[389-users] check hostname option

Alberto Viana albertocrj at gmail.com
Thu Dec 5 18:02:14 UTC 2013


Rich,

I'm running on Ubuntu. Pretty much the same.

test environment:
dpkg -l | grep -i nss
ii  libnss3      3.13.1.with.ckbi.1.88-1ubuntu6  Network Security Service libraries
ii  libnss3-1d   3.13.1.with.ckbi.1.88-1ubuntu6  Network Security Service libraries
ii  libnss3-dev  3.13.1.with.ckbi.1.88-1ubuntu6  Development files for the Network Security Service libraries

production environment:
dpkg -l | grep -i nss
ii  libnss3      3.13.1.with.ckbi.1.88-1ubuntu6  Network Security Service libraries
ii  libnss3-1d   3.13.1.with.ckbi.1.88-1ubuntu6  Network Security Service libraries
ii  libnss3-dev  3.13.1.with.ckbi.1.88-1ubuntu6  Development files for the Network Security Service libraries


and mod_nss-1.0.8 on both.


On Thu, Dec 5, 2013 at 3:18 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 12/05/2013 10:12 AM, Alberto Viana wrote:
>
>  I have 2 389 running (389-Directory/1.3.2.6 and 389-Directory/1.3.1.3)
> with multiple master configuration.
>
>  When I set the option "check hostname against name in certificate for
> outbound SSL connections" the agreement does not work and shows me this
> error:
>
>  [05/Dec/2013:14:35:55 -0200] slapi_ldap_bind - Error: could not send
> bind request for id [uid=app.389.w,cn=config] authentication mechanism
> [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid
> function argument.), network error 115 (Operation now in progress, host
> "hmg2.homolog.rnp")
> [05/Dec/2013:14:35:55 -0200] NSMMReplicationPlugin - agmt="cn=389-HMG2"
> (hmg2:636): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't
> contact LDAP server) ((unknown error code))
>
>
>  When I unset the option, everything works as expected.
>
>  Here's the subject of my certificates:
> Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede Nacional de
> Ensino e Pesquisa, OU=GTI, CN=hmg3.homolog.rnp
>
>  Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede Nacional de
> Ensino e Pesquisa, OU=GTI, CN=hmg2.homolog.rnp
>
>  My DNS is configured correctly (the reverse too).
>
>  In my production environment this option works fine, but it's a little
> bit old (389-Directory/1.2.10.12)
>
>
> What version of NSS do you have in your production environment?
> What version of NSS do you have in your test environment?
>
> rpm -q nss
>
>
>  Any clues?
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>