Safonov Alexey wrote:
Thanks Richard!

Now I start it like this:
[EMAIL PROTECTED] bin]# ./ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -K
/opt/fedora-ds/alias/slapd-asterisk1-key3.db  -h
rv-vm1.mup-example.vrn.ru  -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w mupAdmin02 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*" -v

Also I receive an error:

ldapsearch: started Fri Jul 28 16:21:39 2006

ldap_init( srv-vm1.mup-example.vrn.ru, 636 )
ldaptool_getcertpath -- /opt/fedora-ds/alias/slapd-asterisk1-cert8.db
ldaptool_getkeypath -- /opt/fedora-ds/alias/slapd-asterisk1-key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
        SSL error -8156 (Issuer certificate is invalid.)

Though the certificate ad-cert (from the Windows DC) is installed; the utility
certutil and the Fedora Management Console (Manage Certificates) show it.
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C

Help me!
Is ad-cert the certificate of the AD server or the certificate of the CA that issued the AD cert? An SSL client only needs to trust the CA cert of the issuer of the server certs it wants to use.
Safonov Alexey

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Richard
Megginson
Sent: Thursday, July 27, 2006 7:36 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Error at work of the utility
ldapsearch.


Safonov Alexey wrote:
Hi !

I ask for help solving a problem with the utility ldapsearch.

There is a problem carrying out synchronization between FDS and AD. I have done the
following:
1) Install FDS
2) Configuring SSL Enabled FDS. For this purpose has started script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restart FDS.
   netstat -atupn | grep ns-
tcp  0      0 :::389         :::*       LISTEN      6039/ns-slapd
tcp  0      0 :::636         :::*       LISTEN      6039/ns-slapd
4) Enable SSL on AD.
Install Certificate Service
Check util ldp.exe:
Connected param: Server- srv-vm1.mup-example.vrn.ru
                 Port  - 636
                 Checkbox "SSL"
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
.....
5) Import AD CA certificate in DER mode.
6) Copy, convert (PEM) and install AD CA certificate in FDS. Check:
[EMAIL PROTECTED] alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
slapd-asterisk1-
CA certificate                         CTu,u,u
server-cert                            u,u,u
Server-Cert                            u,u,u
ad-cert                                CT,C,C <- install this

6) [EMAIL PROTECTED] alias]# ldapsearch -Z -P
/opt/fedora-ds/alias/slapd-asterisk1-cert8.db -h
rv-vm1.mup-example.vrn.ru  -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"

That's /usr/bin/ldapsearch, which is openldap ldapsearch, which uses
openssl for crypto, which is completely different than NSS.  You need to
use the ldapsearch in /opt/fedora-ds/shared/bin e.g.
cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
Error:
ldapsearch: unabel to parse protocol version
"/opt/fedora-ds/alias/slapd-asterisk1-cert8.db"

Help me!
Thanks

------------------------------------------------------
My Setup:

Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
------------------------------------------------------

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users



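As an added example (not code from this thread or from the Fedora Directory Server project), the following Python script decodes the NSS trust flags in the certutil -L listing quoted above and lists which nicknames NSS would accept as the issuer of a server certificate, which is what SSL error -8156 (issuer certificate is invalid) is about. It assumes Python 3 with the standard library only; the sample listing is copied from the thread.

```python
"""Decode NSS trust flags from `certutil -L` output to see which nicknames
NSS will accept as the issuer of an SSL server certificate.

Added example for this thread; assumes Python 3 and the standard library.
CERTUTIL_OUTPUT below is copied from the certutil listing quoted above."""
import re

# Meaning of each NSS trust-flag letter (the same letters are used in all
# three slots: SSL, Email, Object signing).
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (end-entity cert trusted directly)",
    "c": "valid CA",
    "C": "trusted CA for issuing server certs",
    "T": "trusted CA for issuing client certs",
    "u": "user cert (private key is in the key DB)",
}

# "<nickname>   <ssl>,<email>,<objsign>"; the nickname may contain single spaces.
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)$")

CERTUTIL_OUTPUT = """\
CA certificate                 CTu,u,u
server-cert                    u,u,u
Server-Cert                    u,u,u
ad-cert                        CT,C,C
"""

def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, email_flags, objsign_flags)}."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs

def ssl_trusted_cas(certs):
    """Nicknames NSS treats as trusted issuers of SSL server certs (C in SSL slot)."""
    return sorted(nick for nick, (ssl, _, _) in certs.items() if "C" in ssl)

def explain_ssl_trust(certs):
    """Map nickname -> list of meanings of its SSL-slot flags."""
    return {nick: [FLAG_MEANING[ch] for ch in ssl] for nick, (ssl, _, _) in certs.items()}

if __name__ == "__main__":
    certs = parse_certutil_list(CERTUTIL_OUTPUT)
    for nick, meanings in explain_ssl_trust(certs).items():
        print(f"{nick}: {', '.join(meanings)}")
    # Error -8156 means the server cert's issuer is not one of these:
    print("SSL-trusted issuers:", ssl_trusted_cas(certs))
```

If the issuer of the AD server's certificate is not among the nicknames printed last, importing the server certificate itself with CA flags does not replace the missing CA certificate.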
