William, thank you for the reply. Below is the output of the certutil command for the host with the error (Failed to get the default state of cipher). To deploy almost identical LDAP hosts, the sysadmin here is using Puppet, but unfortunately there are always issues with RPM version mismatches and config. Can you suggest another solution to deploy multiple LDAP hosts all running the same version and almost the same config? The only difference between the LDAP hosts is the name of the DS instance, i.e. ldap*.
Here is the output as per your request: certutil -L -d /etc/dirsrv/slapd-ldap2/

Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

n1-2.xxx.xxx.xx                       u,u,u
XX Internal Root CA                   CT,,
XX Internal CA                        CT,,
Regards Isabella
From: William Brown wbrown@suse.de
Subject: [389-users] Re: 389-DS Failed to get the default state of cipher
To: "389-users@lists.fedoraproject.org" 389-users@lists.fedoraproject.org
Message-ID: 87B2EB8A-BA13-4F9B-979E-252D5423C0C1@suse.de
Content-Type: text/plain; charset=utf-8

we have another host with the same version and supposedly the same config but never saw the error,

[24/Jun/2020:09:22:54.687024072 -0700] - ERR - Security Initialization - _conf_setallciphers - Failed to get the default state of cipher (null)
I'm curious - how did you make a host with the same config? Normally with 389 you need to configure both individually to look the same but you can't copy-paste config files etc.
My guess here is that perhaps your nss db isn't configured properly, so I'd want to see the output of certutil -L -d /etc/dirsrv/slapd-<instance>/ on the affected host.
- Sincerely,
William Brown
On 26 Jun 2020, at 05:08, Ghiurea, Isabella Isabella.Ghiurea@nrc-cnrc.gc.ca wrote:
William, thank you for the reply. Below is the output of the certutil command for the host with the error (Failed to get the default state of cipher). To deploy almost identical LDAP hosts, the sysadmin here is using Puppet, but unfortunately there are always issues with RPM version mismatches and config. Can you suggest another solution to deploy multiple LDAP hosts all running the same version and almost the same config? The only difference between the LDAP hosts is the name of the DS instance, i.e. ldap*.
Yeah, you can't do that easily.
If you want "repeatable" installs, you should look at docker images for 389 instead, because you can just add files into /data/config after the first run, or you'll need to run dscreate on every host. Else we can't guarantee you've "taken all the steps" properly, which leaves your instance in unknown or unsupportable configurations like this :(
For example, in your nssdb there are hidden generated secrets that 389 uses to encrypt attributes like replication secrets. So copying dse.ldif from one host to another means you won't be able to access those secrets because the nss db may differ. There are stacks of other examples like this.
Alternatively, you need Puppet to run dscreate with from-file, followed by a series of post-install dsctl commands.
In the past I considered making an ansible module, but the interest evaporated really.
:( sorry about that,
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
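William's advice above is to have the deployment tool run dscreate from-file on every host rather than copying dse.ldif or the NSS database between hosts. The script below is an added example, not code from the thread or from the 389-ds project: it renders a dscreate .inf in which only the instance name and FQDN differ per host, creates the instance on that host so the NSS database and its generated secrets are produced locally, and then runs the same certutil -L check used in this thread. It assumes the 389-ds command-line tools are installed, that the Directory Manager password arrives in the DS_ROOT_PW environment variable, and that dc=example,dc=com and the n1-2.example.test hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the 389-ds project): a repeatable
# per-host install in the spirit of "run dscreate from-file on every host".
# Assumptions: the instance name is the only per-host difference, the
# Directory Manager password is supplied in DS_ROOT_PW, and the suffix and
# hostnames below are constructed placeholders.

# render_inf NAME FQDN: print a dscreate .inf where only the instance name
# and machine name vary; everything else is fixed so that every host takes
# the same install path.
render_inf() {
    name=$1
    fqdn=$2
    printf '%s\n' \
        '[general]' \
        'config_version = 2' \
        "full_machine_name = $fqdn" \
        '' \
        '[slapd]' \
        "instance_name = $name" \
        'port = 389' \
        'secure_port = 636' \
        'self_sign_cert = True' \
        "root_password = ${DS_ROOT_PW:-CHANGE_ME_PLACEHOLDER}" \
        '' \
        '[backend-userroot]' \
        'suffix = dc=example,dc=com' \
        'sample_entries = no'
}

# inf_has KEY VALUE NAME FQDN: return 0 if the rendered .inf contains the
# exact line "KEY = VALUE" (a pre-deployment sanity check on the render).
inf_has() {
    render_inf "$3" "$4" | grep -qx "$1 = $2"
}

# deploy_instance NAME FQDN: create the instance from the rendered file,
# then inspect the NSS database the way the thread does and confirm the
# instance is running. Requires dscreate, dsctl and certutil on the host.
deploy_instance() {
    name=$1
    fqdn=$2
    inf=$(mktemp) || return 1        # mktemp creates the file mode 0600
    render_inf "$name" "$fqdn" > "$inf"
    # dscreate generates the NSS db and its hidden secrets on this host,
    # which copying dse.ldif from another host would have skipped.
    dscreate from-file "$inf" || { rm -f "$inf"; return 1; }
    rm -f "$inf"                      # the .inf holds the root password
    # Expect the server cert plus any CA entries to be listed; an NSS db
    # that is not set up properly is William's guess for the error above.
    certutil -L -d "/etc/dirsrv/slapd-$name/" || return 1
    dsctl "$name" status
}

# Usage on a target host (not run here):
#   DS_ROOT_PW='...' deploy_instance ldap2 n1-2.example.test
```

Per-host steps that must differ (adding the organisation's CA certificates, enabling replication) belong after deploy_instance as dsconf or dsctl commands run against the freshly created instance, not as files copied into /etc/dirsrv.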