[389-users] Setting up multi master replication error 81
Rich Megginson
rmeggins at redhat.com
Wed Aug 31 18:24:21 UTC 2011
On 08/31/2011 10:47 AM, David Hoskinson wrote:
>
> I hope I have replied correctly this time.
>
> Yes I created the certs on both machines using this link:
>
> http://xilab.net/blog/389-directory-server-ssl
>
> walking through each step one at a time. As you see I created a
> Server-Cert and the serial number 1000,1001,1002 for both servers. I
> can understand if I should have put 1000,1001,1002 for 1 machine and
> 1100,1101,1102 for other machine. I followed the instructions on the
> link you sent me to delete existing cert and replace with my new one
> for server b which was exported from server a. This time I did not
> receive error messages when importing, however I still get the message
> 81 can't contact ldap server.
>
You can use mozldap ldapsearch to troubleshoot setting up SSL:
/usr/lib64/mozldap/ldapsearch -h fqdn -ZZZ -P
/etc/dirsrv/slapd-NAME/cert8.db -s base -b "" "objectclass=*"
>
> Hope this information helps helps me understand how this works better
> as this is the last step.
>
>
> On 08/31/2011 09:12 AM, David Hoskinson wrote:
>
> This seems to be getting me somewhere.... Thanks for the quick
> response ....
>
> I have run the following commands on the master
>
> $ certutil -S -n "consumer-Cert" -s "cn=xxx.stag.cle.us" -c "CA
> certificate" -t "u,u,u" -m 999 -v 120 -d . -k rsa
>
> Do you have another cert (server cert or ca cert) with the same -m
> value? The value given to the -m argument must be unique for every cert.
>
> $ pk12util -d . -o consumer-cert.p12 -n Server-Cert
>
> And then copied consumer.p12 and cacert.asc to /tmp on server B
>
> When I tried to import the replication consumer cert into other 389 DS
> I receive the following error
>
> [root at xxx302 slapd-adm302]# pk12util -d . -i /tmp/consumer-cert.p12
>
> Enter Password or Pin for "NSS Certificate DB":
>
> Enter Password or Pin for "NSS Certificate DB":
>
> Enter password for PKCS12 file:
>
> pk12util: using nickname: xxx.stag.cle.us
>
> pk12util: PKCS12 decode import bags failed: You are attempting to
> import a cert with the same issuer/serial as an existing cert, but
> that is not the same cert.
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, August 31, 2011 10:51 AM
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* David Hoskinson
> *Subject:* Re: [389-users] Setting up multi master replication error 81
>
> On 08/31/2011 08:45 AM, David Hoskinson wrote:
>
> I have setup 2 servers running the following versions of 389 Directory
> server
>
> 389-adminutil-1.1.13-1.el5
>
> 389-admin-1.1.16-1.el5
>
> 389-dsgw-1.1.6-1.el5
>
> 389-ds-1.2.1-1.el5
>
> 389-ds-base-1.2.8.3-1.el5
>
> 389-admin-console-1.1.7-1.el5
>
> 389-console-1.1.4-1.el5
>
> 389-admin-console-doc-1.1.7-1.el5
>
> 389-ds-base-libs-1.2.8.3-1.el5
>
> 389-ds-console-1.2.5-1.el5
>
> 389-ds-console-doc-1.2.5-1.el5
>
> I have also enabled ssl and created the appropriate certs for each
> machine. I am able to set each machine as a client so I can test that
> from server A, I can login to server A while being authenticated by
> server B and vice versa.
>
> The last problem that I seem to be having is setting up replication.
> I have enabled the changelog, created a replication account, and
> enabled replica. When I create my replication agreement on the
> userRoot, the supplier shows as server A port 389 and the consumer
> shows as server B 636. I am using Use TLS with ldaps, and simple bind
> with my replication account and password. I next leave enable
> fractional replication unchecked, always keep directories in sync and
> initialize consumer... this is on server A and done. I get the
> following error message. Consumer initialization has unsuccessfully
> completed. The error received by the replica is '81 -- LDAP error:
> Can't contact LDAP server'
>
> I believe I am reading that in some manner the cacert.asc from server
> A has to be on server B and the cacert B has to be on server A
>
>
> Correct.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Exporting_the_certs_for_use_with_other_apps
>
>
>
> but am not sure and having problems with this.
>
> Any help with this would be appreciated and can provide additional
> information if needed...
>
> David Hoskinson | *DATATRAK*International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
> david.hoskinson at datatrak.net <mailto:david.hoskinson at datatrak.net> |
> www.datatrak.net <http://www.datatrak.net/>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> David Hoskinson | *DATATRAK*International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
> david.hoskinson at datatrak.net <mailto:david.hoskinson at datatrak.net> |
> www.datatrak.net <http://www.datatrak.net/>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110831/ebd3f1d4/attachment.html>
More information about the 389-users
mailing list