hi,

Dan Weintraub wrote:
> Thanks, that's exactly what I was following. Now that I've got the
> port corrected I'm getting a certificate error despite having the
> correct certificates setup (or so I thought...) I'll read through that
> documentation you posted and see if I can sort it out.
>
> Thanks,
> Dan
>
> PS
> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
> Runtime error -8172
> (Peer's certificate issuer has been marked as not trusted by the user.)
>

Can you post the output of the command:

# certutil -L -d /path/of/directory/where/is/the/certificate/

The directory where the certificate is has 2 files: key3.db and cert8.db.

For example, on my server the output is:

# certutil -L -d /etc/dirsrv/slapd-aragon/

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CNRS2-Standard                                CT,C,C
aragon.dr15.cnrs.fr Cert                      u,u,u
CNRS-Standard                                 CT,C,C
CNRS                                          CT,C,C
CNRS2                                         CT,C,C

I suppose (it's a hypothesis) that your certificate doesn't have the tag
u,u,u or something like this, or the CA can't trust the certificate.

> John A. Sullivan III wrote:
>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
>>> Hi all,
>>>
>>> I'm trying to setup replication over ssl and am running into
>>> problems. I first tried it unencrypted and all worked fine. I then
>>> copied over the consumer's CA certificate and set up replication with
>>> SSL and Simple Authentication. It doesn't work and I now get the
>>> following errors:
>>>
>>> When I set it up:
>>> supplier error log:
>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
>>> server), Netscape Portable Runtime error -5938 (Encountered end of
>>> file.)
>>>
>>> these appear thereafter:
>>> consumer access log:
>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
>>> 10.1.1.100 to 10.1.1.101
>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
>>> (Protocol error) - B1
>>>
>>> consumer error log:
>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message
>>> (tag 0x80, expected 0x30)
>>>
>>> Versions:
>>> Supplier:
>>> fedora-ds-1.1.2-1.fc6
>>> fedora-ds-dsgw-1.1.1-1.fc6
>>> fedora-ds-base-1.1.3-2.fc6
>>> fedora-ds-admin-1.1.6-1.fc6
>>> fedora-ds-admin-console-1.1.2-1.fc6
>>> fedora-ds-console-1.1.2-1.fc6
>>>
>>> Consumer:
>>> fedora-ds-admin-1.1.7-3.fc6
>>> fedora-ds-admin-console-1.1.3-1.fc6
>>> fedora-ds-base-1.2.0-2.fc6
>>> fedora-ds-dsgw-1.1.2-1.fc6
>>> fedora-ds-console-1.2.0-1.fc6
>>> fedora-ds-1.1.3-1.fc6
>>>
>>> I'm at a loss as to how to proceed with troubleshooting and would
>>> appreciate any suggestions.
>>>
>>> Thanks,
>>> Dan Weintraub
>> <snip>
>> Hi, Dan. Here is a snippet from our internal documentation. I apologize
>> that I don't have time to customize it or analyze your issue more deeply
>> but perhaps our findings will help you in your environment. Given
>> Rich's comment, I wonder if you were stung by the same error in
>> documentation we noted below:
>>
>> Go back to the centos-idm-console on ldap1
>> Go to the Configuration tab, select the userRoot under the Replication
>> object in the left panel. Left/right click and choose New Replication
>> Agreement
>> The name is "mycompany.com ldap1->ldap2" and the Description is
>> "Replicates mycompany.com from ldap1 to ldap2". Click Next.
>> Set the Consumer to ldap2.mycompany.com:389 from the drop down
>> box (389 is correct even though we are really using 636) - Oops!
>> That is not true despite what the documentation says. Click
>> other and create a new entry for ldap2.mycompany.com on port
>> 636.
>> Enable the SSL connection.
>> Enter cn=repuser,cn=config for the Bind As and enter the
>> password.
>> Click Next and then Next again.
>> We will always keep directories in sync so click Next again.
>> Choose Initialize Consumer Now and click Next
>> Click Done
>>
>> If you need more details, e.g., about how we set up SSL, I posted most
>> of our internal procedure a day or two ago on this mailing list in
>> response to a post entitled "Developting a CentOS-DS setup". You can
>> find much more detail there.
>>
>> Good luck - John
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tel : (33) 5.57.35.58.41
fax : (33) 5.57.35.58.01
MSN : jnc at dr15.cnrs.fr
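An added example, not from this thread or from the 389/NSS project: a small Python checker that parses a certutil -L listing like the one shown above and reports which entries carry the u (own certificate) or C (trusted CA) flag in the SSL trust slot and which carry neither, so a missing or untrusted consumer CA in the supplier's database stands out. The sample listings, nicknames and ldap1/ldap2 host names are constructed.

```python
import re

# Constructed sample listings shaped like certutil -L output (nicknames made
# up).  HEALTHY_DB: own server cert ("u,u,u") plus its CA with C in the SSL
# slot.  UNTRUSTED_CA_DB: the consumer's CA imported with empty trust flags.
HEALTHY_DB = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
Example-CA                                    CT,C,C
ldap1.example.com Cert                        u,u,u
"""
UNTRUSTED_CA_DB = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
ldap1.example.com Cert                        u,u,u
ldap2-consumer-CA                             ,,
"""

# One entry: nickname (may contain spaces), whitespace, then the three
# comma-separated trust slots SSL, S/MIME, JAR/XPI, each a possibly empty run
# of NSS trust letters.  Header lines lack commas or start with whitespace.
_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)\s*$"
)


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags)."""
    certs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            certs[m.group("nick")] = (m.group("ssl"), m.group("smime"), m.group("jar"))
    return certs


def check_ssl_trust(text):
    """Classify entries for an outbound TLS connection (e.g. a supplier
    connecting to a consumer on 636): 'u' in the SSL slot = own cert, 'C' = CA
    trusted to issue server certs, anything else = untrusted.  A peer chained
    to an untrusted entry fails verification (cf. the thread's -8172 error)."""
    result = {"server_certs": [], "trusted_cas": [], "untrusted": []}
    for nick, (ssl, _smime, _jar) in parse_certutil_list(text).items():
        if "u" in ssl:
            result["server_certs"].append(nick)
        elif "C" in ssl:
            result["trusted_cas"].append(nick)
        else:
            result["untrusted"].append(nick)
    return result
```

Feed it the real output of `certutil -L -d /etc/dirsrv/slapd-<instance>/` from the supplier; the consumer's CA should show up under trusted_cas, not untrusted.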