----- On 17 Jan, 2016, at 14:48, Rob Crittenden rcritten@xxxxxxxxxx wrote:

> Phil Daws wrote:
>> Hello all:
>>
>> Have tried to get my lab set up with 389 and secure connections multiple times
>> now with disastrous results; and yes have tried to follow
>> http://www.port389.org/docs/389ds/howto/howto-ssl.html
>>
>> Here is a very brief walkthrough of what I did:
>>
>> * from my PKI created four certificates - node1 admin and node2 directory +
>> node2 admin and node2 directory certificates
>> * on both node1 and node2 installed the following packages:
>>
>> [root@ads01 ~]# rpm -qa | grep 389
>> 389-adminutil-1.1.22-1.el7.x86_64
>> 389-ds-base-1.3.4.0-21.el7_2.x86_64
>> 389-admin-console-1.1.10-1.el7.noarch
>> 389-console-1.1.9-1.el7.noarch
>> 389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
>> 389-admin-1.1.42-1.el7.x86_64
>> 389-ds-console-1.2.12-1.el7.noarch
>>
>> * on node1 ran setup-ds-admin.pl and configured the initial directory server
>> * on node1 configured the admin to use TLS + the directory server so that it
>> bound to 636
>> * on node2 ran setup-ds-admin.pl and joined the directory server on node1
>> * on node2 configured the admin to use TLS
>> * on node2 launch 389-console using https and then try to connect to the
>> directory server on node2 and it just hangs and fails with an SSL error over
>> and over:
>>
>> [Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit:
>> NSS is required to use LDAPS, but security initialization failed [-8015:The
>> certificate/key database is in an old, unsupported format or failed to open.].
>
> Double-check that the user that 389-ds runs as has read permissions to
> the NSS database.
>

Permissions look fine with 0440 and owned by the user that slapd is running under.

>>
>> How does one perform an install, with two nodes, that each has an administration
>> instance plus a directory server running TLS on 636 ??
>> Have not even been able
>> to attempt multi-master replication yet :(
>>
>> All help appreciated.
>>
>> Thanks, Phil

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
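Rob's suggestion is to confirm the service account can read the NSS database. The checker below is an added example, not code from this thread or from the 389 project: it verifies that a cert/key DB file pair exists, that the directory is searchable (a 0440 mode on the files is not enough if the directory itself lacks the x bit for that account), and that the files are readable through the account's owner or group bits. The `/etc/dirsrv/slapd-INSTANCE` path and the `dirsrv` account name are placeholders; it assumes GNU `stat` and `id`.

```shell
#!/bin/sh
# Added example: sanity-check an NSS cert/key database directory for a given
# service account. Usage: check_nss_db /etc/dirsrv/slapd-INSTANCE dirsrv
# (placeholders; assumes GNU stat and id).

nss_db_format() {
  # Prints "sql" (cert9.db + key4.db), "dbm" (legacy cert8.db + key3.db) or "none".
  if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then echo sql
  elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then echo dbm
  else echo none; fi
}

# Returns 0 when $2 can open the database in $1: the directory is searchable (x)
# and every DB file is readable (r) via the account's owner or group bits.
check_nss_db() {
  dir=$1; user=$2
  fmt=$(nss_db_format "$dir")
  case $fmt in
    sql) set -- "$dir" "$dir/cert9.db" "$dir/key4.db" ;;
    dbm) set -- "$dir" "$dir/cert8.db" "$dir/key3.db" ;;
    *)   echo "$dir: no cert9.db/key4.db or cert8.db/key3.db pair found" >&2; return 1 ;;
  esac
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "no such account: $user" >&2; return 1; }
  for f in "$@"; do
    owner=$(stat -c %U "$f"); group=$(stat -c %G "$f"); perms=$(stat -c %A "$f")
    if [ "$owner" = "$user" ]; then
      triple=$(printf '%s' "$perms" | cut -c2-4)        # owner rwx bits
    elif printf '%s\n' $groups | grep -qx "$group"; then
      triple=$(printf '%s' "$perms" | cut -c5-7)        # group rwx bits
    else
      echo "$f: owned by $owner:$group, $user is neither" >&2; return 1
    fi
    if [ -d "$f" ]; then need=x; else need=r; fi       # dirs need x, files need r
    case $triple in
      *"$need"*) ;;
      *) echo "$f: mode $perms lacks '$need' for $user" >&2; return 1 ;;
    esac
  done
  echo "$dir: $fmt-format NSS database, openable by $user"
}

if [ $# -ge 2 ]; then check_nss_db "$1" "$2"; fi
```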