I hope I have replied correctly this time. Yes, I created the certs on both machines using this link: http://xilab.net/blog/389-directory-server-ssl walking through each step one at a time. As you see, I created a Server-Cert and the serial numbers 1000, 1001, 1002 for both servers. I can understand if I should have put 1000, 1001, 1002 for one machine and 1100, 1101, 1102 for the other machine. I followed the instructions on the link you sent me to delete the existing cert and replace it with my new one for server B, which was exported from server A. This time I did not receive error messages when importing; however, I still get the message "81 can't contact LDAP server". Hope this information helps me understand how this works better, as this is the last step.
> This seems to be getting me somewhere.... Thanks for the quick response....
>
> I have run the following commands on the master:
>
> $ certutil -S -n "consumer-Cert" -s "cn=xxx.stag.cle.us" -c "CA certificate" -t "u,u,u" -m 999 -v 120 -d . -k rsa

Do you have another cert (server cert or CA cert) with the same -m value? The value given to the -m argument must be unique for every cert.

> $ pk12util -d . -o consumer-cert.p12 -n Server-Cert
>
> And then copied consumer.p12 and cacert.asc to /tmp on server B.
>
> When I tried to import the replication consumer cert into the other 389 DS I receive the following error:
>
> [root@xxx302 slapd-adm302]# pk12util -d . -i /tmp/consumer-cert.p12
> Enter Password or Pin for "NSS Certificate DB":
> Enter Password or Pin for "NSS Certificate DB":
> Enter password for PKCS12 file:
> pk12util: using nickname: xxx.stag.cle.us
> pk12util: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
>
> From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
>
> On 08/31/2011 08:45 AM, David Hoskinson wrote:
>> I have set up 2 servers running the following versions of 389 Directory Server:
>>
>> 389-adminutil-1.1.13-1.el5
>> 389-admin-1.1.16-1.el5
>> 389-dsgw-1.1.6-1.el5
>> 389-ds-1.2.1-1.el5
>> 389-ds-base-1.2.8.3-1.el5
>> 389-admin-console-1.1.7-1.el5
>> 389-console-1.1.4-1.el5
>> 389-admin-console-doc-1.1.7-1.el5
>> 389-ds-base-libs-1.2.8.3-1.el5
>> 389-ds-console-1.2.5-1.el5
>> 389-ds-console-doc-1.2.5-1.el5
>>
>> I have also enabled SSL and created the appropriate certs for each machine. I am able to set each machine as a client so I can test that from server A; I can log in to server A while being authenticated by server B and vice versa. The last problem that I seem to be having is setting up replication. I have enabled the changelog, created a replication account, and enabled the replica. When I create my replication agreement on the userRoot, the supplier shows as server A port 389 and the consumer shows as server B 636.
>>
>> I am using "Use TLS with ldaps", and simple bind with my replication account and password. I next leave "enable fractional replication" unchecked, "always keep directories in sync" and "initialize consumer"... this is on server A and done. I get the following error message:
>>
>> Consumer initialization has unsuccessfully completed. The error received by the replica is '81 - LDAP error: Can't contact LDAP server'
>>
>> I believe I am reading that in some manner the cacert.asc from server A has to be on server B and the cacert B has to be on server A, but am not sure and having problems with this. Any help with this would be appreciated and can provide additional information if needed...
>>
>> David Hoskinson | DATATRAK International
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> David Hoskinson | DATATRAK International |
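NSS keys every certificate in a database by its issuer DN plus serial number, which is exactly what the pk12util error in the thread is reporting: the consumer's certificate database already holds a different cert under that issuer/serial, because each server minted its own chain from a CA with the same name ("CA certificate") and the same -m values. The block below is an added example, not code from the 389-users thread or from the 389/NSS projects. It implements that same issuer/serial check over a minimal DER reader so an import can be pre-checked, and it goes slightly beyond the thread's single case by reporting every colliding pair in a set of certs. The certificate-shaped byte strings, the hostnames and the serials are constructed placeholders (unsigned, empty public key); it is not an X.509 parser for real certificates.

```python
# Added example (not from the 389-users thread or the 389/NSS projects):
# pre-check a PKCS#12 import for the issuer/serial collision NSS rejects.
# NSS identifies a certificate by issuer DN plus serial number, so two certs
# minted by separately generated CAs that share a DN and an -m value collide
# even though they are different certs. The DER below is synthetic and
# constructed for the demo; the reader only walks the fields it needs.

from collections import defaultdict

OID_COMMON_NAME = b"\x55\x04\x03"                          # 2.5.4.3 (id-at-commonName)
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(value):
    """DER INTEGER; two's-complement, so positive values keep a leading 0 bit."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def make_fake_cert(issuer_cn, serial, subject_cn):
    """Constructed, unsigned certificate-shaped DER: just enough structure for
    the issuer/serial check (empty SubjectPublicKeyInfo, dummy signature)."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + b"\x05\x00")
    validity = der_tlv(0x30, der_tlv(0x17, b"110901000000Z") + der_tlv(0x17, b"210901000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_integer(2)) + der_integer(serial) + sig_alg
                  + der_name(issuer_cn) + validity + der_name(subject_cn) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def issuer_and_serial(cert_der):
    """Return (issuer Name body, serial int) from Certificate > tbsCertificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert_body)[0][1])
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return fields[2][1], serial         # fields[1] is the signature AlgorithmIdentifier


def issuer_cn(issuer_der):
    """Pull the CN attribute out of a Name body, for readable reports."""
    for _, rdn in _children(issuer_der):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode()
    return None


def classify_import(db_certs, new_cert):
    """What NSS does with new_cert given the certs already in the database:
    identical cert -> already present; same issuer/serial, different bytes -> conflict."""
    key = issuer_and_serial(new_cert)
    for existing in db_certs:
        if issuer_and_serial(existing) == key:
            return "already-present" if existing == new_cert else "conflict"
    return "ok"


def find_conflicts(certs):
    """(issuer CN, serial) pairs shared by two or more *different* certs."""
    seen = defaultdict(set)
    for cert in certs:
        seen[issuer_and_serial(cert)].add(cert)
    return sorted((issuer_cn(issuer), serial)
                  for (issuer, serial), ders in seen.items() if len(ders) > 1)


if __name__ == "__main__":
    # Constructed scenario: both servers minted a Server-Cert from a CA named
    # "CA certificate" with the same -m value, then server B's cert is imported on A.
    a_db = [make_fake_cert("CA certificate", 1000, "server-a.example.test")]
    b_cert = make_fake_cert("CA certificate", 1000, "server-b.example.test")
    b_fixed = make_fake_cert("CA certificate", 1100, "server-b.example.test")
    print("server B cert, serial 1000:", classify_import(a_db, b_cert))
    print("server B cert, serial 1100:", classify_import(a_db, b_fixed))
```

The check mirrors the rule behind the error text: a cert that is byte-for-byte already in the database is harmless, a cert with the same issuer DN and serial but different content is refused. Giving each server its own disjoint -m range (the 1000-1002 versus 1100-1102 split discussed above) keeps every (issuer, serial) pair unique across both databases, which is what lets the exported consumer cert import cleanly.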