Thanks, that's exactly what I was following. Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates setup (or so I thought...) I'll read through that documentation you posted and see if I can sort it out. Thanks, Dan PS NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.) John A. Sullivan III wrote: > On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: >> Hi all, >> >> I'm trying to setup replication over ssl and am running into problems. I >> first tried it unencrypted and all worked fine. I then copied over the >> consumer's CA certificate and set up replication with SSL and Simple >> Authentication. It doesn't work and I now get the following errors: >> >> When I set it up: >> supplier error log: >> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >> server), Netscape Portable Runtime error -5938 (Encountered end of file.) >> >> these appear thereafter: >> consumer access log: >> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >> 10.1.1.100 to 10.1.1.101 >> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >> (Protocol error) - B1 >> >> consumer error log: >> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag >> 0x80, expected 0x30) >> >> Versions: >> Supplier: >> fedora-ds-1.1.2-1.fc6 >> fedora-ds-dsgw-1.1.1-1.fc6 >> fedora-ds-base-1.1.3-2.fc6 >> fedora-ds-admin-1.1.6-1.fc6 >> fedora-ds-admin-console-1.1.2-1.fc6 >> fedora-ds-console-1.1.2-1.fc6 >> >> Consumer: >> fedora-ds-admin-1.1.7-3.fc6 >> fedora-ds-admin-console-1.1.3-1.fc6 >> fedora-ds-base-1.2.0-2.fc6 >> fedora-ds-dsgw-1.1.2-1.fc6 >> fedora-ds-console-1.2.0-1.fc6 >> fedora-ds-1.1.3-1.fc6 >> >> I'm at a loss as to how to proceed with troubleshooting and would >> appreciate any suggestions. >> >> Thanks, >> Dan Weintraub > <snip> > Hi, Dan. Here is a snippet from our internal documentation. I apologize > that I don't have time to customize it or analyze your issue more deeply > but perhaps our findings will help you in your environment. Given > Rich's comment, I wonder if you were stung by the same error in > documentation we noted below: > > Go back to the centos-idm-console on ldap1 > Go to the Configuration tab, select the userRoot under the > Replication > object in the left panel. Left/right client and choose New > Replication > Agreement > The name is "mycompany.com ldap1->ldap2" and the Description is > "Replicates mycompany.com from ldap1 to ldap2". Click Next. > Set the Consumer to ldap2.mycompany.com:389 from the drop down > box (389 is correct even though we are really using 636) - Oops! > That is not true despite what the documentation says. Click > other and create a new entry for ldap2.mycompany.com on port > 636. > Enable the SSL connection. > Enter cn=repuser,cn=config for the Bind As and enter the > password. > Click Next and then Next again. > We will always keep directories in sync so click Next again. > Choose Initialize Consumer Now and click Next > Click Done > > If you need more details, e.g., about how we set up SSL, I posted most > of our internal procedure a day or two ago on this mailing list in > response to a post entitled "Developting a CentOS-DS setup". You can > find much more detail there. > > Good luck - John
