On 08/20/2014 03:58 PM, Elizabeth Jones wrote:
> additional info -
> I increased logging on my supplier and see this error now -
>
> TLS: hostname does not match CN in peer certificate
>
> When I created the replication agreement, it is giving me a default
> consumer, I don't know why. The default is ldap1.mycompany.com:389.
>
> The certificate from ldap1 has just ldap1 as the name. I entered ldap1
> and port 636 when I created the agreement, but after I do this it becomes
> ldap1.mycompany.com:636. Would this be why it's failing, it wants the
> certificate to have ldap1.mycompany.com in it rather than ldap1?

Correct, you need to use the fully qualified domain name for certificates.

Regards,
Mark

>
> thanks,
> EJ
>
>
>> I have multimaster replication set up on 4 LDAP servers but can't get
>> secure replication working on one of the servers. The setup is like this
>> --
>>
>> data center 1            data center 2
>>
>> ldap1   <------->        ldap1
>>
>> ^ |                      ^ |
>> / |                      | |
>> | v                      | v
>>
>> ldap2                    ldap2
>>
>>
>> each server has its own self-signed cert.
>>
>> I can successfully replicate in all the directions indicated except for
>> replication from data center 1 ldap2 to data center 1 ldap1.
>>
>> I know that I have the right certificate on ldap2. I can ldapsearch -ZZ
>> from ldap2 to ldap1 successfully using this certificate. I can
>> successfully replicate from data center 2 ldap1 to data center 1 ldap1
>> using this certificate. But replication refuses to work from DC1 ldap2 to
>> DC1 ldap1!!!!
>>
>> The logs say LDAP error: Can't contact LDAP server. Error Code: -1.
>>
>> I've disabled iptables on both data center 1 ldaps. I've rebuilt the
>> replication agreement a dozen times. I've ldapsearch -ZZ'ed a dozen times.
>> I've reinstalled the CA certificate (using the one from my openldap
>> directory, so I know that it is the same one that is working for
>> ldapsearch -ZZ, as well as exporting it from ldap1 again and reinstalling
>> it). What else can I possibly do to get this working?
>>
>> These are my rpms -
>> # rpm -qa | grep 389
>> 389-ds-base-libs-1.2.11.25-1.el6.x86_64
>> 389-ds-console-1.2.6-1.el6.noarch
>> 389-admin-1.1.35-1.el6.x86_64
>> 389-ds-base-1.2.11.25-1.el6.x86_64
>> 389-admin-console-1.1.8-1.el6.noarch
>> 389-console-1.1.7-1.el6.noarch
>> 389-adminutil-1.1.19-1.el6.x86_64
>> openssl-1.0.1e-16.el6_5.4.x86_64
>>
>> # uname -a
>> Linux dc1-ldap2 2.6.32-431.5.1.el6.x86_64
>>
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
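The failure in this thread is an ordinary TLS host name check: the replication agreement dials ldap1.mycompany.com, the consumer's certificate names only ldap1, so the client refuses the handshake. The script below is an added example (not code from the thread or from 389-ds) that performs that check offline, using only the Python standard library. It takes a certificate in the dict shape returned by ssl.SSLSocket.getpeercert() so a real one can be dropped in, and the three sample certificates are constructed here to mirror the thread (CN=ldap1, CN=ldap1.mycompany.com, and a CN=ldap1 cert that also carries a SAN). It generalizes slightly beyond the thread: when a subjectAltName extension with DNS entries is present, RFC 6125 clients use it and ignore the CN, and a wildcard is honoured only as the whole left-most label. The host name, port and CA path in the usage note are assumptions.

```python
"""Does a peer certificate cover the host name a TLS client will dial?
Added example; not 389-ds code. Certificates use the dict layout of
ssl.SSLSocket.getpeercert(); the samples below are constructed."""
import socket
import ssl


def _dns_names(cert):
    """Return (SAN DNS names, subject commonNames) from a getpeercert()-style dict."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return san, cns


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored.
    A '*' is honoured only as the entire left-most label, must leave at least
    two labels to its right, and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for `hostname`.
    SAN DNS entries are authoritative when present; the subject CN is only a
    fallback for certificates that carry no SAN (the case in the thread)."""
    san, cns = _dns_names(cert)
    candidates = san if san else cns
    return any(_name_matches(n, hostname) for n in candidates)


def explain(cert, hostname):
    """One-line verdict naming which field was compared and what it held."""
    san, cns = _dns_names(cert)
    verdict = "OK" if hostname_matches(cert, hostname) else "MISMATCH"
    source = "SAN" if san else "CN"
    names = ", ".join(san or cns) or "none"
    return f"{hostname}: {verdict} (cert {source} names: {names})"


def peer_cert_for(host, port=636, cafile=None):
    """Fetch a live consumer's certificate with host name checking disabled so
    a mismatch can be reported instead of aborting the handshake. The chain is
    still verified against `cafile` (needed for a self-signed consumer cert).
    Network call; not exercised by the offline samples below."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real data) in getpeercert() layout.
SHORT_NAME_CERT = {"subject": ((("commonName", "ldap1"),),)}          # what the thread had
FQDN_CERT = {"subject": ((("commonName", "ldap1.mycompany.com"),),)}  # what the reply asks for
SAN_CERT = {                                                          # short CN, but SAN covers the FQDN
    "subject": ((("commonName", "ldap1"),),),
    "subjectAltName": (("DNS", "ldap1.mycompany.com"), ("DNS", "ldap1")),
}
CONSUMER = "ldap1.mycompany.com"  # the host the replication agreement dials

if __name__ == "__main__":
    for cert in (SHORT_NAME_CERT, FQDN_CERT, SAN_CERT):
        print(explain(cert, CONSUMER))
```

To check a real consumer, call peer_cert_for("ldap1.mycompany.com", 636, cafile="/path/to/ca.crt") (host, port and path assumed) and pass the result to explain() with exactly the host string shown in the replication agreement; a short name that resolves fine is still a mismatch if it is not what the certificate says. Reissuing the consumer certificate with the FQDN in the CN, or better in a SAN DNS entry, is the fix; pointing the agreement at the short name only works if that is what the certificate names.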