On 05/09/2018 05:56 AM, Michal Medvecky wrote:
Under cn=config, what is
"nsslapd-ssl-check-hostname" set to? Try
setting it to "off" to see if it makes a difference.
Ok, this “helped”, but I have no idea why?
The server uses the openldap client libraries for replication
connections. Setting nsslapd-ssl-check-hostname sets these flags on
the connection as follows:
For server authentication it sets this flag:
LDAPSSL_AUTH_CNCHECK --> This checks the hostname in the
certificate subject to that of the host
For SSL client auth it sets this flag:
LDAP_OPT_X_TLS_HARD
So the issue here is either openldap is not finding the correct
hostname, or the hostname in the certificate subject is wrong.
To check the subject of the certificate use certutil. Here is an
example:
Get the names of the certificates in the security database:
# certutil -L -d /etc/dirsrv/slapd-localhost
Find the server's certificate name (server-cert in this example) and
run the command below:
# certutil -L -d /etc/dirsrv/slapd-localhost -n server-cert | grep Subject
The subject should start with "CN=<FQDN>, ...". Is this host
name complete and correct?
When googling for ‘nsslapd-ssl-check-hostname’, I found this:
> nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
> Specifies whether an SSL-enabled Directory Server (with certificate
> based client authentication turned on) should verify authenticity of
> a request by matching the hostname against the value assigned to the
> Common Name (CN) attribute of the subject name in the certificate
> being presented.
Two arguments:
- I’m _not_ using certificate based client authentications
- my hostnames are valid
What I’m confused with is the error log on ldap-master-b01:
[09/May/2018:11:27:21 +0200] NSMMReplicationPlugin - agmt="cn= rw-to-ldap-master-b02.example.com" (ldap-master-b02:636): Unable to acquire replica: there is no replicated area "dc=example,dc=com" on the consumer server. Replication is aborting.
This means you do not have replication setup for that suffix on the
consumer. Replication will not work until this is done.
[09/May/2018:11:27:21 +0200] NSMMReplicationPlugin - agmt="cn= rw-to-ldap-master-b02.example.com" (ldap-master-b02:636): Incremental update failed and requires administrator action
[09/May/2018:11:36:07 +0200] NSMMReplicationPlugin - agmt_delete: begin
[09/May/2018:11:36:11 +0200] NSMMReplicationPlugin - Need to create replication keep alive entry <cn=repl keep alive 37642,dc=example,dc=com>
[09/May/2018:11:36:11 +0200] NSMMReplicationPlugin - add dn: cn=repl keep alive 37642,dc=example,dc=com
On the fifth line of the log, you can see "ldap-master-b02:636" instead
of the full hostname "ldap-master-b02.example.com", but, as seen in my
previous e-mail, the nsDS5ReplicaHost points to the full hostname.
This is a red herring: the server prints the hostname, not the FQDN,
just in the logging.
Mark
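The check Mark describes above (compare the CN in the server certificate subject, as printed by certutil, with the host named in the replication agreement) as an added, stand-alone example. This is not code from the thread or from 389-ds; the certutil output and the agreement LDIF it parses are constructed samples using the hostnames from this thread, and the function names are the example's own.

```python
"""Compare the CN of a 389-ds server certificate subject with the
nsDS5ReplicaHost of a replication agreement.

Added example (not 389-ds code). The certutil output and the LDIF
below are constructed samples; in practice you would paste the real
output of `certutil -L -d <db> -n <nickname>` and the agreement entry.
"""
import re

# Constructed sample: an excerpt of what `certutil -L -d <db> -n server-cert`
# prints. Only the Subject line is used here.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Example CA,O=Example"
        Subject: "CN=ldap-master-b02.example.com,O=Example"
"""

# Constructed sample: the replication agreement entry on the supplier.
AGREEMENT_LDIF = """\
dn: cn=rw-to-ldap-master-b02.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: rw-to-ldap-master-b02.example.com
nsDS5ReplicaHost: ldap-master-b02.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
"""


def certutil_subject(output: str) -> str:
    """Return the quoted subject DN from certutil output (without quotes)."""
    m = re.search(r'^\s*Subject:\s*"(.*)"\s*$', output, re.MULTILINE)
    if not m:
        raise ValueError("no Subject line in certutil output")
    return m.group(1)


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas into 'attr=value' parts (RFC 4514 style)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def subject_cn(dn: str) -> str:
    """Return the value of the CN attribute in a subject DN."""
    for part in split_dn(dn):
        attr, _, value = part.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    raise ValueError("subject has no CN")


def agreement_host(ldif: str) -> str:
    """Return nsDS5ReplicaHost from an agreement entry in LDIF form."""
    m = re.search(r"^nsDS5ReplicaHost:\s*(\S+)\s*$", ldif, re.MULTILINE)
    if not m:
        raise ValueError("no nsDS5ReplicaHost in agreement")
    return m.group(1)


def check_hostname(cn: str, replica_host: str) -> dict:
    """Exact, case-insensitive comparison of the CN with the configured FQDN.
    A short hostname in the CN can never match an FQDN, so it is flagged."""
    return {
        "cn": cn,
        "replica_host": replica_host,
        "match": cn.lower() == replica_host.lower(),
        "cn_is_short_name": "." not in cn,
    }


def run_check(certutil_out: str = CERTUTIL_OUTPUT, ldif: str = AGREEMENT_LDIF) -> dict:
    """Tie the pieces together for one certificate/agreement pair."""
    return check_hostname(subject_cn(certutil_subject(certutil_out)),
                          agreement_host(ldif))


if __name__ == "__main__":
    print(run_check())
```

With the constructed input the CN and nsDS5ReplicaHost agree, so `match` is true; feeding a certificate whose CN is the short name `ldap-master-b02` yields `match: False` and `cn_is_short_name: True`, which is the mismatch the hostname check would reject even though the access log prints the short name.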
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx