[389-users] Re: SSL replication error
So I finally made it work. I tried with F28 and I got the error message "system error -8157 (Certificate extension not found.)”. After some investigations, I realized that one of certs in my certificate chain was incorrectly imported (under wrong nickname, thus not imported at all). After fixing that, it worked. Then, I tried the same setup with Ubuntu 18.04 (389-ds 1.3.7.10, ldap-utils 2.4.45+dfsg-1ubuntu1) and it works. It’s still broken with 16.04 though (389 1.3.4.9-1, ldap-utils 2.4.42+dfsg-2ubuntu3.2) Thanks for all your effort, Michal > On 5 Jun 2018, at 15:41, Mark Reynolds wrote: > > What version of openldap is on your system? There is known issue fixed in > openldap-2.4.23-31 and up > > Can you do a ldapsearch from one system to the the other? > > ldapsearch -ZZ -xLLL -h HOST -p PORT -b "" -s base > > Then check the DS access and errors logs. There should be more info there > for the failure. > > I just setup self-signed certs on a F28 and everything works for me (with > host name checking set to "on"). > > > - > [root@ibm-ls22-04 slapd-localhost]# certutil -d . -L > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > CA certificate CTu,Cu,Cu > Server-Cert u,u,Pu > -- > > Can you run "certutil -L" on your cert db? Do your trust attrs match mine? > > Maybe your cert is missing the basic constraints extension (See my CA cert > for an example)? > > > > Here is my info: > > > Server Cert: > > > # certutil -d /etc/dirsrv/slapd-HOST -L -n Server-Cert > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 1001 (0x3e9) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=CAcert" > Validity: > Not Before: Tue Jun 05 11:19:13 2018 > Not After : Mon Jun 05 11:19:13 2028 > Subject: "CN=ibm-ls22-04.rhts.eng.brq.redhat.com,OU=389 Directory > Server" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > cb:16:8f:2d:72:66:b3:35:83:35:ce:df:48:b1:82:cd: > a3:ee:95:5d:a5:21:62:ae:a9:55:52:bb:f3:03:5c:cf: > f0:51:64:83:17:44:1a:58:70:e7:57:9b:5d:3e:6d:0a: > f4:a2:96:28:10:82:03:9c:4a:5c:a1:cf:27:5f:97:62: > d6:c3:57:5f:0d:ca:c1:62:41:43:47:59:5c:b0:31:c6: > f7:fe:18:d9:2d:14:ac:08:c8:82:a3:97:66:bf:b5:6d: > d9:99:9a:7a:19:4e:94:01:52:b5:02:2f:46:70:08:25: > 81:7f:82:13:27:95:04:04:1f:2b:4d:21:f9:3e:1c:3d: > 19:82:de:d3:8e:7b:80:5c:ff:12:42:19:fa:60:e6:c1: > d4:62:8b:00:21:5a:91:e6:12:b7:82:67:3c:14:18:59: > 43:4d:9d:cb:f8:d7:85:a3:26:f3:19:68:96:47:38:c3: > c9:c2:7a:9d:0d:b6:86:a4:f7:bd:7e:f8:5e:a5:a3:b1: > 82:f6:b0:f2:e0:18:83:90:95:20:52:5b:73:d6:6d:70: > 8d:ad:55:79:43:ba:04:21:aa:e3:e8:9b:24:81:5d:f3: > dd:8d:e0:2c:8f:c9:28:ec:ff:24:d4:ac:85:d1:2b:4e: > 03:9d:f8:77:4f:09:88:25:65:27:98:55:a2:30:35:65 > Exponent: 65537 (0x10001) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > 4a:06:4d:21:b4:be:fe:5f:47:3d:6f:0d:e6:8d:10:52: > 0c:74:61:33:e5:f2:4f:68:13:7f:e4:b4:0b:b2:39:52: > 79:ca:6e:1c:ce:df:02:a1:01:3b:0d:cd:39:d2:aa:42: > bc:17:2c:29:bf:08:25:dd:3e:8c:24:6b:80:bd:59:f9: > 0b:91:2b:f7:41:81:4f:42:7f:1e:30:b5:4e:7b:47:67: > 08:58:87:0d:93:76:9a:04:d0:ee:fd:f5:9f:b7:2c:9e: > 1e:a5:6f:69:4d:d9:3c:a6:cd:5f:a6:7d:b9:9a:cc:43: > ef:ab:1d:38:b1:9f:33:cd:2e:84:5a:96:38:9d:99:a6: > 1a:29:ec:f2:16:2f:e7:a0:8f:56:6d:a5:62:b2:59:3a: > b4:2c:d4:c8:b3:30:1d:23:f6:0a:e7:6d:9b:e1:d5:5c: > c7:27:36:52:33:88:75:1a:be:0d:8e:70:fc:25:75:2f: > 6a:70:d4:36:81:81:87:ec:ea:53:f0:22:8f:e0:6c:26: > 40:54:ec:29:b9:c9:e3:73:3c:d9:cd:50:b5:45:51:fd: > 1f:cb:71:e9:ae:01:65:31:f5:b1:b7:13:3d:63:b7:20: > 1c:72:4c:2d:50:2a:be:f7:77:e2:fb:0f:09:59:4a:0c: > ba:83:a6:72:d4:96:77:36:28:bf:56:18:2c:e9:75:6d > Fingerprint (SHA-256): > > D9:DB:31:8F:A7:57:03:8F:28:9D:53:C1:32:AE:28:B3:02:F5:CE:E7:72:62:A8:BF:DD:92:39:A9:FD:98:05:C0 > Fingerprint (SHA1): > 85:C4:0B:3F:FC:A3:57:FB:90:D5:BE:B7:E5:8A:9A:B6:48:CB:63:4C > > Mozilla-CA-Policy: false (attribute missing) > Certificate Trust Flags: > SSL
[389-users] Re: SSL replication error
What version of openldap is on your system? There is known issue fixed in openldap-2.4.23-31 and up Can you do a ldapsearch from one system to the the other? ldapsearch -ZZ -xLLL -h HOST -p PORT -b "" -s base Then check the DS access and errors logs. There should be more info there for the failure. I just setup self-signed certs on a F28 and everything works for me (with host name checking set to "on"). - [root@ibm-ls22-04 slapd-localhost]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA certificate CTu,Cu,Cu Server-Cert u,u,Pu -- Can you run "certutil -L" on your cert db? Do your trust attrs match mine? Maybe your cert is missing the basic constraints extension (See my CA cert for an example)? Here is my info: Server Cert: # certutil -d /etc/dirsrv/slapd-HOST -L -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number: 1001 (0x3e9) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=CAcert" Validity: Not Before: Tue Jun 05 11:19:13 2018 Not After : Mon Jun 05 11:19:13 2028 Subject: "CN=ibm-ls22-04.rhts.eng.brq.redhat.com,OU=389 Directory Server" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: cb:16:8f:2d:72:66:b3:35:83:35:ce:df:48:b1:82:cd: a3:ee:95:5d:a5:21:62:ae:a9:55:52:bb:f3:03:5c:cf: f0:51:64:83:17:44:1a:58:70:e7:57:9b:5d:3e:6d:0a: f4:a2:96:28:10:82:03:9c:4a:5c:a1:cf:27:5f:97:62: d6:c3:57:5f:0d:ca:c1:62:41:43:47:59:5c:b0:31:c6: f7:fe:18:d9:2d:14:ac:08:c8:82:a3:97:66:bf:b5:6d: d9:99:9a:7a:19:4e:94:01:52:b5:02:2f:46:70:08:25: 81:7f:82:13:27:95:04:04:1f:2b:4d:21:f9:3e:1c:3d: 19:82:de:d3:8e:7b:80:5c:ff:12:42:19:fa:60:e6:c1: d4:62:8b:00:21:5a:91:e6:12:b7:82:67:3c:14:18:59: 43:4d:9d:cb:f8:d7:85:a3:26:f3:19:68:96:47:38:c3: c9:c2:7a:9d:0d:b6:86:a4:f7:bd:7e:f8:5e:a5:a3:b1: 82:f6:b0:f2:e0:18:83:90:95:20:52:5b:73:d6:6d:70: 8d:ad:55:79:43:ba:04:21:aa:e3:e8:9b:24:81:5d:f3: dd:8d:e0:2c:8f:c9:28:ec:ff:24:d4:ac:85:d1:2b:4e: 03:9d:f8:77:4f:09:88:25:65:27:98:55:a2:30:35:65 Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 4a:06:4d:21:b4:be:fe:5f:47:3d:6f:0d:e6:8d:10:52: 0c:74:61:33:e5:f2:4f:68:13:7f:e4:b4:0b:b2:39:52: 79:ca:6e:1c:ce:df:02:a1:01:3b:0d:cd:39:d2:aa:42: bc:17:2c:29:bf:08:25:dd:3e:8c:24:6b:80:bd:59:f9: 0b:91:2b:f7:41:81:4f:42:7f:1e:30:b5:4e:7b:47:67: 08:58:87:0d:93:76:9a:04:d0:ee:fd:f5:9f:b7:2c:9e: 1e:a5:6f:69:4d:d9:3c:a6:cd:5f:a6:7d:b9:9a:cc:43: ef:ab:1d:38:b1:9f:33:cd:2e:84:5a:96:38:9d:99:a6: 1a:29:ec:f2:16:2f:e7:a0:8f:56:6d:a5:62:b2:59:3a: b4:2c:d4:c8:b3:30:1d:23:f6:0a:e7:6d:9b:e1:d5:5c: c7:27:36:52:33:88:75:1a:be:0d:8e:70:fc:25:75:2f: 6a:70:d4:36:81:81:87:ec:ea:53:f0:22:8f:e0:6c:26: 40:54:ec:29:b9:c9:e3:73:3c:d9:cd:50:b5:45:51:fd: 1f:cb:71:e9:ae:01:65:31:f5:b1:b7:13:3d:63:b7:20: 1c:72:4c:2d:50:2a:be:f7:77:e2:fb:0f:09:59:4a:0c: ba:83:a6:72:d4:96:77:36:28:bf:56:18:2c:e9:75:6d Fingerprint (SHA-256): D9:DB:31:8F:A7:57:03:8F:28:9D:53:C1:32:AE:28:B3:02:F5:CE:E7:72:62:A8:BF:DD:92:39:A9:FD:98:05:C0 Fingerprint (SHA1): 85:C4:0B:3F:FC:A3:57:FB:90:D5:BE:B7:E5:8A:9A:B6:48:CB:63:4C Mozilla-CA-Policy: false (attribute missing) Certificate Trust Flags: SSL Flags: User Email Flags: User Object Signing Flags: Terminal Record Trusted User CA Cert: = Certificate: Data: Version: 3 (0x2) Serial Number: 1000 (0x3e8) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=CAcert" Validity: Not Before: Tue Jun 05 11:19:12 2018 Not After : Mon Jun 05 11:19:12 2028 Subject: "CN=CAcert" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: df:92:6d:6c:82:26:6b:5d:f3:09:d8:68:30:e6:79:24: ab:34:ec:33:ed:a5:cc:c4:22:c3:ca:d7:b8:3e:cf:27: 70:66:02:37:e5:0f:44:e7:8c:6a:81:44:63:b1:07:98: 1c:15:e1:73:2
[389-users] Re: replicating specific attributes from AD to DS
Thx Carne_de_Passaro for you reply. what if you try doing it using plugins? is it possible? if so, what plugin? basically I need to sync, beside basic user's info, the password policy and others attributes like EmployeeType. does anyone have any idea in how doing it? I could use another piece of software as mentioned by carne_de_passaro (LSC) ..but would be nice having all within 389ds. thx once more Em qui, 24 de mai de 2018 às 16:49, carne_de_passaro < carnedepass...@gmail.com> escreveu: > I'm affraid that 388ds doesn't support this. > We are using LSC here to do this. > > Em qui, 24 de mai de 2018 13:48, Paulo Cast > escreveu: > >> hi guys, >> >> just wondering how to get specific attributes from AD >> (cn=users,dc=domain,dc=com) replicated to DS (389-ds-base-1.3.8.1-1.fc27). >> I already have the Windos Sync Agreement working so far but I can't get >> few extra attributes like EmployeeID, EmployeeNumber, etc. Or nor can get >> the password policy replicated. Any ideas in how to do it? >> >> thx, >> >> sergio >> ___ >> 389-users mailing list -- 389-users@lists.fedoraproject.org >> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/UAMSPNY5Z46TNPIMECJZGXTWH4IL6DIP/ >> > ___ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/HTXMZES44LR2GSESST3FHVDDHBLVFST5/ > ___ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/TH7UCSE34MBPHZNAQ47JWL2AEFRTTLN4/
[389-users] Re: tls encryption and key changes: symmetric key failed to unwrap
Hi Mark, Am 01.06.2018 um 15:24 schrieb Mark Reynolds: > You have 50 backends on a single instance of DS? It's a kolab Groupware with about 50 domains. This is the default setup on kolab to have a backend for each domain. Maybe not ideal e.g. in this case. > Also, this is something you could script to make the task much easier, Yes - but already the idea that every two month 50 databases are reimported - shrinks me back. I'm not shure what happens with replication in this situation and so on. > but... These errors are harmless if you are not using attribute > encryption. So in your case you can just ignore the messages even > though they are annoying & alarming. Once I got the situation - why ever - that I could't start dirsrv before I delted the key entries. But it didn't happen again until yet. Maybe the error was in fact somewhere else. So: probably I'll ignore it. Thanks and regards Jan ___ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/X5NZACAKYH75RWYHAEQXW6LAD7UHACFP/