On 08/20/2014 03:58 PM, Elizabeth Jones wrote:
additional info -
I increased logging on my supplier and see this error now -
TLS: hostname does not match CN in peer certificate
When I created the replication agreement, it is giving me a default
consumer, I don't know why. The default is ldap1.mycompany.com:389.
The certificate from ldap1 has just ldap1 as the name. I entered ldap1
and port 636 when I created the agreement, but after I do this it becomes
ldap1.mycompany.com:636. Would this be why it's failing, it wants the
certificate to have ldap1.mycompany.com in it rather than ldap1?
Correct, you need to use the fully qualified domain name for certificates.
Regards,
Mark
thanks,
EJ
> I have multimaster replication set up on 4 LDAP servers but can't get
> secure replication working on one of the servers. The setup is like this
> --
>
> data center 1 data center 2
>
> ldap1 <-------> ldap1
>
> ^ | ^ |
> / | | |
> | v | v
>
> ldap2 ldap2
>
>
> each server has its own self-signed cert.
>
> I can successfully replicate in all the directions indicated except for
> replication from data center1 ldap2 to data center1 ldap1.
>
> I know that I have the right certificate on ldap2. I can ldapsearch -ZZ
> from ldap2 to ldap1 successfully using this certificate. I can
> successfully replicate from data center 2 ldap1 to data center1 ldap1
> using this certificate. But replication refuses to work from DC1 ldap2 to
> DC1 ldap1!!!!
>
> The logs say LDAP error: Can't contact LDAP server. Error Code: -1.
>
> I've disabled iptables on both data center 1 ldaps. I've rebuilt the
> replication agreement a dozen times. I've ldapsearch -zz'ed a dozen times.
> I've reinstalled the CA certificate (using the one from my openldap
> directory, so I know that it is the same one that is working for
> ldapsearch -ZZ, as well as exporting it from ldap1 again and reinstalling
> it). What else can I possibly do to get this working?
>
> These are my rpms -
> # rpm -qa | grep 389
> 389-ds-base-libs-1.2.11.25-1.el6.x86_64
> 389-ds-console-1.2.6-1.el6.noarch
> 389-admin-1.1.35-1.el6.x86_64
> 389-ds-base-1.2.11.25-1.el6.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-console-1.1.7-1.el6.noarch
> 389-adminutil-1.1.19-1.el6.x86_64
> openssl-1.0.1e-16.el6_5.4.x86_64
>
> # uname -a
> Linux dc1-ldap2 2.6.32-431.5.1.el6.x86_64
>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
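The name check behind the "hostname does not match CN in peer certificate" error, as an added example that is not from this thread or from 389-ds itself: a small Python matcher applying the usual subjectAltName-then-CN rule, which shows why a certificate naming only `ldap1` fails once the agreement expands the consumer to `ldap1.mycompany.com`. The two certificate descriptions are constructed from the thread; the function names are the example's own.

```python
"""Check an LDAP server's certificate names against the host a client connects to."""

# Constructed from the thread: ldap1's self-signed cert carries only the short
# hostname in the CN and no subjectAltName.
LDAP1_CERT = {"cn": "ldap1", "san": []}
# Constructed fix: a cert for ldap1 that names the FQDN, with the short name as
# an extra SAN so both connect strings work.
LDAP1_CERT_FQDN = {"cn": "ldap1.mycompany.com",
                   "san": ["ldap1.mycompany.com", "ldap1"]}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is only allowed
    as the whole leftmost label, and it never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial-label wildcards, '*.com'-style patterns and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a verifier considers: the dNSName SANs if present, else the CN."""
    return list(cert["san"]) if cert["san"] else [cert["cn"]]


def hostname_matches(cert, hostname):
    """Return (ok, reason) for the hostname the client actually connected to."""
    names = cert_names(cert)
    for name in names:
        if _dns_name_matches(name, hostname):
            return True, f"'{hostname}' matches certificate name '{name}'"
    return False, (f"TLS: hostname does not match CN in peer certificate: "
                   f"connected to '{hostname}', certificate names {names}")


if __name__ == "__main__":
    # The agreement stores the consumer as its FQDN, so that is the name checked.
    for cert in (LDAP1_CERT, LDAP1_CERT_FQDN):
        for host in ("ldap1", "ldap1.mycompany.com"):
            print(hostname_matches(cert, host)[1])
```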