Hello guys,
I'd appreciate it if you could spare some advice (for an LDAP newb) :-).
What I'd like to achieve (and have failed at so far):
A multimaster scenario where two 389-DS servers are suppliers/consumers
at the same time.
My scenario in my testing environment:
2x testing RHEL 6.6 servers with 2x 389-DS servers and 2x Samba servers.
Both 389-DS standalone servers work fine (over LDAPS) and I can create
users there directly over 389-console or through smbldap-tools; I can
join computers and authenticate users to the Windows domain through Samba...
So each 389-DS server can act as the authentication backend for the Samba
server and the SSSD daemon (for Unix authentication) over LDAPS (port 636).
My Multimaster replication setup STEPS:
1. create a user for replication authentication - in my case e.g.:
uid=repmandir1,cn=config (and uid=repmandir2,cn=config on the other server)
2. via 389-console: configuration -> replication -> "enable changelog"
with default database directory
3. via 389-console: configuration -> replication -> userRoot -> "enable
replica" (i supply here all needed info, replica ID, Supplier DN)
4. (HERE I GOT STUCK):
via 389-console: configuration -> replication -> userRoot -> New Repl.
agreement
i fill in:
-supplier server port 636
-consumer server port 636
connection:
use: TLS/SSL (tls/ssl encr. with ldaps)
authentication mechanism:
-simple (filled in with replication authentication user DN and credentials)
Clicking the "Next" button ends with:
"Consumer server unreachable or invalid credentials supplied..."
Now ...:
1.
I'm sure both servers are reachable from each other on both ports 389
and 636 (I can telnet there on those ports from each other, and I can also
verify Samba users via LDAPS etc.)
2. I can also continue and go further and set up replication - but only
on port 389 with the option ("Use LDAP - no encryption"), so it works - but
not over 636 ...
3.
I'm almost sure that this has some connection with certificates - and
this is my downfall, because certificate procedures are not my 'strong
suit'.
I generated the SSL certificates for both 389-DS servers via this script
(recommended by the Fedora wiki):
https://github.com/richm/scripts/blob/master/setupssl2.sh
So my question is: how do I make (in my case) the replication work (with
SSL/TLS)? I think I should somehow let each server know of its
respective 'counterpart' certificates - but how?
Sorry if my question is trivial, but I have searched the web on and off for the past 10
days and can't come up with a clear directive.
Thanks for any advice,
best regards,
Karel
--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
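Added example (not from Karel's message, the 389-DS project, or setupssl2.sh): a script for the step the question is missing. setupssl2.sh gives each instance its own self-signed CA in the instance's NSS database, so when the supplier opens the agreement's LDAPS connection to the consumer it sees a Server-Cert signed by a CA it has never seen and reports the consumer as unreachable, even though LDAP clients that were handed the right CA work fine. The script exports each instance's CA with certutil, imports the peer's CA into the other instance's NSS database with SSL CA trust flags ("CT,,"), checks the trust column of the `certutil -L` listing, and verifies the replication manager's simple bind over ldaps with the OpenLDAP client. Assumed and not stated in the post: the instance directories `/etc/dirsrv/slapd-ds1` and `/etc/dirsrv/slapd-ds2`, the hostnames `ds1.example.com`/`ds2.example.com`, the nicknames "CA certificate" and "Server-Cert" as setupssl2.sh creates them, and the peer nicknames "ds1 CA"/"ds2 CA". The `certutil -L` listing embedded in the script is constructed so the trust-flag check can be run offline.

```shell
#!/bin/bash
# Cross-trust the CA certificates of two 389-DS instances so that a replication
# agreement can use LDAPS (port 636).  Added example; not code from the post,
# from 389-DS or from setupssl2.sh.
# ASSUMPTIONS (not in the message): the directories, hosts and nicknames below.
set -euo pipefail

REPL_DN='uid=repmandir1,cn=config'   # replication manager DN from the post

# ca_trusted_in_listing NICK   (certutil -L listing on stdin)
# Exit 0 when NICK is listed with C or T in the SSL trust column ("CT,," or
# "CTu,u,u"); a plain server cert shows "u,u,u" and therefore fails.
ca_trusted_in_listing() {
  awk -v nick="$1" '
    NF >= 2 && $NF ~ /,/ {                              # entry lines end in a flags field
      flags = $NF
      name = $0; sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # nickname may contain spaces
      if (name == nick && flags ~ /^[^,]*[CT]/) ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# export_ca INSTANCE_DIR OUTFILE -> PEM of this instance's own CA (assumed
# nickname "CA certificate", as created by setupssl2.sh)
export_ca() {
  certutil -L -d "$1" -n "CA certificate" -a > "$2"
}

# import_peer_ca INSTANCE_DIR NICK PEMFILE -> trust the peer's CA for SSL.
# If certutil asks for the NSS database password, it is the one in the
# instance's pin.txt (assumption: setupssl2.sh wrote it there).
import_peer_ca() {
  certutil -A -d "$1" -n "$2" -t "CT,," -i "$3"
}

# verify_peer HOST CAFILE -> the connection the supplier will make: TLS chain
# check against the peer CA plus a simple bind as the replication manager.
verify_peer() {
  LDAPTLS_CACERT="$2" ldapsearch -H "ldaps://$1:636" -x -D "$REPL_DN" -W \
    -s base -b '' '(objectClass=*)' namingContexts
}

# Constructed sample of `certutil -L` output for an instance set up by
# setupssl2.sh (before the peer CA was imported); used for the offline demo.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u'

case "${1:-demo}" in
  export)   # run on each server:  ./cross-trust.sh export /etc/dirsrv/slapd-ds1 /tmp/ds1-ca.pem
    export_ca "$2" "$3" ;;
  trust)    # run on the OTHER server after copying the PEM over:
            #   ./cross-trust.sh trust /etc/dirsrv/slapd-ds2 "ds1 CA" /tmp/ds1-ca.pem
    import_peer_ca "$2" "$3" "$4"
    certutil -L -d "$2" | ca_trusted_in_listing "$3" \
      || { echo "$3 is not listed as a trusted CA in $2" >&2; exit 1; }
    service dirsrv restart ;;   # RHEL 6: trust flags are read when ns-slapd starts
  verify)   # ./cross-trust.sh verify ds1.example.com /tmp/ds1-ca.pem
    verify_peer "$2" "$3" ;;
  *)        # offline demo on the constructed listing
    for nick in "CA certificate" "ds2 CA" "Server-Cert"; do
      if printf '%s\n' "$SAMPLE_LISTING" | ca_trusted_in_listing "$nick"; then
        echo "trusted CA present: $nick"
      else
        echo "not a trusted CA:   $nick"
      fi
    done ;;
esac
```

Run `export` on both servers, copy each PEM to the other server, run `trust` there, then `verify` from each server against the other before creating the agreement in the console. Two further things to check if the bind still fails: the consumer host entered in the agreement must match the CN in the consumer's Server-Cert (setupssl2.sh uses the machine's hostname for it, so use the same FQDN, not an IP), and the replication manager DN and password must be the ones on the consumer side, since the supplier binds to the consumer with them.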