Shan Kumaraswamy wrote:
Rich,
Can I know command to trust IPA genearated CA cert file?
See below
So I don't think that is the problem here. If that were the problem, I
would expect a different error message. I think you're just going to
have to use something like openssl s_client to examine the server cert
used by AD.
On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <[email protected]
<mailto:[email protected]>> wrote:
Shan Kumaraswamy wrote:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
Validity:
Not Before: Tue Aug 17 01:39:07 2010
Not After : Mon Aug 17 01:49:05 2015
Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Microsoft Enrollment Cert Type Extension
Data: "CA"
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Certificate Signing
CRL Signing
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Subject Key ID
Data:
a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
e6:fb:3a:6d
Name: Microsoft CertServ CA version
Data: 0 (0x0)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
Fingerprint (MD5):
4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
Fingerprint (SHA1):
84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:
Valid CA
Trusted CA
This looks ok. So is it possible the AD server cert was not
issued by this CA? I suppose you could use an SSL test program
like /usr/bin/ssltap
or openssl s_client like this:
openssl s_client -connect windows.test.ad:636
<http://windows.test.ad:636/> -CAfile /path/to/msadcacert.asc
You can also add -verify 3 and -showcerts and -debug
see "man s_client" for more information
On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy
<[email protected] <mailto:[email protected]>
<mailto:[email protected] <mailto:[email protected]>>>
wrote:
done, and it came the output also, can plz let me know the
next step.
On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson
<[email protected] <mailto:[email protected]>
<mailto:[email protected] <mailto:[email protected]>>> wrote:
Shan Kumaraswamy wrote:
Rich,
Please find the below out put of the command:
[r...@saprhds001 ~]# certutil -d
/etc/dirsrv/slapd-XXXX-COM -L
Certificate Nickname
Trust Attributes
SSL,S/MIME,JAR/XPI
Imported CA
CT,,C
CA certificate
CTu,u,Cu
The CT means the CA is trusted for SSL client and server certs.
certutil -H
...
trustargs is of the form x,y,z where x is for
SSL, y is for S/MIME,
...
c valid CA
T trusted CA to issue client certs
(implies c)
C trusted CA to issue server certs
(implies c)
Server-Cert
u,u,u
I'm assuming "Imported CA" is the MS AD CA. Do this:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson
<[email protected] <mailto:[email protected]>
<mailto:[email protected] <mailto:[email protected]>>
<mailto:[email protected]
<mailto:[email protected]> <mailto:[email protected]
<mailto:[email protected]>>>>
wrote:
Shan Kumaraswamy wrote:
After this error, I have triyed your the
following
steps:
/usr/lib64/mozldap/ldapsearch -h
windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>> -D
"CN=administrator,CN=users,DC=test,DC=ad" -w
"xxxx"
-s base -b
"" "objectclass=*"
Then I got output like this:
version: 1
dn:
currentTime: 20100817220245.0Z
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
dsServiceName: CN=NTDS
Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=test,DC=ad
namingContexts: DC=test,DC=ad
namingContexts: CN=Configuration,DC=test,DC=ad
namingContexts:
CN=Schema,CN=Configuration,DC=test,DC=ad
namingContexts: DC=DomainDnsZones,DC=test,DC=ad
namingContexts: DC=ForestDnsZones,DC=test,DC=ad
defaultNamingContext: DC=test,DC=ad
schemaNamingContext:
CN=Schema,CN=Configuration,DC=test,DC=ad
configurationNamingContext:
CN=Configuration,DC=test,DC=ad
rootDomainNamingContext: DC=test,DC=ad
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 73772
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: Windows.test.ad
<http://windows.test.ad/>
<http://windows.test.ad/> <http://windows.test.ad/>
<http://Windows.test.ad
<http://windows.test.ad/> <http://windows.test.ad/>
<http://windows.test.ad/>>
ldapServiceName: test.ad:[email protected]
<http://test.ad/>
<http://test.ad/> <http://test.ad/>
<http://TEST.AD <http://test.ad/>
<http://test.ad/> <http://test.ad/>>
serverName:
CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=test,DC=ad
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
Then I tried next step:
/usr/lib64/mozldap/ldapsearch -ZZ -P
/etc/dirsrv/slapd-XXXX-COM/cert8.db -h
windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>> -D
"CN=administrator,CN=users,DC=test,DC=ad" -w
"xxxxx" -s base
-b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
TLS/SSL error -8179 (Peer's Certificate
issuer is not
recognized.)
Please help me to fix this.....
This usually means the SSL server's CA cert is not
recognized.
What does this say:
certutil -d /etc/dirsrv/slapd-XXXX-COM -L
?
On Tue, Aug 17, 2010 at 2:02 PM, Shan
Kumaraswamy
<[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>
<mailto:[email protected]
<mailto:[email protected]> <mailto:[email protected]
<mailto:[email protected]>>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>>>
wrote:
Hi Rich,
After I did all the steps, I am getting
this error:
INFO:root:Added CA certificate
/etc/dirsrv/slapd-XXXX-COM/adcert.cer to
certificate
database for
tesipa001.test.com
<http://tesipa001.test.com/> <http://tesipa001.test.com/>
<http://tesipa001.test.com/>
<http://tesipa001.test.com/>
INFO:root:Restarted directory server
tesipa001.test.com <http://tesipa001.test.com/>
<http://tesipa001.test.com/>
<http://tesipa001.test.com/>
<http://tesipa001.test.com/>
INFO:root:Could not validate connection to
remote server
windows.test.ad:636
<http://windows.test.ad:636/>
<http://windows.test.ad:636/>
<http://windows.test.ad:636/>
<http://windows.test.ad:636/> - continuing
INFO:root:The error was: {'info':
'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify
failed',
'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
Windows PassSync entry exists, not resetting
password
INFO:root:Added new sync agreement,
waiting for
it to
become ready
. . .
INFO:root:Replication Update in progress:
FALSE:
status: 81 -
LDAP error: Can't contact LDAP server:
start: 0:
end: 0
INFO:root:Agreement is ready, starting
replication . . .
Starting replication, please wait until
this has
completed.
[saprhds001.bmibank.com
<http://saprhds001.bmibank.com/>
<http://saprhds001.bmibank.com/>
<http://saprhds001.bmibank.com/>
<http://saprhds001.bmibank.com/>] reports:
Update failed! Status: [81 - LDAP error:
Can't
contact
LDAP server]
INFO:root:Added agreement for other host
windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>
Please help me to fix this issue.
The syntex I used:
ipa-replica-manage add
--winsync
--binddn
CN=Administrator,CN=Users,DC=test,DC=com
--bindpw "password"
--cacert
/etc/dirsrv/slapd-TEST-COM/adcert.cer
windows.test.ad <http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/>
<http://windows.test.ad/> -v --passsync
"password"
On Mon, Aug 16, 2010 at
6:06 PM,
Rich Megginson
<[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>> <mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>> <mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>>> wrote:
Shan Kumaraswamy wrote:
Rich,
While installing IPA its creates its
won CA cert
right?
(cacert.p12),
Right.
and also I done the setep of
export this
CA file as
dsca.crt.
Right. You have to do that so that
AD can
be an SSL
client to
the IPA SSL server.
Please let me know steps to
generate the
IPA CA and
server
cert?
The other part is that you have to
install
the AD CA
cert in
IPA so that IPA can be the SSL client
to the
AD SSL server.
On Mon, Aug
16, 2010
at 5:41 PM, Rich Megginson
<[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>> <mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>> <mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>> <mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>
<mailto:[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>>>>
wrote:
Shan Kumaraswamy wrote:
Hi,
I have deployed FreeIPA
1.2.1 in
RHEL 5.5 and I
want to sync
with Active Directory (windows
2008 R2). Can
please
anyone
have step-by-step
configuration
doc and
share to me?
Previously I have done the
same
exercise,
but now
that is not
working for me and I am
facing lot of
challenges to
make this
happen.
Please find the steps what
exactly I done so
for:
1. Installed RHDS
8.1 and
FreeIPA
1.2.1 and
configured
properly and tested its
working fine
2. In AD side, installed
Active Directory
certificate
Server as a Enterprise Root
3. Copy the “cacert.p12”
file and
imported under
Certificates –Service (Active
Directory Domain
service) on
Local Computer using MMC.
4. Installed PasSync.msi
file and
given all
the required
information
5. Run the command
“certutil -d . -L
-n "CA
certificate"
-a > dsca.crt” from IPA server
and copied
the .crt
file in to
AD server and ran this command
from “cd
"C:\Program
Files\Red
Hat Directory Password
Synchronization"
6. certutil.exe -d . -N
7. certutil.exe -d .
-A -n
"DS CA cert" -t
CT,, -a -i
\path\to\dsca.crt
8. certutil.exe -d .
-L -n
"DS CA
cert" and
rebooted the
AD server.
After this steps, when try to
create sync
agreement
from IPA
server I am getting this
error:
ldap_simple_bind:
Can't
contact
LDAP server
SSL error -8179 (Peer's
Certificate
issuer
is not
recognized.)
Please share the steps to
configure AD Sync with
IPA server.
http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
But it looks as though there is a
step missing.
If you
use MS AD
CA to generate the AD cert,
and use
IPA to
generate the
IPA CA and
server cert, then you have to
import
the MS AD
CA cert
into IPA.
-- Thanks & Regards
Shan Kumaraswamy
-- Thanks & Regards
Shan Kumaraswamy
-- Thanks & Regards
Shan Kumaraswamy
-- Thanks & Regards
Shan Kumaraswamy
-- Thanks & Regards
Shan Kumaraswamy
-- Thanks & Regards
Shan Kumaraswamy
--
Thanks & Regards
Shan Kumaraswamy
--
Thanks & Regards
Shan Kumaraswamy
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
