<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I hope I have replied correctly this time.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Yes, I created the certs on both machines using this link:<o:p></o:p></p><p class=MsoNormal><a href="http://xilab.net/blog/389-directory-server-ssl">http://xilab.net/blog/389-directory-server-ssl</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>walking through each step one at a time. As you see, I created a Server-Cert and the serial numbers 1000,1001,1002 for both servers. I can understand if I should have put 1000,1001,1002 for 1 machine and 1100,1101,1102 for the other machine. I followed the instructions on the link you sent me to delete the existing cert and replace it with my new one for server b, which was exported from server a. This time I did not receive error messages when importing; however, I still get the message 81 can’t contact ldap server.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hope this information helps me understand how this works better, as this is the last step.<o:p></o:p></p><p class=MsoNormal><br>On 08/31/2011 09:12 AM, David Hoskinson wrote: <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>This seems to be getting me somewhere…. Thanks for the quick response ….</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>I have run the following commands on the master</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>$ certutil -S -n "consumer-Cert" -s "cn=xxx.stag.cle.us" -c "CA certificate" -t "u,u,u" -m 999 -v 120 -d . 
-k rsa</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Do you have another cert (server cert or ca cert) with the same -m value? The value given to the -m argument must be unique for every cert.<br><br><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>$ pk12util -d . -o consumer-cert.p12 -n Server-Cert</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>And then copied consumer.p12 and cacert.asc to /tmp on server B</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>When I tried to import the replication consumer cert into other 389 DS I receive the following error</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>[root@xxx302 slapd-adm302]# pk12util -d . 
-i /tmp/consumer-cert.p12</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Enter Password or Pin for "NSS Certificate DB":</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Enter Password or Pin for "NSS Certificate DB":</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Enter password for PKCS12 file: </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>pk12util: using nickname: xxx.stag.cle.us</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>pk12util: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rich Megginson [<a href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>] <br><b>Sent:</b> Wednesday, August 31, 2011 10:51 AM<br><b>To:</b> General discussion list for the 389 Directory server project.<br><b>Cc:</b> David Hoskinson<br><b>Subject:</b> Re: [389-users] Setting up multi master replication error 81</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>On 08/31/2011 08:45 AM, David Hoskinson wrote: <o:p></o:p></p><p class=MsoNormal>I have setup 2 servers running the following versions of 389 Directory server<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>389-adminutil-1.1.13-1.el5<o:p></o:p></p><p class=MsoNormal>389-admin-1.1.16-1.el5<o:p></o:p></p><p class=MsoNormal>389-dsgw-1.1.6-1.el5<o:p></o:p></p><p class=MsoNormal>389-ds-1.2.1-1.el5<o:p></o:p></p><p class=MsoNormal>389-ds-base-1.2.8.3-1.el5<o:p></o:p></p><p class=MsoNormal>389-admin-console-1.1.7-1.el5<o:p></o:p></p><p 
class=MsoNormal>389-console-1.1.4-1.el5<o:p></o:p></p><p class=MsoNormal>389-admin-console-doc-1.1.7-1.el5<o:p></o:p></p><p class=MsoNormal>389-ds-base-libs-1.2.8.3-1.el5<o:p></o:p></p><p class=MsoNormal>389-ds-console-1.2.5-1.el5<o:p></o:p></p><p class=MsoNormal>389-ds-console-doc-1.2.5-1.el5<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I have also enabled ssl and created the appropriate certs for each machine. I am able to set each machine as a client so I can test that from server A, I can login to server A while being authenticated by server B and vice versa.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The last problem that I seem to be having is setting up replication. I have enabled the changelog, created a replication account, and enabled replica. When I create my replication agreement on the userRoot, the supplier shows as server A port 389 and the consumer shows as server B 636. I am using Use TLS with ldaps, and simple bind with my replication account and password. I next leave enable fractional replication unchecked, always keep directories in sync and initialize consumer… this is on server A and done. I get the following error message. Consumer initialization has unsuccessfully completed. 
The error received by the replica is ’81 – LDAP error: Can’t contact LDAP server’<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I believe I am reading that in some manner the cacert.asc from server A has to be on server B and the cacert B has to be on server A<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>Correct.<br><a href="http://directory.fedoraproject.org/wiki/Howto:SSL#Exporting_the_certs_for_use_with_other_apps">http://directory.fedoraproject.org/wiki/Howto:SSL#Exporting_the_certs_for_use_with_other_apps</a><br><br><br><br></span><o:p></o:p></p><p class=MsoNormal>but am not sure and having problems with this.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Any help with this would be appreciated and can provide additional information if needed… <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>David Hoskinson | <b><span style='color:blue'>DATATRAK</span></b><span style='color:blue'> International</span><br>Systems Engineer<br>Mayfield Heights, Ohio, USA <br>+1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)<br><a href="mailto:david.hoskinson@datatrak.net" title="blocked::mailto:anna.lyatkher@datatrak.net">david.hoskinson@datatrak.net</a> | <a href="http://www.datatrak.net/" title="blocked::http://www.datatrak.net/ http://www.datatrak.net/">www.datatrak.net</a></span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre>--<o:p></o:p></pre><pre>389 users mailing list<o:p></o:p></pre><pre><a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><o:p></o:p></pre><pre><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><o:p></o:p></pre><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> 
</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>David Hoskinson | </span><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>DATATRAK</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'> International</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><br>Systems Engineer<br>Mayfield Heights, Ohio, USA <br>+1.440.443.0082 x 124 (p</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>) | +1.319<span style='color:black'>.471.3689 (m)<br><a href="mailto:david.hoskinson@datatrak.net" title="blocked::mailto:anna.lyatkher@datatrak.net"><span style='color:blue'>david.hoskinson@datatrak.net</span></a> | <a href="http://www.datatrak.net/" title="blocked::http://www.datatrak.net/ http://www.datatrak.net/"><span style='color:blue'>www.datatrak.net</span></a></span></span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
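A check for the serial collision Rich points out above (the `-m` value must be unique per issuer, or `pk12util` refuses the import), written as an added example and not code from the thread or from the 389 project; it assumes the pretty-print layout of `certutil -L -d <nssdb> -n <nickname>` output and runs over constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread: find the issuer/serial collision that
# makes pk12util refuse an import ("same issuer/serial as an existing cert,
# but that is not the same cert"). Feed it the pretty-printed output of
#   certutil -L -d <nssdb> -n <nickname>
# for every server and CA cert on both machines; it reports each
# (issuer, serial) pair attached to more than one distinct subject (an
# approximation of NSS's whole-certificate compare). Assumes NSS's
# "Serial Number: N (0x..)", "Issuer:" and "Subject:" print layout.

find_serial_collisions() {
    awk '
        /^ *Serial Number:/ { serial = $3 }
        /^ *Issuer:/        { sub(/^ *Issuer: */, ""); issuer = $0 }
        /^ *Subject:/       {
            sub(/^ *Subject: */, "")
            key = issuer "|" serial
            if (key in subj && subj[key] != $0)
                dup[key] = subj[key] " and " $0
            subj[key] = $0
        }
        END {
            for (k in dup) {
                split(k, p, "|")
                printf "issuer %s serial %s used by %s\n", p[1], p[2], dup[k]
            }
        }
    '
}

# Constructed sample: both servers ran certutil -S with -m 1000 against the
# same CA (the situation in the thread), plus one non-colliding -m 1001 cert.
SAMPLE_OUTPUT='Certificate:
    Data:
        Serial Number: 1000 (0x3e8)
        Issuer: "CN=CA certificate,O=Example"
        Subject: "CN=server-a.example.test"
Certificate:
    Data:
        Serial Number: 1000 (0x3e8)
        Issuer: "CN=CA certificate,O=Example"
        Subject: "CN=server-b.example.test"
Certificate:
    Data:
        Serial Number: 1001 (0x3e9)
        Issuer: "CN=CA certificate,O=Example"
        Subject: "CN=server-a.example.test"
'

printf '%s' "$SAMPLE_OUTPUT" | find_serial_collisions
```

Run it before exporting a cert to the other server: an empty result means no serial reuse under that CA, and the import will not hit the issuer/serial error.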