additional info - I increased logging on my supplier and see this error now -

TLS: hostname does not match CN in peer certificate

When I created the replication agreement, it is giving me a default consumer, I don't know why. The default is ldap1.mycompany.com:389. The certificate from ldap1 has just ldap1 as the name. I entered ldap1 and port 636 when I created the agreement, but after I do this it becomes ldap1.mycompany.com:636. Would this be why it's failing, it wants the certificate to have ldap1.mycompany.com in it rather than ldap1?

thanks,
EJ

> I have multimaster replication set up on 4 LDAP servers but can't get
> secure replication working on one of the servers. The setup is like this
> --
>
>   data center 1            data center 2
>
>   ldap1 <-------> ldap1
>
>   ^ |                      ^ |
>   / |                      | |
>   | v                      | v
>
>   ldap2                    ldap2
>
> each server has its own self-signed cert.
>
> I can successfully replicate in all the directions indicated except for
> replication from data center1 ldap2 to data center1 ldap1.
>
> I know that I have the right certificate on ldap2. I can ldapsearch -ZZ
> from ldap2 to ldap1 successfully using this certificate. I can
> successfully replicate from data center 2 ldap1 to data center1 ldap1
> using this certificate. But replication refuses to work from DC1 ldap2 to
> DC1 ldap1!!!!
>
> The logs say LDAP error: Can't contact LDAP server. Error Code: -1.
>
> I've disabled iptables on both data center 1 ldaps. I've rebuilt the
> replication agreement a dozen times. I've ldapsearch -zz'ed a dozen times.
> I've reinstalled the CA certificate (using the one from my openldap
> directory, so I know that it is the same one that is working for
> ldapsearch -ZZ, as well as exporting it from ldap1 again and reinstalling
> it). What else can I possibly do to get this working?
>
> These are my rpms -
> # rpm -qa | grep 389
> 389-ds-base-libs-1.2.11.25-1.el6.x86_64
> 389-ds-console-1.2.6-1.el6.noarch
> 389-admin-1.1.35-1.el6.x86_64
> 389-ds-base-1.2.11.25-1.el6.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-console-1.1.7-1.el6.noarch
> 389-adminutil-1.1.19-1.el6.x86_64
> openssl-1.0.1e-16.el6_5.4.x86_64
>
> # uname -a
> Linux dc1-ldap2 2.6.32-431.5.1.el6.x86_64
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
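A check for the hostname-versus-certificate mismatch described in the reply above: does the name the replication agreement will connect to (ldap1.mycompany.com) count as a valid identity for a certificate whose only name is ldap1? This is an added example, not code from the thread or from 389-ds; the certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the matching rules follow RFC 6125 (dNSName SANs take precedence over the CN, a single leftmost wildcard label is allowed).

```python
"""Decide whether a peer certificate would pass TLS hostname verification
for a given consumer hostname. Constructed example, not from the thread."""


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive exact match, or one wildcard
    in the leftmost label only (never a bare '*.com' style pattern)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if `host` is an acceptable identity for `cert`.
    If the certificate carries any dNSName SAN, only SANs are consulted;
    the subject commonName is a legacy fallback used only when no SAN exists."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(n, host) for n in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, host) for n in cns)


# Constructed certificate identities for the two situations in the thread:
# the existing cert that names only the short hostname, and one reissued
# with the FQDN the agreement actually dials.
CERT_SHORTNAME_ONLY = {"subject": ((("commonName", "ldap1"),),)}
CERT_WITH_FQDN_SAN = {
    "subject": ((("commonName", "ldap1"),),),
    "subjectAltName": (("DNS", "ldap1"), ("DNS", "ldap1.mycompany.com")),
}


def explain(cert: dict, host: str) -> str:
    """Human-readable verdict mirroring the error string seen in the log."""
    if cert_matches_host(cert, host):
        return f"{host}: OK"
    return f"{host}: TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    for host in ("ldap1", "ldap1.mycompany.com"):
        print("short-name cert ", explain(CERT_SHORTNAME_ONLY, host))
        print("FQDN-SAN cert   ", explain(CERT_WITH_FQDN_SAN, host))
```

The same function can be run on a live peer by feeding it the dict from `ssl.SSLSocket.getpeercert()` together with the consumer host shown in the agreement, which tells you before enabling the agreement whether the consumer's certificate needs to be reissued with the FQDN.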