Re: 389-users Digest, Vol 125, Issue 3

hi,

In reply to my own question (presented as topic no. 1 in vol. 125, see the chain mail below):

It is solved. The problem is that the script recommended by the Fedora wiki (setupssl2.sh) as a way of automatically generating SSL certificates for a 389-DS server is not suitable for setting up multimaster or master/slave scenarios.

It is OK to use the script for SSL generation and enabling on a single 389 server, but not for replication, as the servers do not trust each other (even after importing the CA certificate into each other), because there are a number of errors to deal with, like the same serial number on the certificates, the parameters of the generated CA cert, etc.

I had to delete those script-generated SSL certs on both servers, manually create my own company CA key and then sign my own company CA certificate with this key. Then create a CSR file from each 389-DS server, sign these CSR files with the company CA cert and import the created *.crt keys into each server (for the directory server and the administration directory server separately, of course).

After that, all worked without problems.

So, as a conclusion, the script is OK for testing purposes and quick server setups, but not really for live or more complicated scenarios.

But anyway, kudos to whoever wrote it, because I 'gutted' it in order to better understand the whole process.

cheers,


--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
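The procedure Karel describes above (private company CA, one CSR per 389-DS server, CA-signed certificate imported into each server), and the trust question in his original post quoted below, as an added example that is not part of the thread and not the setupssl2.sh script. It builds the CA and issues the per-server certificates with openssl so that it runs without a 389-DS instance; the hostnames ldap1.example.com / ldap2.example.com, the CA name and the NSS database path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA that signs one
# certificate per 389-DS server. Each server cert gets its own serial number
# and chains to the same CA, which is what both replicas need to trust each
# other over LDAPS. Hostnames, paths and names below are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The company CA: private key and self-signed CA certificate with CA:TRUE.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
O = Example Company
CN = Example Company CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. One CSR per server, signed by the CA.  $1 = server FQDN (assumed).
issue_server_cert() {
    host="$1"
    # Stand-in for the CSR step done on the server itself: key + CSR.  On a
    # real 389-DS box the CSR comes from "certutil -R" against the instance's
    # NSS database, so the private key never leaves that database.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/O=Example Company/CN=$host" 2>/dev/null
    # CA side: end-entity extensions.  clientAuth is included because the
    # supplier acts as a TLS client when it pushes changes to the consumer.
    printf '%s\n' \
        "basicConstraints = CA:FALSE" \
        "keyUsage = critical, digitalSignature, keyEncipherment" \
        "extendedKeyUsage = serverAuth, clientAuth" \
        "subjectAltName = DNS:$host" > "$WORK/$host.ext"
    # -CAserial/-CAcreateserial keeps an incrementing serial file, so no two
    # certificates from this CA share a serial number.
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# 3. Checks: does the server cert chain to our CA, and what serial does it carry?
verify_cert() {   # $1 = FQDN; exit 0 only if the cert validates against ca.crt
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
serial_of() {     # $1 = FQDN; prints the hex serial number
    openssl x509 -noout -serial -in "$WORK/$1.crt" | cut -d= -f2
}

# 4. Import on each 389-DS server (not run here; needs a live instance).
#    $1 = NSS db dir, e.g. /etc/dirsrv/slapd-<instance> (assumed), $2 = FQDN.
#    Assumes the CSR for $2 was made there with "certutil -R -d $1 ...", so the
#    key already lives in that database and certutil -A attaches the signed
#    cert to it.  Trust flags "CT,," mark the CA as trusted for both server
#    and client authentication; "Server-Cert" is the default nickname 389-DS
#    looks for.
import_into_nss() {
    certutil -A -d "$1" -n "Example Company CA" -t "CT,," -i "$WORK/ca.crt"
    certutil -A -d "$1" -n "Server-Cert"        -t ",,"   -i "$WORK/$2.crt"
}

main() {
    make_ca
    for h in ldap1.example.com ldap2.example.com; do
        issue_server_cert "$h"
        if verify_cert "$h"; then
            echo "$h: serial $(serial_of "$h") chains to $WORK/ca.crt"
        else
            echo "$h: certificate does NOT chain to the CA" >&2
            exit 1
        fi
    done
}
main
```

The same ca.crt goes into the NSS database of every replica (directory server and admin server alike); each replica's own Server-Cert is the one the CA issued for its hostname. Because both server certs were issued by one CA with distinct serials, each side can validate the other's certificate when the replication agreement is created over port 636.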


On 10/02/2015 07:07 PM, 389-users-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:

Today's Topics:

    1. help needed with multimaster replication setup (tls/ssl encr.
       with ldaps) (Karel Lang AFD)
    2. Re: Random dirsrv freezes and high CLOSE_WAITs (Prashant Bapat)


----------------------------------------------------------------------

Message: 1
Date: Fri, 2 Oct 2015 18:35:36 +0200
From: Karel Lang AFD <lang@xxxxxx>
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject:  help needed with multimaster replication setup
	(tls/ssl encr. with ldaps)
Message-ID: <560EB258.7070108@xxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed


Hello guys,
I'd appreciate it if you could spare some advice (for an LDAP newb) :-).


What I'd like to achieve (and have failed at so far):

A multimaster scenario, where two 389-DS servers are suppliers/consumers
at the same time.


My scenario in my testing environment:

2x testing RHEL 6.6 servers with 2x 389-DS servers and 2x Samba servers

Both 389-DS standalone servers work fine (over LDAPS) and I can create
users there directly via the 389-console or through smbldap-tools; I can
join computers and authenticate users to the Windows domain through Samba...

So each 389-DS server can act as an authentication backend for the Samba
server and the SSSD daemon (for Unix authentication) over LDAPS (port 636).



My Multimaster replication setup STEPS:

1. create a user for replication authentication, in my case e.g.:
uid=repmandir1,cn=config (and uid=repmandir2,cn=config on the other server)

2. via 389-console: configuration -> replication -> "enable changelog"
with default database directory

3. via 389-console: configuration -> replication -> userRoot -> "enable
replica" (I supply all the needed info here: replica ID, supplier DN)

4. (HERE I GOT STUCK):

via 389-console: configuration -> replication -> userRoot -> New Repl.
agreement

i fill in:
-supplier server port 636
-consumer server port 636

connection:
use: TLS/SSL (tls/ssl encr. with ldaps)

authentication mechanism:
-simple (filled in with replication authentication user DN and credentials)


Clicking the "Next" button ends with:
Consumer server unreachable or invalid credentials supplied...


Now...:
1.
I'm sure the servers are both reachable from each other on both ports 389
and 636 (I can telnet to those ports from each other, I can also
verify Samba users via LDAPS, etc.)

2. Also, I can continue and go further and set up replication, but only
on port 389 with the option "Use LDAP - no encryption", so it works, but
not over 636...

3.
I'm almost sure that this has some connection with certificates, and
this is my downfall, because certification procedures are not my 'strong
suit'.

I generated the SSL certificates for both 389-DS servers via this script
(recommended by the Fedora wiki):


https://github.com/richm/scripts/blob/master/setupssl2.sh


So my question is: how do I make the replication work (in my case) with
SSL/TLS? I think I should somehow let each server know of its
respective 'counterpart' certificates, but how?

Sorry if my question is trivial, but I've searched the web on and off for
the past 10 days and can't come up with a clear directive.


Thanks for any advice,
best regards,

Karel



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users