I had to put a "-x" after ldapmodify to make it use simple authentication versus SASL. My 389 DS is not SASL enabled, but it does have a self-signed CA certificate. When I tried to just set TLS_REQCERT never, it did not work. I haven't tried testing the TLS_CACERT variable, where I set exactly what the cacert.asc is. Could there be a problem of creating the certificate with certutil versus openSSL (certutil results in .asc file)?

Look forward to thoughts,
R

On 3/6/14 1:04 PM, "Chaudhari, Rohit K." <Rohit.Chaudhari@xxxxxxxxxx> wrote:

>Okay, I will take a look and report back.
>
>Thanks,
>
>Rohit
>
>On 3/6/14 12:58 PM, "Morgan Jones" <morgan@xxxxxxxxxxxxxxx> wrote:
>
>>For testing I know "TLS_REQCERT never" works.
>>
>>For production I use:
>>TLS_REQCERT demand
>>TLS_CACERT /path/to/ca_cert.pem
>>
>>If TLS_REQCERT never works then there's something wrong with your cert
>>most likely. Though I'd expect a generic connection error if you were just
>>having a problem verifying the certificate. Does ldapsearch/ldapmodify
>>work for other operations?
>>
>>Otherwise maybe send us the exact command you're running?
>>
>>-morgan
>>
>>
>>On Mar 6, 2014, at 12:29 PM, Justin Edmands <shockwavecs@xxxxxxxxx> wrote:
>>
>>> On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K. <Rohit.Chaudhari@xxxxxxxxxx> wrote:
>>> Hi All,
>>>
>>> I am trying to create multi-master replication in 389. But I am having
>>> trouble using ldapmodify to create a replication manager DN account.
>>>
>>> I get the following error:
>>>
>>> Additional info: TLS error -8157: Certificate extension not found
>>>
>>> I went on the web and some people suggested I have a TLS_REQCERT=none line
>>> in /etc/openldap/ldap.conf, but this did not fix it either.
>>>
>>> My certificate in /etc/openldap/cacerts is called cacert.asc.
>>>
>>> Does anyone know how I can fix my problem?
>>>
>>> Thanks,
>>>
>>> R
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>> Not totally sure, but don't use the "="
>>>
>>> here is mine:
>>>
>>> URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
>>> BASE ou=People,dc=domain,dc=com
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> # TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>> TLS_REQCERT allow
>>>
>>> you can set it to "TLS_REQCERT never" as well.
>>>
>>> Also consider setting the TLS_CACERTDIR and TLS_CACERT
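Added example, not code from the thread or from 389 DS/OpenLDAP: a small audit of an OpenLDAP client ldap.conf that classifies TLS_REQCERT the way Morgan's reply does (never/allow for testing, demand plus TLS_CACERT for production), flags the "KEY=value" form Justin warns against, and checks that the CA file, whether named .asc or .pem, actually holds a PEM certificate. The sample config, hostnames and CA body are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for the TLS settings the thread discusses."""
from typing import Dict, List, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
WEAK, STRICT = {"never", "allow"}, {"demand", "hard"}  # no verification vs. verification required
VALID = WEAK | STRICT | {"try"}
# Constructed sample mirroring the config posted in the thread (hostnames are made up).
SAMPLE_CONF = """URI ldaps://dir1.example.test ldaps://dir2.example.test
BASE ou=People,dc=example,dc=test
TLS_CACERTDIR /etc/openldap/cacerts
# TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT allow
"""

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """One whitespace-separated 'KEY value' per line (no '='); '#' lines are comments; later lines win."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_ldap_conf(text: str, ca_file_text: Optional[str] = None) -> List[str]:
    """Return findings (empty = server cert verified against a PEM CA); ca_file_text is TLS_CACERT's content or None."""
    findings: List[str] = []
    for line in text.splitlines():
        tok = line.split(None, 1)[0] if line.strip() else ""
        if "=" in tok and not tok.startswith("#"):  # e.g. 'TLS_REQCERT=none' is not a setting
            findings.append(f"'{tok}' uses '='; ldap.conf expects 'KEY value'")
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP's default is demand
    if reqcert not in VALID:
        findings.append(f"TLS_REQCERT '{reqcert}' is not one of never/allow/try/demand/hard")
    elif reqcert in WEAK:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified (test use only)")
    if reqcert in STRICT and not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT requires verification but no TLS_CACERT/TLS_CACERTDIR is set")
    if conf.get("TLS_CACERT") and ca_file_text is not None and PEM_HEADER not in ca_file_text:
        findings.append("TLS_CACERT file is not PEM: export it from the NSS database with "
                        "'certutil -L -d <certdb> -n <nickname> -a' (a .asc name is fine, the content must be PEM)")
    return findings

def harden(text: str, ca_path: str) -> str:
    """Production form: keep everything else, set TLS_REQCERT demand and an explicit CA file."""
    kept = [l for l in text.splitlines()
            if (l.split(None, 1) or [""])[0].upper().split("=")[0] not in ("TLS_REQCERT", "TLS_CACERT")]
    return "\n".join(kept + ["TLS_REQCERT demand", f"TLS_CACERT {ca_path}"]) + "\n"
```

Run it against a copy of /etc/openldap/ldap.conf together with the file named by TLS_CACERT; the findings list is what a test-only setting looks like once it has leaked into production.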