[389-users] Problems with replication over SSL
Dan Weintraub
dweintraub+fds at vecna.com
Wed Jun 10 20:31:51 UTC 2009
Thanks, that's exactly what I was following. Now that I've got the port
corrected I'm getting a certificate error despite having the correct
certificates set up (or so I thought...). I'll read through that
documentation you posted and see if I can sort it out.
Thanks,
Dan
PS
NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime
error -8172 (Peer's certificate issuer has been marked as not trusted by
the user.)
John A. Sullivan III wrote:
> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
>> Hi all,
>>
>> I'm trying to setup replication over ssl and am running into problems. I
>> first tried it unencrypted and all worked fine. I then copied over the
>> consumer's CA certificate and set up replication with SSL and Simple
>> Authentication. It doesn't work and I now get the following errors:
>>
>> When I set it up:
>> supplier error log:
>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
>> server), Netscape Portable Runtime error -5938 (Encountered end of file.)
>>
>> these appear thereafter:
>> consumer access log:
>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
>> 10.1.1.100 to 10.1.1.101
>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
>> (Protocol error) - B1
>>
>> consumer error log:
>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag
>> 0x80, expected 0x30)
>>
>> Versions:
>> Supplier:
>> fedora-ds-1.1.2-1.fc6
>> fedora-ds-dsgw-1.1.1-1.fc6
>> fedora-ds-base-1.1.3-2.fc6
>> fedora-ds-admin-1.1.6-1.fc6
>> fedora-ds-admin-console-1.1.2-1.fc6
>> fedora-ds-console-1.1.2-1.fc6
>>
>> Consumer:
>> fedora-ds-admin-1.1.7-3.fc6
>> fedora-ds-admin-console-1.1.3-1.fc6
>> fedora-ds-base-1.2.0-2.fc6
>> fedora-ds-dsgw-1.1.2-1.fc6
>> fedora-ds-console-1.2.0-1.fc6
>> fedora-ds-1.1.3-1.fc6
>>
>> I'm at a loss as to how to proceed with troubleshooting and would
>> appreciate any suggestions.
>>
>> Thanks,
>> Dan Weintraub
> <snip>
> Hi, Dan. Here is a snippet from our internal documentation. I apologize
> that I don't have time to customize it or analyze your issue more deeply
> but perhaps our findings will help you in your environment. Given
> Rich's comment, I wonder if you were stung by the same error in
> documentation we noted below:
>
> Go back to the centos-idm-console on ldap1
> Go to the Configuration tab, select the userRoot under the
> Replication
> object in the left panel. Left/right click and choose New
> Replication
> Agreement
> The name is "mycompany.com ldap1->ldap2" and the Description is
> "Replicates mycompany.com from ldap1 to ldap2". Click Next.
> Set the Consumer to ldap2.mycompany.com:389 from the drop down
> box (389 is correct even though we are really using 636) - Oops!
> That is not true despite what the documentation says. Click
> other and create a new entry for ldap2.mycompany.com on port
> 636.
> Enable the SSL connection.
> Enter cn=repuser,cn=config for the Bind As and enter the
> password.
> Click Next and then Next again.
> We will always keep directories in sync so click Next again.
> Choose Initialize Consumer Now and click Next
> Click Done
>
> If you need more details, e.g., about how we set up SSL, I posted most
> of our internal procedure a day or two ago on this mailing list in
> response to a post entitled "Developting a CentOS-DS setup". You can
> find much more detail there.
>
> Good luck - John
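The two failures in this thread leave distinct fingerprints in the 389 DS logs: with the agreement pointed at the plain port 389 while SSL is enabled, the supplier reports NSPR -5938 (end of file) and the consumer logs a "non-LDAP message (tag 0x80, expected 0x30)", because an SSLv2-compatible ClientHello starts with 0x80 while every LDAP PDU starts with the BER SEQUENCE tag 0x30; once the port is corrected to 636, NSS -8172 says the supplier does not trust the issuer of the consumer's certificate. The following triage helper is an added example, not code from the thread or from 389 DS: the regular expressions, the first-byte table and the code-to-cause mapping are my own, built only from the error codes and messages quoted above, and the sample log lines are copied from the thread.

```python
"""Triage 389/Fedora DS replication-over-SSL failures from error-log lines.

Added example (not part of 389 DS). The mapping from NSPR/NSS error codes to
causes covers the two codes seen in the thread; anything else is reported
as "other" so it is not mis-diagnosed.
"""
import re

# Meaning of the first byte a client sends, used to read the consumer's
# "non-LDAP message (tag 0x.., expected 0x30)" complaint.
FIRST_BYTE_MEANING = {
    0x30: "BER SEQUENCE, i.e. a plain LDAP PDU",
    0x16: "TLS record of type handshake (TLS ClientHello)",
    0x80: "SSLv2-compatible ClientHello (2-byte length, high bit set)",
}

# NSPR/NSS error codes quoted in the thread and their most likely cause.
NSPR_CAUSES = {
    -5938: ("Encountered end of file",
            "peer closed the connection; typical when SSL is enabled in the "
            "agreement but the consumer port is the plain LDAP port"),
    -8172: ("Peer's certificate issuer not trusted",
            "the consumer's CA certificate is missing from, or not trusted "
            "in, the supplier's NSS certificate database"),
}

AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): '
    r'Simple bind failed, LDAP sdk error (?P<ldap>\d+) .*?'
    r'Netscape Portable Runtime error (?P<nspr>-?\d+)'
)
NONLDAP_RE = re.compile(
    r'received a non-LDAP message \(tag 0x(?P<got>[0-9a-fA-F]{2}), '
    r'expected 0x(?P<want>[0-9a-fA-F]{2})\)'
)


def describe_first_byte(b):
    """Human-readable meaning of the first byte of an inbound message."""
    return FIRST_BYTE_MEANING.get(b, "unknown protocol (0x%02x)" % b)


def triage(line):
    """Classify one 389 DS error-log line.

    Returns (category, explanation) or None when the line is not one of
    the replication failures this helper understands.
    """
    m = AGMT_RE.search(line)
    if m:
        nspr = int(m.group("nspr"))
        port = int(m.group("port"))
        text, cause = NSPR_CAUSES.get(
            nspr, ("unknown NSPR/NSS error", "consult the NSS/NSPR error tables"))
        if nspr == -5938 and port == 389:
            category = "port-mismatch"
        elif nspr == -8172:
            category = "untrusted-issuer"
        else:
            category = "other"
        return category, '%s -> %s:%d, NSPR %d (%s): %s' % (
            m.group("agmt"), m.group("host"), port, nspr, text, cause)
    m = NONLDAP_RE.search(line)
    if m:
        got = int(m.group("got"), 16)
        want = int(m.group("want"), 16)
        category = "port-mismatch" if got in (0x16, 0x80) else "non-ldap"
        return category, "consumer got %s but expected %s" % (
            describe_first_byte(got), describe_first_byte(want))
    return None


# Log lines copied from the thread (the wrapped lines are joined here).
SAMPLE_LINES = [
    '[01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" '
    '(fds:389): Simple bind failed, LDAP sdk error 81 (Can\'t contact LDAP '
    'server), Netscape Portable Runtime error -5938 (Encountered end of file.)',
    '[01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message '
    '(tag 0x80, expected 0x30)',
    'NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, '
    'LDAP sdk error 81 (Can\'t contact LDAP server), Netscape Portable '
    'Runtime error -8172 (Peer\'s certificate issuer has been marked as not '
    'trusted by the user.)',
]


def triage_all(lines):
    """Return the category of every recognised line, in order."""
    return [r[0] for r in (triage(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

Run on the thread's own lines it reports the sequence Dan went through: port-mismatch for the first two entries, then untrusted-issuer after the agreement was moved to 636. The remedy for the last one is on the supplier side, not the consumer's: the CA that issued the consumer's server certificate has to be present in the supplier instance's NSS database with CA trust (for example `certutil -A -t "CT,," -n <nickname> -i ca.pem -d <supplier instance cert db directory>`, with the directory substituted for your instance), which is what John's "copied over the consumer's CA certificate" step must actually achieve.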