For testing I know "TLS_REQCERT never" works. For production I use:

TLS_REQCERT demand
TLS_CACERT /path/to/ca_cert.pem

If TLS_REQCERT never works then there's something wrong with your cert most likely. Though I'd expect a generic connection error if it were just having a problem verifying the certificate. Does ldapsearch/ldapmodify work for other operations? Otherwise maybe send us the exact command you're running?

-morgan

On Mar 6, 2014, at 12:29 PM, Justin Edmands <shockwavecs@xxxxxxxxx> wrote:

> On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K. <Rohit.Chaudhari@xxxxxxxxxx> wrote:
> Hi All,
>
> I am trying to create multi-master replication in 389. But I am having
> trouble using ldapmodify to create a replication manager DN account.
>
> I get the following error:
>
> Additional info: TLS error -8157: Certificate extension not found
>
> I went on the web and some people suggested I have a TLS_REQCERT=none line
> in /etc/openldap/ldap.conf, but this did not fix it either.
>
> My certificate in /etc/openldap/cacerts is called cacert.asc.
>
> Does anyone know how I can fix my problem?
>
> Thanks,
>
> R
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> Not totally sure, but don't use the "=".
>
> Here is mine:
>
> URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
> BASE ou=People,dc=domain,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
> # TLS_CACERT /etc/openldap/cacerts/cacert.asc
> TLS_REQCERT allow
>
> You can set it to "TLS_REQCERT never" as well.
>
> Also consider setting the TLS_CACERTDIR and TLS_CACERT.
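Since the thread turns on the difference between Morgan's production setting (TLS_REQCERT demand plus an explicit TLS_CACERT) and the "never"/"allow" settings suggested for testing, here is an added audit script that is not from anyone in the thread. It writes three constructed ldap.conf samples (made-up hostnames and paths) to a scratch directory and reports which ones still require the server certificate to verify. It relies on two things from ldap.conf(5): directive names are case-insensitive, and an absent TLS_REQCERT defaults to "demand". It assumes that when the directive appears more than once the last one wins, and it treats the "TLS_REQCERT=none" form as an unrecognised line, which matches Justin's remark that the "=" form does not take effect.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: audit an OpenLDAP client
# ldap.conf for a TLS_REQCERT setting that skips server certificate checks.
# Sample configs are constructed here (hostnames and paths are made up) so
# the script runs offline without an LDAP server.

tmp=$(mktemp -d)

# Weak: "allow" (like "never") proceeds even if the server cert fails to verify.
cat > "$tmp/weak.conf" <<'EOF'
URI ldaps://ldap.example.com
BASE ou=People,dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
EOF

# Hardened: "demand" plus an explicit CA file, as recommended for production.
cat > "$tmp/hardened.conf" <<'EOF'
URI ldaps://ldap.example.com
BASE ou=People,dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT demand
EOF

# Malformed: the "=" form from the thread. ldap.conf directives are separated
# by whitespace, so this line is not recognised and the default still applies.
cat > "$tmp/equals.conf" <<'EOF'
URI ldaps://ldap.example.com
TLS_REQCERT=none
EOF

# reqcert_value FILE: print the effective TLS_REQCERT value, lower-cased.
# Directive names are case-insensitive; an absent directive means OpenLDAP's
# default of "demand". Assumed here: if it appears more than once, the last
# directive wins.
reqcert_value() {
  awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
       END { if (v == "") v = "demand"; print v }' "$1"
}

# reqcert_malformed FILE: succeed if a "TLS_REQCERT=..." line is present,
# which libldap does not parse as a directive (assumed, per the thread).
reqcert_malformed() {
  grep -Eiq '^[[:space:]]*TLS_REQCERT=' "$1"
}

# reqcert_ok FILE: succeed only when the server certificate must verify.
# "hard" is equivalent to "demand". "never" and "allow" accept a certificate
# that fails verification; "try" still proceeds if the server presents none.
reqcert_ok() {
  case "$(reqcert_value "$1")" in
    demand|hard) return 0 ;;
    *) return 1 ;;
  esac
}

# audit FILE: print a one-line verdict; exit status 0 only if acceptable.
audit() {
  f=$1
  v=$(reqcert_value "$f")
  if reqcert_malformed "$f"; then
    echo "$f: a TLS_REQCERT=... line uses '='; it is ignored, effective value: $v"
  fi
  if reqcert_ok "$f"; then
    echo "$f: OK (TLS_REQCERT $v: server certificate is verified)"
  else
    echo "$f: WEAK (TLS_REQCERT $v: unverified server certificate accepted)"
    return 1
  fi
}

for f in "$tmp"/*.conf; do
  audit "$f" || true
done
```

Run against a real client config with `audit /etc/openldap/ldap.conf`; a "WEAK" verdict means the client will talk to any server that presents a certificate, which is why Morgan reserves "never" for testing. Note that a "demand" setting that still fails, as in Rohit's "-8157" error, points at the certificate or CA file itself rather than at the directive.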