I feel i am so close to solve this problem ..since long time .. if any 1 have clue where what i forgot ...

I changed password of cn=replication,cn=config

and now only i am getting error ----passsync log ----

10/14/08 17:24:19: Failed to load entries from file ##### I dont know Failed to load entires from FILE ( WHICH PassSync talking about ) ##### 10/14/08 17:26:41: Failed to load entries from file 10/14/08 17:26:41: PassSync service stopped 10/14/08 17:26:42: PassSync service started 10/14/08 17:26:42: Failed to load entries from file

---------------- /var/log/dir-serv/slapd-linux2/access

[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210 [14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4 [14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2 [14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config" [14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND [14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1 [14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210 [14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4 [14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND dn="cn=replication,cn=config" method=128 version=2 [14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config" [14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND [14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1

/var/log/dir-serv/slapd-linux2/errors NO ERRORs ..

On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani vipulramani@gmail.com wrote:

--- passyc log ---

10/14/08 17:05:56: Failed to load entries from file 10/14/08 17:05:56: Ldap bind error in Connect 48: Inappropriate authentication 10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords

---

ADC ( where passysnc installed ) #

On the Directory Server, export the server certificate using pk12util.

FDS# pk12util -d . -o servercert.pfx -n Server-Cert

then ,

Import the server certificate from the Directory Server into the new certificate databases using pk12util.exe.

pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx

then

Give trusted peer status to the server.

certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"

C:\Program Files (x86)\Red Hat Directory Password Synchronization>certutil.exe - L -d . -P CA certificate c,c,c Server-Cert Pu,Pu,Pu <-- imported from FDS

C:\Program Files (x86)\Red Hat Directory Password Synchronization>

still same error . ...

On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani vipulramani@gmail.comwrote:

...

Hi All ,

I am doing Active directory ----> FDS ( ssl) , all attribute is replicated from ADC ---> FDS .. But i am not able to see password attribute in FDS ?

Replication FDS - working as master Passync for replication

replication is happening from Active Directory:636 ---- > FDS : 636 .

Am i am missing something ...

------Adc user profile , which is replicated in FDS ------- dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com ntUniqueId: f96921fe188c4b47a243ab088512103d givenName: vipul sn: r objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetOrgPerson objectClass: ntUser uid: vramani ntUserDeleteAccount: true cn: vipul r ntUserDomainId: vramani ntUserAcctExpires: 9223372036854775807 ntUserCodePage: 0

---

----acess------

[14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass" [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 nentries=0 etime=1 [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass" [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 nentries=1 etime=0[14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" [14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0 etime=0[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101 nentries=1 etime=0 [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 nentries=0 etime=0[14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0 etime=0 [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass" [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 nentries=18 etime=0

---

thanks in Adv...

-- Regards

Vipul Ramani

Vipul Ramani wrote:

Any luck ??? any 1 one who had pass through same problem ...

Clueless no errors ( FDS , ADC ) only PassSync Error ..which is mentioned below ...

On Tue, Oct 14, 2008 at 5:26 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

I feel i am so close to solve this problem ..since long time .. if
any 1 have clue where what i forgot ...


I changed password of cn=replication,cn=config

and now only i am getting error
----passsync log ----

10/14/08 17:24:19: Failed to load entries from file      ##### I
dont know Failed to load entires from FILE  *( PassSync talking
about which file  ) *#####
10/14/08 17:26:41: Failed to load entries from file
10/14/08 17:26:41: PassSync service stopped
10/14/08 17:26:42: PassSync service started
10/14/08 17:26:42: Failed to load entries from file

I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).

----------------
  /var/log/dir-serv/slapd-linux2/access 


[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection
from 192.168.1.200 <http://192.168.1.200> to 192.168.1.210
<http://192.168.1.210>
[14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND
dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
[14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection
from 192.168.1.200 <http://192.168.1.200> to 192.168.1.210
<http://192.168.1.210>
[14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND
dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1

/var/log/dir-serv/slapd-linux2/errors   NO ERRORs ..

On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani
<vipulramani@gmail.com <mailto:vipulramani@gmail.com>> wrote:


    --- passyc log ---

    10/14/08 17:05:56: Failed to load entries from file
    10/14/08 17:05:56: Ldap bind error in Connect
        48: Inappropriate authentication
    10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords
    -----------------------------

    ADC ( where passysnc installed )  #

    On the Directory Server, export the server certificate using
    |pk12util|.

    FDS# pk12util -d . -o servercert.pfx -n Server-Cert


    then ,

    Import the server certificate from the Directory Server into
    the new certificate databases using p|k12util.exe|.

    pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx


    then

    Give trusted peer status to the server.

    certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M 
         -n Server-Cert -t "P,P,P"




    C:\Program Files (x86)\Red Hat Directory Password
    Synchronization>certutil.exe -
    L -d . -P
    CA certificate                                               c,c,c
    Server-Cert                                                 
    Pu,Pu,Pu   <-- imported from FDS

    C:\Program Files (x86)\Red Hat Directory Password Synchronization>
    ---------------------------

    still same error . ...





    On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani
    <vipulramani@gmail.com <mailto:vipulramani@gmail.com>> wrote:

        Hi All ,

        I am doing Active directory ----> FDS ( ssl) , all
        attribute is replicated from ADC ---> FDS .. But i am not
        able to see password attribute in FDS ?

        Replication
        FDS - working as master
        Passync for replication

         replication is happening from Active Directory:636 ---- >
        FDS : 636 .


        Am i am missing something ...

        ------Adc user profile , which is replicated in FDS -------
        dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com
        ntUniqueId: f96921fe188c4b47a243ab088512103d
        givenName: vipul
        sn: r
        objectClass: top
        objectClass: person
        objectClass: organizationalperson
        objectClass: inetOrgPerson
        objectClass: ntUser
        uid: vramani
        ntUserDeleteAccount: true
        cn: vipul r
        ntUserDomainId: vramani
        ntUserAcctExpires: 9223372036854775807
        ntUserCodePage: 0
        ------
        ----acess------


        [14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH
        base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0
        filter="(objectClass=*)" attrs=ALL
        [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0
        tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH
        base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1
        filter="(objectClass=*)" attrs="objectClass"
        [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0
        tag=101 nentries=0 etime=1
        [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH
        base="dc=tf-lab,dc=test,dc=com" scope=0
        filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:19
        -0700] conn=4 op=173 RESULT err=0 tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH
        base="dc=tf-lab,dc=test,dc=com" scope=1
        filter="(objectClass=*)" attrs="objectClass"
        [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0
        tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH
        base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0
        filter="(objectClass=*)" attrs=ALL
        [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0
        tag=101 nentries=1 etime=0[14/Oct/2008:08:37:26 -0700]
        conn=3 op=122 SRCH base="cn=replication,cn=config" scope=2
        filter="(objectClass=*)" attrs=ALL
        [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0
        tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD
        dn="cn=Vedant, cn=replica,
        cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree,
        cn=config" [14/Oct/2008:08:37:27 -0700] conn=3 op=124
        RESULT err=0 tag=103 nentries=0
        etime=0[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH
        base="cn=Vedant, cn=replica,
        cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree,
        cn=config" scope=0
        filter="(|(objectClass=*)(objectClass=ldapsubentry))"
        attrs="nsds5replicaLastUpdateStart
        nsds5replicaLastUpdateEnd
        nsds5replicaChangesSentSinceStartup
        nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress
        nsds5replicaLastInitStart nsds5replicaLastInitEnd
        nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
        [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0
        tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH
        base="cn=replication,cn=config" scope=2
        filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:31
        -0700] conn=3 op=126 RESULT err=0 tag=101 nentries=1 etime=0
        [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD
        dn="cn=Vedant, cn=replica,
        cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
        [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0
        tag=103 nentries=0 etime=0[14/Oct/2008:08:37:31 -0700]
        conn=3 op=128 MOD dn="cn=Vedant, cn=replica,
        cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
        [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0
        tag=103 nentries=0 etime=0
        [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH
        base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1
        filter="(objectClass=*)" attrs="objectClass"
        [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0
        tag=101 nentries=18 etime=0
        ------


        thanks in Adv...





    -- 
    Regards

    Vipul Ramani




-- 
Regards

Vipul Ramani

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Hi Rich ,

But i can login and changed the password of ADC users. :(

is there any other way to debug in to the deep ??? Kindly suggest i am ready ....

I don't know.

I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).

Regards Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

On Thu, Oct 16, 2008 at 10:10 AM, Eric Beda ebeda@udsm.ac.tz wrote:

Hi,

I've lost my directory server admin password, how do i recover it ?, so that i can manage the DS via GUI interface on the machine

If you mean the directory manager password check this link :

http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

If you remember the password of your directory manager password you can log with directory manager through the console and change the admin user under o=netscaperoot or you can perform the following :

$ slappasswd -v -c '$1$%.8s' -h {CRYPT} run the above command and supply your new password, then copy the output

Then issue ldapmodify command:

$ ldapmodify -x -h localhost -D"cn=Directory Manager" -W dn : uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot changetype: modify replace: userPassword userPassword: 'paste clipboard'

Help Please

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- Diaa Radwan

http://fossology.net

Vipul Ramani wrote:

I enabled logleve 8192 in error log of FDS

linux2.test2.com http://linux2.test2.com is FDS and LABDC01 is ADC

I created sync aggrement between LDAP:636 and ADC:636 , but in logs it shows still *ldap://linux2.test2.com:389 http://linux2.test2.com:389

---

That's just the "name" of the agreement not the actual protocol and port used to connect. It looks as though the code is successfully connecting to AD.

---- error of FDS ----

16/Oct/2008:07:33:15 -0700] - acquire_replica, supplier RUV is newer [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Cancelling linger on the connection [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101) [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: ready_to_acquire_replica -> sending_updates[16/Oct/2008:07:33:15 -0700] - csngen_adjust_time: gen state before 48f750ab0003:1224167595:0:0 [16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Consumer RUV: [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin

• agmt="cn=Vedant" (LABDC01:636): {replica 333

ldap://linux2.test2.com:389 http://linux2.test2.com:389} 48f3772f0000014d0000 48f74f7b0013014d0000 48f74f7b [16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" *(LABDC01:636)*): Supplier RUV:[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000 [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 *ldap://linux2.test2.com:389 http://linux2.test2.com:389*} 48f3772f0000014d0000 48f750ab0001014d0000 48f750ab [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - session start: anchorcsn=48f74f7b0013014d0000 [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - changelog program

• agmt="cn=Vedant" (LABDC01:636): CSN 48f74f7b0013014d0000 found

, position set for replay [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - load=1 rec=1 csn=48f750ab0001014d0000[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Looking at modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" (ours,user,not group) [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=vramani,ou=People, dc=tf-lab,dc=test2,dc=com" guid="f96921fe188c4b47a243ab088512103d" [16/Oct/2008:07:33:15 -0700] - Calling windows entry search request plugin[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the connection [16/Oct/2008:07:33:15 -0700] - windows_search_entry: recieved 2 messages, 1 entries, 0 references [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: return code 0 from search f or AD entry dn="<GUID=f96921fe188c4b47a243ab088512103d>" or dn="CN=vipul r,CN=Users,DC=tf-lab,DC=test2,DC=com" [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Processing modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" remote dn="<GUID=f96921fe188c4b47a243ab088512103d>" [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - clcache_load_buffer: rc=-30989

---

i see this *" Linger time out has expired the connection " *

16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the connection* [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer

Any any clue

That's normal. I don't see any errors here.

On Wed, Oct 15, 2008 at 2:15 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

Hi  Rich ,

But i can login and changed the password of ADC users.  :(

is there any other way to debug in to the deep ??? Kindly suggest
i am ready  ....


I'm not sure, but I think this means that there were no passwords
to sync from AD to Fedora DS. It keeps a queue of passwords to
send in a file (encrypted).







Regards
Vipul Ramani

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Hey Rich ,

Do really need *Password policy @ Active directory and Password policy @ FDS needs to be same .... is that i am missing ...

If you don't manually make them the same, then you run the risk that a password accepted on AD will be rejected on FDS, or vice versa.

On Thu, Oct 16, 2008 at 2:44 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

I enabled logleve 8192 in error log of FDS 

linux2.test2.com <http://linux2.test2.com> is FDS and  LABDC01 is ADC

I created sync aggrement between LDAP:636 and ADC:636 , but in
logs it shows still *ldap://linux2.test2.com:389
<http://linux2.test2.com:389> ---

---- error of FDS ----
*

16/Oct/2008:07:33:15 -0700] - acquire_replica, supplier RUV is newer
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): Cancelling linger on the connection
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
windows_acquire_replica returned success (101)
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): State: ready_to_acquire_replica ->
sending_updates[16/Oct/2008:07:33:15 -0700] - csngen_adjust_time:
gen state before 48f750ab0003:1224167595:0:0
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay
(agmt="cn=Vedant" (LABDC01:636)): Consumer RUV:
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): {replicageneration}
48f373b90000014d0000[16/Oct/2008:07:33:15 -0700]
NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica
333 ldap://linux2.test2.com:389 <http://linux2.test2.com:389>}
48f3772f0000014d0000 48f74f7b0013014d0000 48f74f7b
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay
(agmt="cn=Vedant" *(LABDC01:636)*): Supplier
RUV:[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): {replicageneration}
48f373b90000014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): {replica 333
*ldap://linux2.test2.com:389 <http://linux2.test2.com:389>*}
48f3772f0000014d0000 48f750ab0001014d0000 48f750ab
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) -
session start: anchorcsn=48f74f7b0013014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - changelog
program - agmt="cn=Vedant" (LABDC01:636): CSN 48f74f7b0013014d0000
found
, position set for replay
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) -
load=1 rec=1 csn=48f750ab0001014d0000[16/Oct/2008:07:33:15 -0700]
NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636):
windows_replay_update: Looking at modify operation
 local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com"
(ours,user,not group) [16/Oct/2008:07:33:15 -0700]
NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636):
map_entry_dn_outbound: looking for AD entry for DS
 dn="uid=vramani,ou=People, dc=tf-lab,dc=test2,dc=com"
guid="f96921fe188c4b47a243ab088512103d"
[16/Oct/2008:07:33:15 -0700] - Calling windows entry search
request plugin[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the
connection
[16/Oct/2008:07:33:15 -0700] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: return code
0 from search f
or AD entry dn="<GUID=f96921fe188c4b47a243ab088512103d>" or
dn="CN=vipul r,CN=Users,DC=tf-lab,DC=test2,DC=com"
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Processing
modify operation
 local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" remote
dn="<GUID=f96921fe188c4b47a243ab088512103d>"
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) -
clcache_load_buffer: rc=-30989


-----

i see this *" Linger time out has expired the connection " *

16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): State: sending_updates ->
wait_for_changes
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the
connection*
[16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin -
agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer


Any any clue



On Wed, Oct 15, 2008 at 2:15 PM, Vipul Ramani
<vipulramani@gmail.com <mailto:vipulramani@gmail.com>> wrote:



    Hi  Rich ,

    But i can login and changed the password of ADC users.  :(

    is there any other way to debug in to the deep ??? Kindly
    suggest i am ready  ....


    I'm not sure, but I think this means that there were no
    passwords to sync from AD to Fedora DS. It keeps a queue of
    passwords to send in a file (encrypted).







    Regards
    Vipul Ramani




-- 
Regards

Vipul Ramani

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Hi Rich ,

i have done setup from scratch ... again ...acutally this is my ( 9th time i am testing... )

for CA - i generated certification of requst from FDS and and that CSR is signed by ADC - CA . Then i installed @ CA @ FDS ..

------------ error -- ------------- NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's Certificate issuer is not recoginzed )

How did you install the MS CA cert into Fedora DS? certutil -L -d /etc/dirsrv/slapd-instancename

---

I have one question - I ADC it installted i think StandAlone CA - not Enterprise CA ( i am not Windows Admin and i dont know much about ADC ) ...

so , to work PassSYN - FDS CSR must be signed by *" Enterprise CA "* ???

*and Any tip how to do i check on win2003 ( x64 edition ) Enterprise CA is installed or not ???? ...

I've only used Enterprise CA, because if you do that, AD will automatically get an SSL server cert. Otherwise, I'm not sure how to configure AD to be an SSL server.

Note that we only provide a 32-bit binary for passsync. I have no idea if it will work on 64-bit Windows - we've never tested that.

The code is all open source though, and should be buildable with the free microsoft visual studio C++.

thanks in adv to all ... FDS users ...

Regards Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Hi Rich ,

I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.

certutil -L -d /etc/dirsrv/slapd-instancename

Vipul Ramani wrote:

Hi Rich ,



i have done setup from scratch ... again ...acutally this is my (
9th time i am testing... ) for CA - i generated certification of
requst from FDS and and that CSR is signed by ADC - CA . Then i
installed @ CA @ FDS ..

------------ error -- -------------


NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple
bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server
) , Netscape Portable Runtime error - 8179 ( Peer's Certificate
issuer is not recoginzed ) 

How did you install the MS CA cert into Fedora DS? certutil -L -d /etc/dirsrv/slapd-instancename

------------



I have one question - I ADC it installted i think StandAlone CA -
not Enterprise CA ( i am not Windows Admin and i dont know much
about ADC ) ...

so , to work PassSYN - FDS CSR must be signed by  *" Enterprise CA "* ???



*and Any tip how to do i check on win2003 ( x64 edition )
Enterprise CA is installed or not ???? ...

*

I've only used Enterprise CA, because if you do that, AD will automatically get an SSL server cert. Otherwise, I'm not sure how to configure AD to be an SSL server. Note that we only provide a 32-bit binary for passsync. I have no idea if it will work on 64-bit Windows

• we've never tested that. The code is all open source though, and

should be buildable with the free microsoft visual studio C++.

On Sun, Oct 19, 2008 at 10:21 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

Hi Rich ,

i have done setup from scratch ... again ...acutally this is my  (
9th time i am testing... ) 

for CA - i generated  certification of requst from FDS and and
that  CSR is signed by ADC - CA .  Then i installed @ CA @ FDS ..

------------ error -- -------------
 NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) :
simple bind failed , LDAP sdk error 91  ( Can't connect to the
LDAP server ) ,  Netscape Portable Runtime error - 8179  ( Peer's
Certificate issuer is not recoginzed )

------------

I have one question  -  I ADC it installted  i think StandAlone CA
- not Enterprise CA ( i am not Windows Admin and i dont know much
about ADC ) ...

so , to work PassSYN - FDS CSR must be signed by  *" Enterprise CA
"* ???

*and Any tip how to do i check on win2003 ( x64 edition ) 
Enterprise CA is installed or not ???? ...
*


thanks in adv to all ... FDS users ...

Regards
Vipul Ramani 

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Vipul Ramani wrote:

Hi Rich ,


I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.

certutil -L -d /etc/dirsrv/slapd-instancename

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname Trust Attributes

                                                         SSL,S/MIME,JAR/XPI

CA CTu,u,u Server-Cert u,u,u

linux2 CTu,u,u <-- this Cert is signed by ADC CA [root@linux2 ~]#

Which one is the MS CA cert? The MS CA cert is required.

And Sample profile which is replicated from ADC

dn: uid=vramani, ou=People, dc=tf-lab,dc=test2,dc=com

ntUniqueId: f6bcff406f334d46824236fc82f2b762 ntUserLastLogoff: 0 givenName: vipul sn: ramani ntUserParms:: bSAgICAgICAgICAgICAgICAgICAgIGQBICAgICAgICAgICAgICAgICAgICAgICA gUAQaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C

5EggBQ3R4U2hhZG9345Cw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44Sw objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetOrgPerson objectClass: ntUser uid: vramani

ntUserDeleteAccount: true cn: vipul ramani ntUserLastLogon: 128687513442500000 ntUserDomainId: vramani ntUserAcctExpires: 9223372036854775807 ntUserCodePage: 0

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Rich ,

i tell you how i did

https://localhosts/certsrv/ ---> download cert in DER form and imported in FDS console ...

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

CA CTu,u,u

What is this CA? certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"

Server-Cert u,u,u linux2 CTu,u,u <-- this Cert is signed by ADC CA

certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2" Make sure the subjectDN starts with cn=fqdn where fqdn is the FQDN of linux2

*labdc01 CT,, <---- MS CA Cert *

sorry i missed last line ... last email .

But no Luck ...

A good way to test TLS/SSL is to use ldapsearch: /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

If that works, then you have the CA installed correctly, and the AD server cert is correct.

On Mon, Oct 20, 2008 at 11:36 AM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

Vipul Ramani wrote:


    Hi Rich ,


    I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.



certutil -L -d /etc/dirsrv/slapd-instancename
[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname                                         Trust Attributes


                                                             SSL,S/MIME,JAR/XPI

CA                                                           CTu,u,u
Server-Cert                                                  u,u,u


linux2                                                       CTu,u,u  <-- this Cert is signed by ADC CA 
[root@linux2 ~]#


And Sample profile which is replicated from ADC 
dn: uid=vramani, ou=People, dc=tf-lab,dc=test2,dc=com

ntUniqueId: f6bcff406f334d46824236fc82f2b762
ntUserLastLogoff: 0
givenName: vipul
sn: ramani
ntUserParms:: bSAgICAgICAgICAgICAgICAgICAgIGQBICAgICAgICAgICAgICAgICAgICAgICA
 gUAQaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C


 5EggBQ3R4U2hhZG9345Cw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44Sw
objectClass: top objectClass: person objectClass:
organizationalperson objectClass: inetOrgPerson objectClass:
ntUser uid: vramani ntUserDeleteAccount: true
cn: vipul ramani
ntUserLastLogon: 128687513442500000
ntUserDomainId: vramani ntUserAcctExpires: 9223372036854775807
ntUserCodePage: 0

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

CA is self-signed generated certificate . by Linux2 it self.

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Certificate: Data: Version: 3 (0x2) Serial Number: 1000 (0x3e8) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "CN=CAcert" Validity: Not Before: Fri Oct 17 15:11:18 2008 Not After : Wed Oct 17 15:11:18 2018 Subject: "CN=CAcert" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: c8:40:4b:86:0b:70:3d:5d:6a:f6:f4:a5:86:e9:1c:98: d0:dd:19:31:e3:b8:18:3b:0a:c8:9f:83:33:98:cd:98: 54:83:9d:73:97:69:04:26:b8:75:4a:95:7e:ed:92:62: 51:2c:70:8a:a6:f2:a6:8b:b5:c6:53:d3:f8:cc:01:c9: e8:78:55:1f:69:e3:c4:5c:5e:e8:a6:bf:dc:53:ac:a6: ce:75:14:98:2f:a7:c0:da:ae:be:5d:91:e6:f2:96:84: 02:a0:ec:df:e4:de:91:25:2d:65:d8:bd:79:3d:07:ea: 8c:9f:9e:5b:ee:04:a3:18:2e:98:c6:ab:15:a1:d5:d9 Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: 55:bd:f2:f7:37:e5:60:e0:87:20:a7:d7:69:b2:eb:79: e6:98:7e:72:f1:b1:dc:11:08:94:fd:c3:56:a8:14:37: 2b:1b:cd:bc:05:3d:54:45:73:7f:b2:dc:f8:f1:f4:44: 61:25:54:c6:e2:c2:68:1f:d7:cc:d3:37:16:37:98:b8: 37:c3:7e:49:48:12:58:17:26:fe:87:bc:d4:ef:ee:6b: 5d:35:1f:1f:72:a5:5e:6b:b7:94:e6:c3:63:7c:2a:24: 4c:43:39:cd:74:7b:56:08:15:f9:85:3f:ed:c9:ba:01: 88:d0:90:84:1d:e6:0e:84:7f:83:8e:bf:9e:9a:b2:a3 Fingerprint (MD5): 2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C Fingerprint (SHA1): 06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E

Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        User
        Trusted Client CA
    Email Flags:
        User
    Object Signing Flags:
        User

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Certificate: Data: Version: 3 (0x2) Serial Number: 14:fc:4e:02:00:00:00:00:00:16 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com" Validity: Not Before: Fri Oct 17 23:35:13 2008 Not After : Sun Oct 17 23:35:13 2010 Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C =US"

This is not correct. instead of CN=linux2, you should have CN=linux2.tf-lab.test2.com or whatever your domain is. Although I don't think this is the cause of the failure to connect.

    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                da:db:9b:d8:c2:aa:42:4e:85:69:b2:0a:19:46:87:2d:
                67:e6:4b:9b:4d:97:96:6a:e3:bf:90:c2:ab:a7:0d:17:
                --removed-some-part---
                24:72:dc:18:5c:7e:1a:16:b3:bd:38:1b:0a:0f:a6:48:
                ae:4e:ef:5a:eb:cd:12:6f:5e:16:8f:6c:ce:ff:fa:71
            Exponent: 65537 (0x10001)
    Signed Extensions:
        Name: Certificate Subject Key ID
        Data:
            75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
            c0:b2:4f:d3

        Name: Certificate Authority Key Identifier
        Key ID:
            83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
            11:9e:ec:f9

        Name: CRL Distribution Points
        URI: 

"ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Serv ices,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,D

C=com?certificateRevocationList?base?objectClass=cRLDistribut ionPoint" URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.c rl"

        Name: Authority Information Access
        Method: PKIX CA issuers access method
        Location:
            URI: 

"ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN =Services,CN=Configuration,DC=tf-lab,DC=test2,DC=c

om?cACertificate?base?objectClass=certificationAuthority" Method: PKIX CA issuers access method Location: URI: "*http://labdc01.tf-lab.test2.com*/CertEnroll/labdc 01.tf-lab.test2.com_labdc01.crt"

        Name: Microsoft Enrollment Cert Type Extension
        Data: "WebServer"

        Name: Certificate Basic Constraints
        Critical: True
        Data: Is not a CA.

        Name: Certificate Key Usage
        Usages: Digital Signature
                Key Encipherment

        Name: Extended Key Usage
            TLS Web Server Authentication Certificate

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
    0b:f7:2f:25:e5:99:aa:27:59:5d:76:96:5a:64:0b:a7:
    91:7d:48:49:fd:a8:46:db:cc:39:7b:97:34:94:3c:0c:
    7c:fe:4d:f7:99:5e:da:a6:7d:53:5c:36:ba:ed:a7:05:
    60:04:2a:76:6e:02:75:a0:1c:59:bd:ad:82:db:fc:61:
    --removed some--part--
    6d:11:23:4c:77:60:18:ec:fd:47:63:72:d3:00:ee:04:
    c2:01:3a:d8:dc:f1:4b:55:c5:7a:39:09:83:9b:09:bd:
    65:64:4c:6f:8d:19:86:94:95:76:1b:07:08:ad:03:70
Fingerprint (MD5):
    BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
Fingerprint (SHA1):
    89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA

Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        User
        Trusted Client CA
    Email Flags:
        User
    Object Signing Flags:
        User

*| /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*" *

Sorry, try /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2/cert8.db -3 -s base -b "" "objectclass=*"

*When i do this i am getting cordump ... :(( *

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

i think we are head to solutions ...

do i need to re-install certificate in passync again ??? after we install new CSR with FQDN ... ???

No, at least, not yet. The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN.

Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?

root@linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h labdc01.tf-lab.test2.com http://labdc01.tf-lab.test2.com -p 636 -Z -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" "objectclass=*" ldapsearch: started Mon Oct 20 06:18:20 2008

ldap_init( labdc01.tf-lab.test2.com http://labdc01.tf-lab.test2.com, 636 ) ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db ldaptool_getmodpath -- (null) ldaptool_getdonglefilename -- (null) filter pattern: objectclass=* returning: ALL filter is: (objectclass=*) version: 1 dn: currentTime: 20081020202134.0Z subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=tf-lab,DC=tribal fusion,DC=com dsServiceName: CN=NTDS Settings,CN=LABDC01,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com namingContexts: DC=tf-lab,DC=test2,DC=com namingContexts: CN=Configuration,DC=tf-lab,DC=test2,DC=com namingContexts: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com namingContexts: DC=DomainDnsZones,DC=tf-lab,DC=test2,DC=com namingContexts: DC=ForestDnsZones,DC=tf-lab,DC=test2,DC=com defaultNamingContext: DC=tf-lab,DC=test2,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=c om configurationNamingContext: CN=Configuration,DC=tf-lab,DC=test2,DC=com rootDomainNamingContext: DC=tf-lab,DC=test2,DC=com supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.840.113556.1.4.801 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 1.2.840.113556.1.4.528 supportedControl: 1.2.840.113556.1.4.417 supportedControl: 1.2.840.113556.1.4.619 supportedControl: 1.2.840.113556.1.4.841 supportedControl: 1.2.840.113556.1.4.529 supportedControl: 1.2.840.113556.1.4.805 supportedControl: 1.2.840.113556.1.4.521 supportedControl: 1.2.840.113556.1.4.1948 supportedLDAPVersion: 3 supportedLDAPVersion: 2 supportedLDAPPolicies: MaxPoolThreads supportedLDAPPolicies: MaxDatagramRecv supportedLDAPPolicies: MaxReceiveBuffer supportedLDAPPolicies: InitRecvTimeout supportedLDAPPolicies: MaxConnections supportedLDAPPolicies: MaxConnIdleTime supportedLDAPPolicies: MaxPageSize supportedLDAPPolicies: MaxQueryDuration supportedLDAPPolicies: MaxTempTableSize supportedLDAPPolicies: MaxResultSetSize supportedLDAPPolicies: MaxNotificationPerConn supportedLDAPPolicies: MaxValRange highestCommittedUSN: 90680 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: GSS-SPNEGO supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5 dnsHostName: labdc01.tf-lab.test2.com http://labdc01.tf-lab.test2.com ldapServiceName: tf-lab.test2.com:labdc01$@TF-LAB.TEST2.COM http://TF-LAB.TEST2.COM serverName: CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com supportedCapabilities: 1.2.840.113556.1.4.800 supportedCapabilities: 1.2.840.113556.1.4.1670 supportedCapabilities: 1.2.840.113556.1.4.1791 isSynchronized: TRUE isGlobalCatalogReady: TRUE domainFunctionality: 0 forestFunctionality: 0 domainControllerFunctionality: 2

root@linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors [root@linux2 slapd-linux2]#

On Mon, Oct 20, 2008 at 12:07 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

CA is self-signed generated certificate . by Linux2 it self.


[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"


Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=CAcert"
        Validity:
            Not Before: Fri Oct 17 15:11:18 2008
            Not After : Wed Oct 17 15:11:18 2018
        Subject: "CN=CAcert"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c8:40:4b:86:0b:70:3d:5d:6a:f6:f4:a5:86:e9:1c:98:
                    d0:dd:19:31:e3:b8:18:3b:0a:c8:9f:83:33:98:cd:98:
                    54:83:9d:73:97:69:04:26:b8:75:4a:95:7e:ed:92:62:
                    51:2c:70:8a:a6:f2:a6:8b:b5:c6:53:d3:f8:cc:01:c9:
                    e8:78:55:1f:69:e3:c4:5c:5e:e8:a6:bf:dc:53:ac:a6:
                    ce:75:14:98:2f:a7:c0:da:ae:be:5d:91:e6:f2:96:84:
                    02:a0:ec:df:e4:de:91:25:2d:65:d8:bd:79:3d:07:ea:
                    8c:9f:9e:5b:ee:04:a3:18:2e:98:c6:ab:15:a1:d5:d9
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        55:bd:f2:f7:37:e5:60:e0:87:20:a7:d7:69:b2:eb:79:
        e6:98:7e:72:f1:b1:dc:11:08:94:fd:c3:56:a8:14:37:
        2b:1b:cd:bc:05:3d:54:45:73:7f:b2:dc:f8:f1:f4:44:
        61:25:54:c6:e2:c2:68:1f:d7:cc:d3:37:16:37:98:b8:
        37:c3:7e:49:48:12:58:17:26:fe:87:bc:d4:ef:ee:6b:
        5d:35:1f:1f:72:a5:5e:6b:b7:94:e6:c3:63:7c:2a:24:
        4c:43:39:cd:74:7b:56:08:15:f9:85:3f:ed:c9:ba:01:
        88:d0:90:84:1d:e6:0e:84:7f:83:8e:bf:9e:9a:b2:a3
    Fingerprint (MD5):
        2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C
    Fingerprint (SHA1):
        06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"


Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:fc:4e:02:00:00:00:00:00:16
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
        Validity:
            Not Before: Fri Oct 17 23:35:13 2008
            Not After : Sun Oct 17 23:35:13 2010
        Subject:
"CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C
            =US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    da:db:9b:d8:c2:aa:42:4e:85:69:b2:0a:19:46:87:2d:
                    67:e6:4b:9b:4d:97:96:6a:e3:bf:90:c2:ab:a7:0d:17:
                    --removed-some-part---
                    24:72:dc:18:5c:7e:1a:16:b3:bd:38:1b:0a:0f:a6:48:
                    ae:4e:ef:5a:eb:cd:12:6f:5e:16:8f:6c:ce:ff:fa:71
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
                c0:b2:4f:d3

            Name: Certificate Authority Key Identifier
            Key ID:
                83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
                11:9e:ec:f9

            Name: CRL Distribution Points
            URI:
"ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Serv
                ices,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,D

C=com?certificateRevocationList?base?objectClass=cRLDistribut
                ionPoint"
            URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.c
                rl"

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location:
                URI:
"ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN
                    =Services,CN=Configuration,DC=tf-lab,DC=test2,DC=c

om?cACertificate?base?objectClass=certificationAuthority"
            Method: PKIX CA issuers access method
            Location:
                URI:
"*http://labdc01.tf-lab.test2.com*/CertEnroll/labdc
                    01.tf-lab.test2.com_labdc01.crt"

            Name: Microsoft Enrollment Cert Type Extension
            Data: "WebServer"

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        0b:f7:2f:25:e5:99:aa:27:59:5d:76:96:5a:64:0b:a7:
        91:7d:48:49:fd:a8:46:db:cc:39:7b:97:34:94:3c:0c:
        7c:fe:4d:f7:99:5e:da:a6:7d:53:5c:36:ba:ed:a7:05:
        60:04:2a:76:6e:02:75:a0:1c:59:bd:ad:82:db:fc:61:
        --removed some--part--
        6d:11:23:4c:77:60:18:ec:fd:47:63:72:d3:00:ee:04:
        c2:01:3a:d8:dc:f1:4b:55:c5:7a:39:09:83:9b:09:bd:
        65:64:4c:6f:8d:19:86:94:95:76:1b:07:08:ad:03:70
    Fingerprint (MD5):
        BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
    Fingerprint (SHA1):
        89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User




*| /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P
/etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*" *

*When i do this i am getting cordump ...  :((  *

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

HI Rich

The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com http://labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN. Is

in winsync Aggreement i used FQDN ...

/etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?

Yes you are right it is sym link. /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db ....

The original error is this: https://www.redhat.com/archives/fedora-directory-users/2008-October/msg00056... NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's Certificate issuer is not recoginzed )

That usually means that Fedora DS cannot verify the AD SSL server cert. This is usually because Fedora DS doesn't have or trust the CA cert of the CA that issued the AD SSL cert. The Peer in this case is the AD SSL server, the issuer is the CA that issued the AD SSL server cert. I'm not sure what the problem could be.

Regards Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

look new error ...

20/Oct/2008:06:36:22 -0700] conn=4 op=92 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test2,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" [20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0 [20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 http://192.168.1.200 to 192.168.1.210 http://192.168.1.210 *[20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate*. [20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 http://192.168.1.200 to 192.168.1.210 http://192.168.1.210 *[20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.*

I'm not sure what this means - are you trying to use SSL client cert auth or simple bind?

[20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL [20/Oct/2008:06:44:34 -0700] conn=5 op=111 RESULT err=0 tag=101 nentries=1 etime=0 [20/Oct/2008:06:44:35 -0

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Yes i am using simple authentication . NOT SSL based client auth ..

I don't understand why you're getting the peer cert error then. Try enabling the replication log level - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting - to get some more detail about the bind procedure

Any plans for PassSyn Support for 64 - bit OS ???

No. No plans currently.

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

already enabled 8192 log-level !!! ...

And what does it mean 640-bit does not supported - does mean FDS community wont be able to support or PassSyn not work at all !!! Can you please explain ...

That means we don't have a 64-bit Windows development environment with which to develop and test 64-bit winsync. AFAIK, the code is 64-bit clean - it just needs to be built and tested.

do u know any other piece of code which will replace PassSync and i can come out of this 64-bit limitation ???

No, not that I know of.

On Mon, Oct 20, 2008 at 4:01 PM, Vipul Ramani <vipulramani@gmail.com mailto:vipulramani@gmail.com> wrote:

Yes i am using simple authentication  .  NOT SSL based client auth ..

Any plans for PassSyn Support for 64 - bit OS ???










-- 
Regards

Vipul Ramani

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Vipul Ramani wrote:

Rich,

Any Luck ?? What to do now ..

I'm not sure. It seems like some sort of SSL cert issuance or CA trust issue.

is it possible to build 64-bit PassSync - i wish to use it ....

Yes, it is possible for you to build it.

-- Regards

Vipul Ramani

---

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Rich ,

do you think this is problem due to password policy ?? - but if we disable password policy on FDS . It must copied data right ??? or it will failed .. ?? what do you say ...

Yes - we are getting error relatd to CA related .... [ it does not say anything about password policy related .... ]

Can we do initial winsync replication without same password policy @ ADC and @ FDS ?? - i guess it should - reason it is simple replication.

what is your view ???

As per document if password policy does not same @ FDS AND @ ADC , then if any password changed on ADC it wont replicated to FDS right .... ?