[389-users] Setting up multi master replication error 81

Rich Megginson rmeggins at redhat.com
Wed Aug 31 18:24:21 UTC 2011 

On 08/31/2011 10:47 AM, David Hoskinson wrote:
>
> I hope I have replied correctly this time.
>
> Yes I created the certs on both machines using this link:
>
> http://xilab.net/blog/389-directory-server-ssl
>
> walking through each step one at a time.  As you see I created a 
> Server-Cert and the serial number 1000,1001,1002 for both servers.  I 
> can understand if I should have put 1000,1001,1002 for 1 machine and 
> 1100,1101,1102 for other machine.  I followed the instructions on the 
> link you sent me to delete existing cert and replace with my new one 
> for server b which was exported from server a.  This time I did not 
> receive error messages when importing, however I still get the message 
> 81 can't contact ldap server.
>
You can use mozldap ldapsearch to troubleshoot setting up SSL:

/usr/lib64/mozldap/ldapsearch -h fqdn -ZZZ -P 
/etc/dirsrv/slapd-NAME/cert8.db -s base -b "" "objectclass=*"
>
> Hope this information helps helps me understand how this works better 
> as this is the last step.
>
>
> On 08/31/2011 09:12 AM, David Hoskinson wrote:
>
> This seems to be getting me somewhere.... Thanks for the quick 
> response ....
>
> I have run the following commands on the master
>
> $ certutil -S -n "consumer-Cert" -s "cn=xxx.stag.cle.us" -c "CA 
> certificate" -t "u,u,u" -m 999 -v 120 -d . -k rsa
>
> Do you have another cert (server cert or ca cert) with the same -m 
> value?  The value given to the -m argument must be unique for every cert.
>
> $ pk12util -d . -o consumer-cert.p12 -n Server-Cert
>
> And then copied consumer.p12 and cacert.asc to /tmp on server B
>
> When I tried to import the replication consumer cert into other 389 DS 
> I receive the following error
>
> [root at xxx302 slapd-adm302]# pk12util -d . -i /tmp/consumer-cert.p12
>
> Enter Password or Pin for "NSS Certificate DB":
>
> Enter Password or Pin for "NSS Certificate DB":
>
> Enter password for PKCS12 file:
>
> pk12util: using nickname: xxx.stag.cle.us
>
> pk12util: PKCS12 decode import bags failed: You are attempting to 
> import a cert with the same issuer/serial as an existing cert, but 
> that is not the same cert.
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, August 31, 2011 10:51 AM
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* David Hoskinson
> *Subject:* Re: [389-users] Setting up multi master replication error 81
>
> On 08/31/2011 08:45 AM, David Hoskinson wrote:
>
> I have setup 2 servers running the following versions of 389 Directory 
> server
>
> 389-adminutil-1.1.13-1.el5
>
> 389-admin-1.1.16-1.el5
>
> 389-dsgw-1.1.6-1.el5
>
> 389-ds-1.2.1-1.el5
>
> 389-ds-base-1.2.8.3-1.el5
>
> 389-admin-console-1.1.7-1.el5
>
> 389-console-1.1.4-1.el5
>
> 389-admin-console-doc-1.1.7-1.el5
>
> 389-ds-base-libs-1.2.8.3-1.el5
>
> 389-ds-console-1.2.5-1.el5
>
> 389-ds-console-doc-1.2.5-1.el5
>
> I have also enabled ssl and created the appropriate certs for each 
> machine.  I am able to set each machine as a client so I can test that 
> from server A, I can login to server A while being authenticated by 
> server B and vice versa.
>
> The last problem that I seem to be having is setting up replication.  
> I have enabled the changelog, created a replication account, and 
> enabled replica.  When I create my replication agreement on the 
> userRoot, the supplier shows as server A port 389 and the consumer 
> shows as server B 636.  I am using Use TLS with ldaps, and simple bind 
> with my replication account and password.  I next leave enable 
> fractional replication unchecked, always keep directories in sync and 
> initialize consumer... this is on server A and done.  I get the 
> following error message.  Consumer initialization has unsuccessfully 
> completed.  The error received by the replica is '81 -- LDAP error: 
> Can't contact LDAP server'
>
> I believe I am reading that in some manner the cacert.asc from server 
> A has to be on server B and the cacert B has to be on server A
>
>
> Correct.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Exporting_the_certs_for_use_with_other_apps
>
>
>
> but am not sure and having problems with this.
>
> Any help with this would be appreciated and can provide additional 
> information if needed...
>
> David Hoskinson | *DATATRAK*International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
> david.hoskinson at datatrak.net <mailto:david.hoskinson at datatrak.net> | 
> www.datatrak.net <http://www.datatrak.net/>
>
>   
>   
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> David Hoskinson | *DATATRAK*International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
> david.hoskinson at datatrak.net <mailto:david.hoskinson at datatrak.net> | 
> www.datatrak.net <http://www.datatrak.net/>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110831/ebd3f1d4/attachment.html>

More information about the 389-users mailing list