I had to put a "-x" after ldapmodify to make it use simple authentication
versus SASL. My 389 DS is not SASL enabled, but it does have a
self-signed CA certificate. When I tried to just set TLS_REQCERT never,
it did not work. I haven't tried testing the TLS_CACERT variable, where I
set exactly what the cacert.asc is. Could there be a problem of creating
the certificate with certutil versus openSSL (certutil results in .asc
file)?
Look forward to thoughts,
R
On 3/6/14 1:04 PM, "Chaudhari, Rohit K." <Rohit.Chaudhari(a)jhuapl.edu>
wrote:
Okay, I will take a look and report back.
Thanks,
Rohit
On 3/6/14 12:58 PM, "Morgan Jones" <morgan(a)morganjones.org> wrote:
>For testing I know "TLS_REQCERT never" works.
>
>For production I use:
>TLS_REQCERT demand
>TLS_CACERT /path/to/ca_cert.pem
>
>If TLS_REQCERT never works then there's something wrong with your cert
>most likely. Though I'd expect a generic connection error if were just
>having a problem verifying the certificate. Does ldapsearch/ldapmodify
>work for other operations?
>
>Otherwise maybe send us the exact command you're running?
>
>-morgan
>
>
>On Mar 6, 2014, at 12:29 PM, Justin Edmands <shockwavecs(a)gmail.com>
>wrote:
>
>> On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K.
>><Rohit.Chaudhari(a)jhuapl.edu> wrote:
>> Hi All,
>>
>> I am trying to create multi-master replication in 389. But I am having
>> trouble using ldapmodify to create a replication manager DN account
>>
>> I get the following error:
>>
>> Additional info: TLS error -8157: Certificate extension not found
>>
>> I went on the web and some people suggested I have a TLS_REQCERT=none
>>line
>> in /etc/openldap/ldap.conf, but this did not fix it either.
>>
>> My certificate in /etc/openldap/cacerts is called cacert.asc.
>>
>> Does anyone know how I can fix my problem?
>>
>> Thanks,
>>
>> R
>>
>> --
>> 389 users mailing list
>> 389-users(a)lists.fedoraproject.org
>>
https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> Not totally sure, but don't use the "="
>>
>> here is mine:
>>
>> URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
>> BASE ou=People,dc=domain,dc=com
>> TLS_CACERTDIR /etc/openldap/cacerts
>> # TLS_CACERT /etc/openldap/cacerts/cacert.asc
>> TLS_REQCERT allow
>>
>> you can set it to "TLS_REQCERT never" as well.
>>
>> Also consider setting the TLS_CACERTDIR and TLS_CACERT
>>
>> --
>> 389 users mailing list
>> 389-users(a)lists.fedoraproject.org
>>
https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>--
>389 users mailing list
>389-users(a)lists.fedoraproject.org
>https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users