
Failed replicating to Active Directory



Thanks everyone for the useful responses. I've documented this topic here:
http://www.harrysufehmi.com/phpwiki/index.php/OpenLDAPinteroperability#ol-to-ad

However, I still have one problem with it - slurpd failed to replicate with the following error message:

"TLS certificate verification: Error, unable to get local issuer certificate"

More details are attached to this post.

The following are the relevant parts of my slapd.conf:
=======================
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /etc/keys/openldap1-server-crt.pem
TLSCertificateKeyFile   /etc/keys/private/openldap1-server-key.pem
TLSCACertificateFile    /etc/keys/cacert.pem
TLSVerifyClient allow

replica         uri=ldaps://10.11.20.13:636
                binddn="cn=administrator,cn=users,dc=bcc,dc=test"
                bindmethod=sasl saslmech=GSSAPI
replogfile      /usr/local/openldap/var/openldap-replog
=======================

The CA certificate is in /etc/keys/cacert.pem, with 644 permissions.

According to various sources on the Internet, that error message means that slurpd wasn't able to find the CA certificate.
However:
# it's in the right location
# it's got the right permission
# I'm quite sure that it's the right certificate extracted from the Certificate Authority


I'm fresh out of ideas at the moment, so I'd really appreciate it if anyone can throw some more clues in my direction.

Thanks in advance.


cheers, Harry

=======================
output of: slurpd -d 65535 -o -r

Config: ** configuration file successfully read and parsed
Config: (pidfile /usr/local/openldap/var/run/slapd.pid)
Config: (argsfile /usr/local/openldap/var/run/slapd.args)
Config: (TLSCipherSuite HIGH:MEDIUM:+SSLv3)
Config: (TLSCertificateFile /etc/keys/openldap1-server-crt.pem)
Config: (TLSCertificateKeyFile /etc/keys/private/openldap1-server-key.pem)
Config: (TLSCACertificateFile /etc/keys/cacert.pem)
Config: (TLSVerifyClient allow)
Config: (allow bind_v2)
Config: (database bdb)
Config: (suffix "o=airius.com")
Config: (rootdn "cn=admin, o=Airius.com")
Config: (directory /usr/local/openldap/var/testdata)
Config: (index objectClass eq)
Config: (database bdb)
Config: (suffix "dc=bcc,dc=test")
Config: (rootdn "cn=administrator,cn=users,dc=bcc,dc=test")
Config: (directory /usr/local/openldap/var/adtest-data)
Config: (index objectClass eq)
Config: (replica uri=ldaps://10.11.20.13:636 binddn="cn=administrator,cn=users,dc=bcc,dc=test" bindmethod=sasl saslmech=GSSAPI )
ldap_url_parse_ext(ldaps://10.11.20.13:636)
Config: ** successfully added replica "10.11.20.13:636"
Config: (replogfile /usr/local/openldap/var/replog-bcc-test)
Config: (database bdb)
Config: (suffix "dc=testlab,dc=pri")
Config: (rootdn "cn=admin,dc=testlab,dc=pri")
Config: (directory /usr/local/openldap/var/openldap-data)
Config: (index objectClass eq)
Config: ** configuration file successfully read and parsed
Processing in one-shot mode:
1 total replication records in file,
1 replication records to process.
begin replication thread for 10.11.20.13:636
Initializing session to ldaps://10.11.20.13:636
ldap_create
ldap_url_parse_ext(ldaps://10.11.20.13:636)
bind to 10.11.20.13 as - via GSSAPI (SASL)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 10.11.20.13:636
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 10.11.20.13:636
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
0000: 80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00 ......c... ..9..
<<<----- hex output deleted ------>>>
0080: ff a0 3f 8c cc 48 9c e0 d0 14 31 84 3a e4 ..?..H....1.:.


TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 0f a3 02 00                               .......
tls_read: want=4001, got=4001

0000: 00 46 03 01 41 9c a5 55 29 b7 c8 07 c4 b3 3b c2 .F..A..U).....;.
<<<----- hex output deleted ------>>>
0f90: 62 65 72 54 72 75 73 74 20 52 6f 6f 74 0e 00 00 berTrust Root...
0fa0: 00 .


TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=open-pri-dc.bcc.test, issuer: /emailAddress=harry_sufehmi@mydomain.com/C=US/ST=Midlands/L=Nham/O=BCC/OU=Testlab/CN=Testlab BCC
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0


TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: LDAP SASL for 10.11.20.13:636 failed: Can't contact LDAP server
ldap_unbind
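The depth-0 line in the trace above carries the two facts needed to diagnose this: the verify error code (err: 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the same "unable to get local issuer certificate" text printed next) and the issuer DN of the certificate the domain controller presented. The script below is an added example, not code from the original post or from OpenLDAP: it builds throwaway certificates (a CA named "Testlab BCC", a server certificate for open-pri-dc.bcc.test signed by it, and an unrelated CA) and runs the two checks a practitioner would run against the real files, comparing the CA file's subject with the server certificate's issuer, and doing a full openssl verify, to show what a right and a wrong CA file look like. The CA names, the working directory and the use of the openssl command-line tool are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL verify error 20,
# "unable to get local issuer certificate", with throwaway certificates, and
# show the two checks that tell a right CA file from a wrong one.
# Constructed test data: CA "Testlab BCC" (the issuer name seen in the log),
# a server cert for open-pri-dc.bcc.test signed by it, and an unrelated CA.
# Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca CN BASENAME: self-signed CA certificate and key under $WORK
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=BCC/OU=Testlab/CN=$1" \
        -keyout "$WORK/$2-key.pem" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# mk_server_cert CN CA_BASENAME: server certificate for CN signed by that CA
mk_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2-key.pem" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Check 1: does the CA file's subject equal the server cert's issuer DN?
# This is the same comparison as reading the "issuer:" part of the
# "TLS certificate verification: depth: 0" log line against
#   openssl x509 -in /etc/keys/cacert.pem -noout -subject
# issuer_matches SERVER_PEM CA_PEM -> exit status 0 when they match
issuer_matches() {
    iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# Check 2: full chain verification, as OpenSSL does inside the TLS handshake.
# verify_against SERVER_PEM CA_PEM prints "ok" or "<errcode> <reason>",
# e.g. "20 unable to get local issuer certificate" (the err: 20 in the log).
verify_against() {
    if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup:* *\(.*\)/\1 \2/p' |
            head -n 1
    fi
}

# Build the constructed material and run both checks against each CA file.
mk_ca "Testlab BCC" testca
mk_ca "Other CA"    otherca
mk_server_cert open-pri-dc.bcc.test testca

for ca in testca otherca; do
    if issuer_matches "$WORK/server.pem" "$WORK/$ca.pem"; then m=yes; else m=no; fi
    printf '%-8s issuer-name match: %-3s  openssl verify: %s\n' \
        "$ca" "$m" "$(verify_against "$WORK/server.pem" "$WORK/$ca.pem")"
done
```

Against the real hosts the same two checks are: compare the output of `openssl x509 -in /etc/keys/cacert.pem -noout -subject` with the issuer DN in the depth-0 log line, and run `openssl s_client -connect 10.11.20.13:636 -CAfile /etc/keys/cacert.pem -showcerts` to see every certificate the domain controller actually sends and the verify return code OpenSSL assigns to it. If the DC's certificate was issued by an intermediate CA rather than directly by the root, the file handed to OpenSSL has to contain that intermediate as well, or depth 0 fails with the same error 20. A further check, since slurpd connects as an ordinary libldap client: `LDAPTLS_CACERT=/etc/keys/cacert.pem ldapsearch -H ldaps://10.11.20.13:636 ...` uses the same CA file through libldap's own client-side setting (the `TLS_CACERT` directive of ldap.conf), so a successful bind there shows the certificate itself is right and narrows the problem to which configuration slurpd's client side is reading.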