[389-users] Problems with replication over SSL

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jun 9 20:46:30 UTC 2009 

On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
> Hi all,
> 
> I'm trying to setup replication over ssl and am running into problems. I
> first tried it unencrypted and all worked fine. I then copied over the
> consumer's CA certificate and set up replication with SSL and Simple
> Authentication. It doesn't work and I now get the following errors:
> 
> When I set it up:
> supplier error log:
> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
> server), Netscape Portable Runtime error -5938 (Encountered end of file.)
> 
> these appear thereafter:
> consumer access log:
> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
> 10.1.1.100 to 10.1.1.101
> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
> (Protocol error) - B1
> 
> consumer error log:
> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag
> 0x80, expected 0x30)
> 
> Versions:
> Supplier:
> fedora-ds-1.1.2-1.fc6
> fedora-ds-dsgw-1.1.1-1.fc6
> fedora-ds-base-1.1.3-2.fc6
> fedora-ds-admin-1.1.6-1.fc6
> fedora-ds-admin-console-1.1.2-1.fc6
> fedora-ds-console-1.1.2-1.fc6
> 
> Consumer:
> fedora-ds-admin-1.1.7-3.fc6
> fedora-ds-admin-console-1.1.3-1.fc6
> fedora-ds-base-1.2.0-2.fc6
> fedora-ds-dsgw-1.1.2-1.fc6
> fedora-ds-console-1.2.0-1.fc6
> fedora-ds-1.1.3-1.fc6
> 
> I'm at a loss as to how to proceed with troubleshooting and would
> appreciate any suggestions.
> 
> Thanks,
> Dan Weintraub
<snip>
Hi, Dan. Here is a snippet from our internal documentation.  I apologize
that I don't have time to customize it or analyze your issue more deeply
but perhaps our findings will help you in your environment.  Given
Rich's comment, I wonder if you were stung by the same error in
documentation we noted below:

        Go back to the centos-idm-console on ldap1
        Go to the Configuration tab, select the userRoot under the
        Replication
        object in the left panel.  Left/right client and choose New
        Replication
        Agreement
        The name is "mycompany.com ldap1->ldap2" and the Description is
        "Replicates mycompany.com from ldap1 to ldap2".  Click Next.
        Set the Consumer to ldap2.mycompany.com:389 from the drop down
        box (389 is correct even though we are really using 636) - Oops!
        That is not true despite what the documentation says.  Click
        other and create a new entry for ldap2.mycompany.com on port
        636.
        Enable the SSL connection.
        Enter cn=repuser,cn=config for the Bind As and enter the
        password.
        Click Next and then Next again.
        We will always keep directories in sync so click Next again.
        Choose Initialize Consumer Now and click Next
        Click Done

If you need more details, e.g., about how we set up SSL, I posted most
of our internal procedure a day or two ago on this mailing list in
response to a post entitled "Developting a CentOS-DS setup".  You can
find much more detail there.

Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

More information about the 389-users mailing list