Certificates)
>>>>>>> shows it.
>>>>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L
>>>>>>> -d . -P
>>>>>>> slapd-asterisk1-
>>>>>>> CA certificate CTu,u,u
>>>>>>> server-cert u,u,u
>>>>>>> Server-Cert u,u,u
>>>>>>> ad-cert CT,C,C
>>>>>>>
>>>>>>> Help me!
>>>>>>>
>>>>>>>
>>>>>> Is ad-cert the certificate of the AD server or the certificate
>>>>>> of the CA
>>>>>> that issued the AD cert? An SSL client only needs to trust the
>>>>>> CA cert
>>>>>> of the issuer of the server certs it wants to use.
>>>>>>
>>>>>>> Safonov Alexey
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>>>> [mailto:fedora-directory-users-bounces@redhat.com]On Behalf Of
>>>>>>> Richard
>>>>>>> Megginson
>>>>>>> Sent: Thursday, July 27, 2006 7:36 PM
>>>>>>> To: General discussion list for the Fedora Directory server
>>>>>>> project.
>>>>>>> Subject: Re: [Fedora-directory-users] Error at work of the
>>>>>>> utility ldapsearch.
>>>>>>>
>>>>>>>
>>>>>>> Safonov Alexey wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi !
>>>>>>>>
>>>>>>>> I ask to help to solve a problem with the utility ldapsearch.
>>>>>>>>
>>>>>>>> is a problem to carry out synchronization between FDS and AD.
>>>>>>>> Has made the
>>>>>>>> following:
>>>>>>>> 1) Install FDS
>>>>>>>> 2) Configuring SSL Enabled FDS. For this purpose has started
>>>>>>>> script
>>>>>>>> setupssl.sh
>>>>>>>> (http://directory.fedora.redhat.com/download/setupssl.sh)
>>>>>>>> from
>>>>>>>> HOWTO "Howto:SSL"
>>>>>>>> (http://directory.fedora.redhat.com/wiki/Howto:SSL)
>>>>>>>> 3) Restart FDS.
>>>>>>>> netstat -atupn | grep ns-
>>>>>>>> tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
>>>>>>>> tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
>>>>>>>> 4) Enable SSL on AD.
>>>>>>>> Install Certificate Service
>>>>>>>> Check util ldp.exe:
>>>>>>>> Connected param: Server- srv-vm1.mup-example.vrn.ru
>>>>>>>> Port - 636
>>>>>>>> Checkbox "SSL"
>>>>>>>> ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
>>>>>>>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>>>>>>>> LDAP_VERSION3);
>>>>>>>> Error <0x0> = ldap_connect(hLdap, NULL);
>>>>>>>> Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
>>>>>>>> Host supports SSL, SSL cipher strength = 128 bits
>>>>>>>> Established connection to srv-vm1.mup-example.vrn.ru.
>>>>>>>> Retrieving base DSA information...
>>>>>>>> .....
>>>>>>>> 5) Import AD CA certificate in DER mode.
>>>>>>>> 6) Copy, convert (PEM) and install AD CA certificate in FDS.
>>>>>>>> Check:
>>>>>>>> [root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L
>>>>>>>> -d . -P
>>>>>>>> slapd-asterisk1-
>>>>>>>> CA certificate CTu,u,u
>>>>>>>> server-cert u,u,u
>>>>>>>> Server-Cert u,u,u
>>>>>>>> ad-cert CT,C,C <- install this
>>>>>>>>
>>>>>>>> 6) [root@asterisk1 alias]# ldapsearch -Z -P
>>>>>>>> /opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
>>>>>>>> rv-vm1.mup-example.vrn.ru -p 636 -D
>>>>>>>> "cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w
>>>>>>>> secret01 -s
>>>>>>>> base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> That's /usr/bin/ldapsearch, which is openldap ldapsearch, which
>>>>>>> uses
>>>>>>> openssl for crypto, which is completely different than NSS.
>>>>>>> You need to
>>>>>>> use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
>>>>>>> cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
>>>>>>>
>>>>>>>
>>>>>>>> Error:
>>>>>>>> ldapsearch: unable to parse protocol version
>>>>>>>> "/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"
>>>>>>>>
>>>>>>>> Help me!
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> ------------------------------------------------------
>>>>>>>> My Setup:
>>>>>>>>
>>>>>>>> Fedora Core 5 (i386)
>>>>>>>> Fedora Directory Server 1.0.2
>>>>>>>> Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
>>>>>>>> ------------------------------------------------------
>>>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users(a)redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
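
The DNS / reverse DNS agreement discussed in this thread can be checked before reinstalling. The script below is an added example, not part of the original messages: it uses `getent hosts`, which resolves through the `hosts:` line of /etc/nsswitch.conf, so NIS and DNS are consulted in the configured order. The function names are illustrative.

```shell
#!/bin/sh
# Added example: forward/reverse host resolution consistency check.
# lookup() is the only place that touches the resolver. `getent hosts`
# follows the "hosts:" order in /etc/nsswitch.conf (files, nis, dns, ...).
lookup() {
    getent hosts "$1"
}

# First address a name resolves to (empty output if none).
forward_addr() {
    lookup "$1" | awk 'NR == 1 { print $1 }'
}

# Canonical name an address maps back to (empty output if none).
reverse_name() {
    lookup "$1" | awk 'NR == 1 { print $2 }'
}

# check_host NAME: returns 0 only when
# NAME -> address -> canonical name -> the same address.
check_host() {
    name=$1
    addr=$(forward_addr "$name")
    if [ -z "$addr" ]; then
        echo "FAIL $name: no forward resolution"; return 1
    fi
    back=$(reverse_name "$addr")
    if [ -z "$back" ]; then
        echo "FAIL $name: $addr has no reverse mapping"; return 2
    fi
    again=$(forward_addr "$back")
    if [ "$again" != "$addr" ]; then
        echo "FAIL $name: $addr maps back to $back, which resolves to ${again:-nothing}"
        return 3
    fi
    if [ "$back" != "$name" ]; then
        echo "WARN $name: canonical name is $back (address $addr)"
    else
        echo "OK $name <-> $addr"
    fi
    return 0
}

# Check every host name given on the command line, e.g. the FQDN
# that will be entered during directory server setup.
for h in "$@"; do
    check_host "$h"
done
```

A non-zero result for the server's fully qualified name points at the kind of name-service mismatch described above, to be fixed before the setup is run again.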