[389-users] Multi-Master Replication Issue
Chaudhari, Rohit K.
Rohit.Chaudhari at jhuapl.edu
Thu Mar 6 18:33:27 UTC 2014
I had to put a "-x" after ldapmodify to make it use simple authentication
versus SASL. My 389 DS is not SASL enabled, but it does have a
self-signed CA certificate. When I tried to just set TLS_REQCERT never,
it did not work. I haven't tried testing the TLS_CACERT variable, where I
set exactly what the cacert.asc is. Could there be a problem of creating
the certificate with certutil versus openSSL (certutil results in .asc
file)?
Look forward to thoughts,
R
On 3/6/14 1:04 PM, "Chaudhari, Rohit K." <Rohit.Chaudhari at jhuapl.edu>
wrote:
>Okay, I will take a look and report back.
>
>Thanks,
>
>Rohit
>
>On 3/6/14 12:58 PM, "Morgan Jones" <morgan at morganjones.org> wrote:
>
>>For testing I know "TLS_REQCERT never" works.
>>
>>For production I use:
>>TLS_REQCERT demand
>>TLS_CACERT /path/to/ca_cert.pem
>>
>>If TLS_REQCERT never works then there's something wrong with your cert
>>most likely. Though I'd expect a generic connection error if were just
>>having a problem verifying the certificate. Does ldapsearch/ldapmodify
>>work for other operations?
>>
>>Otherwise maybe send us the exact command you're running?
>>
>>-morgan
>>
>>
>>On Mar 6, 2014, at 12:29 PM, Justin Edmands <shockwavecs at gmail.com>
>>wrote:
>>
>>> On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K.
>>><Rohit.Chaudhari at jhuapl.edu> wrote:
>>> Hi All,
>>>
>>> I am trying to create multi-master replication in 389. But I am having
>>> trouble using ldapmodify to create a replication manager DN account
>>>
>>> I get the following error:
>>>
>>> Additional info: TLS error -8157: Certificate extension not found
>>>
>>> I went on the web and some people suggested I have a TLS_REQCERT=none
>>>line
>>> in /etc/openldap/ldap.conf, but this did not fix it either.
>>>
>>> My certificate in /etc/openldap/cacerts is called cacert.asc.
>>>
>>> Does anyone know how I can fix my problem?
>>>
>>> Thanks,
>>>
>>> R
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>> Not totally sure, but don't use the "="
>>>
>>> here is mine:
>>>
>>> URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
>>> BASE ou=People,dc=domain,dc=com
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> # TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>> TLS_REQCERT allow
>>>
>>> you can set it to "TLS_REQCERT never" as well.
>>>
>>> Also consider setting the TLS_CACERTDIR and TLS_CACERT
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>--
>>389 users mailing list
>>389-users at lists.fedoraproject.org
>>https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>--
>389 users mailing list
>389-users at lists.fedoraproject.org
>https://admin.fedoraproject.org/mailman/listinfo/389-users
More information about the 389-users
mailing list