Hi All,
I am trying to create multi-master replication in 389. But I am having trouble using ldapmodify to create a replication manager DN account.
I get the following error:
Additional info: TLS error -8157: Certificate extension not found
I went on the web and some people suggested I have a TLS_REQCERT=none line in /etc/openldap/ldap.conf, but this did not fix it either.
My certificate in /etc/openldap/cacerts is called cacert.asc.
Does anyone know how I can fix my problem?
Thanks,
R
On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K. <Rohit.Chaudhari@jhuapl.edu> wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Not totally sure, but don't use the "="
here is mine:
URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
BASE ou=People,dc=domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
# TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT allow
you can set it to "TLS_REQCERT never" as well.
Also consider setting the TLS_CACERTDIR and TLS_CACERT
For testing I know "TLS_REQCERT never" works.
For production I use:
TLS_REQCERT demand
TLS_CACERT /path/to/ca_cert.pem
If "TLS_REQCERT never" works, then there's something wrong with your cert most likely. Though I'd expect a generic connection error if you were just having a problem verifying the certificate. Does ldapsearch/ldapmodify work for other operations?
Otherwise maybe send us the exact command you're running?
-morgan
On Mar 6, 2014, at 12:29 PM, Justin Edmands <shockwavecs@gmail.com> wrote:
Okay, I will take a look and report back.
Thanks,
Rohit
On 3/6/14 12:58 PM, "Morgan Jones" <morgan@morganjones.org> wrote:
I had to put a "-x" after ldapmodify to make it use simple authentication versus SASL. My 389 DS is not SASL enabled, but it does have a self-signed CA certificate. When I tried to just set TLS_REQCERT never, it did not work. I haven't tried testing the TLS_CACERT variable, where I set exactly what the cacert.asc is. Could there be a problem of creating the certificate with certutil versus OpenSSL (certutil results in .asc file)?
Look forward to thoughts,
R
On 3/6/14 1:04 PM, "Chaudhari, Rohit K." <Rohit.Chaudhari@jhuapl.edu> wrote:
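Added example (mine, not code from any poster in this thread or from the 389 project): a POSIX shell script that puts the two ldap.conf stanzas discussed above side by side, the verification-off "TLS_REQCERT never" form that Justin and Morgan suggest for testing and the "TLS_REQCERT demand" plus TLS_CACERT form Morgan uses in production, checks that a CA file exported with certutil is really PEM whatever its extension (certutil -L -a writes PEM text, so a .asc file is fine as TLS_CACERT as long as it holds a CERTIFICATE block), and probes the server with a simple bind (-x) under strict verification. Two facts from ldap.conf(5) the script relies on: keyword and value are separated by whitespace, so "TLS_REQCERT=none" is one unknown token rather than a setting, and the valid levels are never, allow, try and demand. The hostnames, base DN, NSS database path and the nickname "CA certificate" are placeholders I chose; none of them come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders (assumptions): the URIs,
# the BASE, the NSS db directory and the nickname "CA certificate".

# Render the TLS part of /etc/openldap/ldap.conf for one of two modes.
#   testing    -> TLS_REQCERT never   (server cert NOT verified: an on-path
#                 attacker can impersonate the directory and read the bind)
#   production -> TLS_REQCERT demand  (server cert verified against TLS_CACERT)
# Keyword and value are whitespace-separated; "=" is never part of the syntax.
render_ldap_conf() {
    mode=$1
    ca=${2:-/etc/openldap/cacerts/cacert.pem}
    printf 'URI ldaps://dir1.example.com ldaps://dir2.example.com\n'
    printf 'BASE dc=example,dc=com\n'
    case $mode in
        testing)
            printf 'TLS_REQCERT never\n' ;;
        production)
            printf 'TLS_CACERT %s\n' "$ca"
            printf 'TLS_REQCERT demand\n' ;;
        *)
            echo "unknown mode: $mode (use testing|production)" >&2
            return 2 ;;
    esac
}

# Does the file hold a PEM certificate block? certutil -L -a emits exactly
# this format, so a file named cacert.asc is usable as TLS_CACERT if this
# returns 0. Returns 1 otherwise (binary DER, empty file, wrong file).
ca_file_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Export the CA from a 389 DS NSS database as PEM text.
# $1 = NSS db directory (e.g. /etc/dirsrv/slapd-INSTANCE), $2 = nickname.
export_ca_from_nss() {
    certutil -L -d "$1" -n "${2:-CA certificate}" -a
}

# Probe the server with a simple bind (-x) and strict verification, using the
# LDAPTLS_* environment variables to override ldap.conf for this one run.
# $1 = hostname, $2 = path to the PEM CA file.
tls_probe() {
    host=$1; ca=$2
    ca_file_is_pem "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT=$ca \
        ldapsearch -x -H "ldaps://$host" -b '' -s base '(objectClass=*)' namingContexts
}

# Stand-alone usage:
#   sh ldaptls.sh render production /etc/openldap/cacerts/cacert.asc
#   sh ldaptls.sh check  /etc/openldap/cacerts/cacert.asc
#   sh ldaptls.sh export /etc/dirsrv/slapd-INSTANCE "CA certificate" > cacert.pem
#   sh ldaptls.sh probe  dir1.example.com /etc/openldap/cacerts/cacert.asc
case "${1:-}" in
    render) render_ldap_conf "$2" "${3:-}" ;;
    check)  ca_file_is_pem "$2" && echo "PEM certificate: $2" ;;
    export) export_ca_from_nss "$2" "${3:-}" ;;
    probe)  tls_probe "$2" "$3" ;;
esac
```

If the probe only succeeds with LDAPTLS_REQCERT=never, the failure is in certificate validation and the fix belongs on the certificate or CA file side; leaving never or allow in the production ldap.conf just turns off the check that would have caught an impersonated server.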