[389-users] new dirsrv with RHEL9

2023-06-24 Thread solarflow99
Hi, I am having a problem with a new dirsrv setup, getting a Linux client
to authenticate with LDAP.  I have done all the usual things to
troubleshoot; if anyone has seen this or knows what can be done I would
sure appreciate any help.  Here's what I'm noticing:

- I need to have the bind_dn of Directory Manager specified to look up
almost anything in LDAP, not sure why this is?

- sssd can find a sample user I created but still there seems to be a
problem, it looks like PAM but I did use authselect to use the sss profile:


$ ldapsearch -x -LLL -D "cn=Directory Manager" -W -b ou=people,o=solarflow
-H ldap://dev2.local '(uid=john)' cn gidNumber userPassword
Enter LDAP Password:
dn: uid=john,ou=people,o=solarflow
cn: John Smith
gidNumber: 10001
userPassword:: e1BCS0RGMixxx...xxx==


$ sssctl domain-status ldap
Online status: Online

Active servers:
LDAP: dev2.local

Discovered LDAP servers:
- dev2.local


localhost ~ $ sssctl user-checks john
user: john
action: acct
service: system-auth

sss_getpwnam_r failed with [0].
User name lookup with [john] failed.
SSSD InfoPipe user lookup result:
 - name: john
 - uidNumber: 10001
 - gidNumber: 10001
 - gecos: John Smith
 - homeDirectory: /home/john
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: User not known to the underlying authentication module

PAM Environment:
 - no env -


localhost ~ $ getent passwd john

localhost ~ $ id john
id: ‘john’: no such user


$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-pamaccess
- with-sudo



Here is my sssd.conf:

[sssd]
config_file_version = 2
domains = LDAP
#services=pam
debug_level = 6

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
#chpass_provider = ldap
ldap_uri = ldap://dev2.local
ldap_search_base = o=solarflow
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok = my_secret_password
cache_credentials = True
debug_level = 6
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
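A lint pass over that sssd.conf, added here as an example and not part of the original post: it flags the settings in the config above that matter for security (binding as the root DN, the bind password sitting in the config, identity lookups over plain ldap:// with no StartTLS) and emits a hardened variant. The service-account DN and CA file path it substitutes are placeholders, and the sample config is a constructed copy with the password replaced.

```python
"""Lint an sssd.conf LDAP domain for the weak settings in the config above.
Added example, not from the post; the sample config is a constructed copy with
the password replaced by a placeholder."""
import configparser
import io

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP
debug_level = 6

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dev2.local
ldap_search_base = o=solarflow
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok = PLACEHOLDER_PASSWORD
cache_credentials = True
debug_level = 6
"""

ROOT_DN = "cn=directory manager"  # the unrestricted 389-ds root DN


def _truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _ldap_domains(cp):
    for section in cp.sections():
        if section.startswith("domain/") and cp[section].get("id_provider", "").strip() == "ldap":
            yield section, cp[section]


def lint_sssd_conf(text):
    """Return (section, finding) pairs for every ldap domain in the config."""
    findings = []
    for section, dom in _ldap_domains(_parse(text)):
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        plain = any(u.startswith("ldap://") for u in uris)
        # Identity lookups only get TLS when ldap_id_use_start_tls is set; over
        # plain ldap:// the simple bind (bind DN + authtok) crosses the wire in clear.
        if plain and not _truthy(dom.get("ldap_id_use_start_tls", "false")):
            findings.append((section, "id-channel-unencrypted"))
        if dom.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((section, "server-cert-not-verified"))
        if dom.get("ldap_default_bind_dn", "").strip().lower() == ROOT_DN:
            # A lookup account needs read access only; the root DN bypasses every ACI.
            findings.append((section, "bind-as-root-dn"))
        if dom.get("ldap_default_authtok"):
            # Unavoidable for a bind account, so sssd.conf must stay root-only (0600).
            findings.append((section, "secret-in-config"))
    return findings


def harden_sssd_conf(text, service_dn="uid=sssd-reader,ou=services,o=solarflow",
                     cacert="/etc/pki/tls/certs/dev2-ca.crt"):
    """Rewrite the config with ldaps://, strict certificate checking and a
    least-privilege bind DN. service_dn and cacert are placeholders."""
    cp = _parse(text)
    for _, dom in _ldap_domains(cp):
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        dom["ldap_uri"] = ", ".join(
            "ldaps://" + u[len("ldap://"):] if u.startswith("ldap://") else u for u in uris)
        dom["ldap_tls_reqcert"] = "demand"
        dom["ldap_tls_cacert"] = cacert
        if dom.get("ldap_default_bind_dn", "").strip().lower() == ROOT_DN:
            dom["ldap_default_bind_dn"] = service_dn
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

The hardened output still carries a bind secret, which is why the last finding stays; the fix for that is file ownership and mode, not a config key.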


Re: [389-users] Stop user being replicated with Active Directory

2011-12-12 Thread solarflow99
Is this any help:
http://directory.fedoraproject.org/wiki/One_Way_Active_Directory_Sync


2011/12/12 Juan Asensio Sánchez 

> Hi
>
> After one user has been replicated from 389 DS to Active Directory, is
> there any way to stop replicating it? I want the user, after deleting
> some attrs in 389 DS (ntUser objectClass, ...), be deleted in Active
> Directory, but already exists in 389 DS. Is this possible?
>
> Thanks in advance.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Sync OU from Active Directory

2011-12-05 Thread solarflow99
You can create the OUs manually in 389, then any objects in them should
come.


2011/12/5 Walter Neu 

> Hi,
>
> is it possible to sync a complete LDAP tree from an Active Directory or
> only user and group entries?
>
> My problem is, that I have to build the complete tree from our AD server
> on my 389ds to sync the user entries, because OUs are not synced.
>
> Thanks in advance

Re: [389-users] Sync UNIX Attributes from AD to 389ds

2011-11-15 Thread solarflow99
I meant to say:

can't use the windows password hash



On Tue, Nov 15, 2011 at 12:43 AM, solarflow99  wrote:

> I had a similar setup as yours, for #1 I think I did have to use 389
> console to enable posix attributes so the user could login to linux, I'm
> not sure how to make this automatic.  For #2 this is because windows
> passwords are encrypted differently, and linux can use the windows password
> hash.
>
> hope this helps..
>
>
> 2011/11/15 Walter Neu 
>
>> Hi all,
>>
>> I have installed a 389ds which sync entries from an Active Directory
>> running on Windows 2008 R2 Enterprise Server. Everything works fine even
>> Password Sync. But I have still 2 problems I don't get solved:
>>
>> 1.It's not possible to sync the UNIX attributes from AD to 389ds. Any
>> hints?
>> 2.Passwords are not synced during an initial full re-synchronization.
>> Only password changes on an AD are synced. So I have to reset a user's
>> password and after that the password will be transmitted to the 389ds.
>>
>> Best regards
>>
>>

Re: [389-users] Sync UNIX Attributes from AD to 389ds

2011-11-15 Thread solarflow99
I had a similar setup as yours, for #1 I think I did have to use 389
console to enable posix attributes so the user could login to linux, I'm
not sure how to make this automatic.  For #2 this is because windows
passwords are encrypted differently, and linux can use the windows password
hash.

hope this helps..


2011/11/15 Walter Neu 

> Hi all,
>
> I have installed a 389ds which sync entries from an Active Directory
> running on Windows 2008 R2 Enterprise Server. Everything works fine even
> Password Sync. But I have still 2 problems I don't get solved:
>
> 1.It's not possible to sync the UNIX attributes from AD to 389ds. Any
> hints?
> 2.Passwords are not synced during an initial full re-synchronization.
> Only password changes on an AD are synced. So I have to reset a user's
> password and after that the password will be transmitted to the 389ds.
>
> Best regards
>
>

Re: [389-users] 389 server on production

2011-10-20 Thread solarflow99
Since I've been using it, it's been flawless.  It's a scalable implementation,
389-console was great for providing a refined way to set up replication, SSL
certs, etc.  You might want to use a better front end to administer users,
groups, etc.  I'd recommend it for production.  If you need commercial
support, there's Red Hat Directory Server.  hope this helps..




2011/10/20 Alex Pershyn 

>
> Hi all,
>
> Can anybody tell me about using 389 in production environment? Is it
> stable? Were there many issues with it? Is there any support in case of
> production trouble?
>
> Thanks,
>
> Alex Pershyn,
>
> Application architect, Enabil Solutions Ltd
>
>

Re: [389-users] Certificate based authentication

2011-10-11 Thread solarflow99
These 2 links should help, 389 has its own cert management, so it is a bit
different at first, you can probably use pk12util and certutil to do most of
the cert handling.

http://directory.fedoraproject.org/wiki/FAQ#Can_389_use_OpenSSL_or_GnuTLS.3F
http://directory.fedoraproject.org/wiki/Howto:SSL



2011/10/11 Gerhardus Geldenhuis 

> Hi
>
> I am looking at doing certificate based authentication using 389. The
> company where I am working currently issues a certificate for every new
> starter and these certs are well managed with regards to sensible expiry
> dates etc. This cert is your key to the whole environment and a lot of the
> applications like jira/confluence authenticate you based on
> your certificate.
>
> I have read through the documentation:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html
>
> and it seems to suggest that it is necessary to convert the user
> certificate and upload it into 389 db. This seems a bit of a duplication. Is
> there any way to "talk" to the certificate provider to ascertain the validity
> or not of a certificate and obtain any other required information, rather
> than having a copy of the certificate in the database. The documentation
> also does not say whether this is the public or private part of
> the certificate that needs to be uploaded. I am assuming it is the public
> part.
>
> The second part of the question is how would this work with regards to ssh
> authentication. Somehow via pam and ssh the certificate must be passed on to
> 389 when the authentication happens. I am not sure this is currently
> possible with pam but would be interested in any suggestions to achieve
> something like this.
>
> Regards
>
> --
> Gerhardus Geldenhuis
>

Re: [389-users] ad nested objects sync

2011-09-16 Thread solarflow99
On Fri, Sep 16, 2011 at 11:01 AM, Rich Megginson wrote:

> On 09/16/2011 08:55 AM, Vasil Mikhalenya wrote:
> > hi all,
> >
> > can windows sync agreement replicate nested objects ? like
> > cn=user1,ou=location1,ou=Root,dc=domain ?
> > when i specify ou=Root,dc=domain in sync agreement - it replicates
> > only objects under ou=Root,dc=domain itself like
> > cn=user_in_root,ou=Root,dc=domain but neither
> > cn=user1,ou=location1,ou=Root,dc=domain nor
> > ou=location1,ou=Root,dc=domain
> >
> > Is it possible at all?
> No.
>


Try manually creating the OU subcontainers in 389.  I can't remember exactly
how I did it, but I remember doing what you're trying to do.  I think I had
to put the users and groups OU under a common OU per replication agreement
however.

Hope this helps..

Re: [389-users] 389-DS vs windows 2008 - Replication

2011-08-07 Thread solarflow99
I remember looking over those links and didn't find them very useful
either.  I've had that error message before too, it means it doesn't have
the CA to recognize the cert.  I think you have to import the windows CA
into 389, I had better luck with the command line. There was a thread on
this subject a few months back for reference, I found the best info
available was from:
http://directory.fedoraproject.org/wiki/Howto:WindowsSync

hope this helps..



2011/8/6 Édnei 

> Hello Guys.
> My doubt is the certificates. How to create the certificates correctly ? I
> follow this guide: http://www.linuxmail.info/install-ssl-certificate-fds/ and
> this
> http://www.linuxmail.info/389-directory-active-directory-ssl-synch/
> But I have the same error: LDAP error 81 - Peer's Certificate issuer is not
> recognized
>
> I believe that i am failing to create the certificates and submit it to the
> 389-ds.
>
> Can anyone point me somewhere where I could find a solution ?
>
>
> Thanks in advance for any return,
> Édnei.

Re: [389-users] Centos 6?

2011-08-01 Thread solarflow99
On Mon, Aug 1, 2011 at 9:54 PM, Penedo  wrote:

> On 2 August 2011 09:17, Rich Megginson  wrote:
> > So, to summarize, if you want the full 389 ds/admin/console on EL6:
> > 1) you must use EL 6.1 or later
> > 2) you must use 389-ds-base from the fedorapeople.org repo
> > 3) you must use EPEL6 for the other packages
>
> Thanks for the summary. This should probably be copied into the
> Wiki/FAQ section, IMHO.
>
> Does the requirement for a payment for the replication feature mean
> that I should start looking elsewhere for my LDAP needs, if I want to
> stick to FOSS CentOS and robust LDAP solutions? Or will the people in
> this forum keep maintaining a fully-functional open-source version?
>
> 389's multi-master replication and general stability are a killer
> feature from my perspective.
>


sure, I can add this to the FAQ.  I am surprised that 389 has such issues in
rhel6, I thought it was only Red Hat Directory Server (the paid supported
version of 389) that would have extras and optional features.

Re: [389-users] Centos 6?

2011-07-28 Thread solarflow99
Just try and locate the repo with those missing packages, unless centos6
hasn't built them or something weird like that.




2011/7/28 夜神 岩男 

> On 07/29/2011 05:14 AM, Brett Dikeman wrote:
> > Greetings,
> >
> > I'm trying to install 389 on Centos 6, following this:
> >
> > http://directory.fedoraproject.org/wiki/Install_Guide#New_Install
> >
> > The guide makes it out to be as simple as "configure EPEL, then
> > execute yum install 389-ds".
> >
> > Instead, the install dies with yum not able to find a dozen or two
> > dependencies, all of them perl, it looks like:
> >
> > -perl(Setup)
> > -perl (Mozilla::LDAP::Utils)
> > -perl(Resource)
> >
> > ...and so on (Dialog, DSMigration, Migration, DSUpdate etc.)
> >
> > I've tried both EPEL release, and EPEL testing.  I can't seem to find
> > anyone else complaining about these issues, so I'm guessing I'm
> > missing something.  Any suggestions?
>
> Same thing happening here, on SL6 and CentOS6. So it's not just you.
> Unfortunately I've had to switch to OpenLDAP for a bit until I can get
> this resolved (probably not for another month...). The weird thing is a
> lot of 389-ds packages are built and sitting in the EPEL repo, but
> 389-ds-base isn't present and all that perl madness is just missing. I
> did find the lack of discussion a little odd -- seems like people would
> notice this missing.
>
> If anyone knows a magical workaround that would permit a proper 389
> install it would be greatly appreciated (like "Geeze, get with it you
> knuckleheads, it's been relabeled to the 390-ds now, duh.").
>
> -Iwao

Re: [389-users] Centos 6?

2011-07-28 Thread solarflow99
I think those should pull in from the centos repo shouldn't it?


On Thu, Jul 28, 2011 at 4:14 PM, Brett Dikeman wrote:

> Greetings,
>
> I'm trying to install 389 on Centos 6, following this:
>
> http://directory.fedoraproject.org/wiki/Install_Guide#New_Install
>
> The guide makes it out to be as simple as "configure EPEL, then
> execute yum install 389-ds".
>
> Instead, the install dies with yum not able to find a dozen or two
> dependencies, all of them perl, it looks like:
>
> -perl(Setup)
> -perl (Mozilla::LDAP::Utils)
> -perl(Resource)
>
> ...and so on (Dialog, DSMigration, Migration, DSUpdate etc.)
>
> I've tried both EPEL release, and EPEL testing.  I can't seem to find
> anyone else complaining about these issues, so I'm guessing I'm
> missing something.  Any suggestions?
>
> Thanks!
> Brett

Re: [389-users] Howto setup the 389 server to be its own client (caution n00b!)

2011-07-28 Thread solarflow99
sounds like you want users created in 389dirsrv to log into the system?
Just run the "setup" command and select authentication, there you can choose
ldap and supply the base DN, etc.


hope this helps..



On Thu, Jul 28, 2011 at 12:57 PM, Bill Crowell  wrote:

> All,
>
> I've successfully installed 389 and configured it on my Linode server with
> FC15. I'm impressed at how well it installs compared to LDAP.
>
> I'm able to access it using a notebook running FC using the 389 admin tool.
> Again, nice.
>
> What I'm searching for is how to make the directory server also the
> application server and have the users added to the directory show up on the
> same virtual machine. Admittedly, I'm a bit spoiled by Apple's OpenDirectory
> and having users created on the same machine as the directory.
>
> As my firm expands, we will have more replicants and additional servers
> holding application data. For now, just one server.
>
> I presume there is a setting to tell this server to authenticate back to
> its own 389 server instead of simply the default shadow passwords?
>
> TIA
>
> Bill
>
> Bill Crowell, President
> Pavuk Systems
> 318 Queens Road Suite 6
> Charlotte, NC 28204
> Office   +1 704.248.0024
> Mobile +1 704.607.6077
> Skype  pavuk.com

Re: [389-users] Newbie question: Which distro?

2011-07-21 Thread solarflow99
That will work, you can have a master and slave to do this, since 389 is in
EPEL, I think you're best to use rhel/centos for the server.

hope this helps..



2011/7/21 Steven Santos 

> I would like to set up an instance of 389DS for my school.
>
> This LDAP server would be used to authenticate users on our old
> file/database/local web server, our desktop machines, our WIFI, and for a
> number of web applications.  Total users is about 300, though the vast
> majority (~275) would only authenticate/sign in to our SIS about once a
> week.
>
> Our 2 servers are an old CentOS file/SQL server and a Fedora web server
>
> We have 7 different linux workstations (mostly Ubuntu 10.10 and 11.x), 3
> Windows boxes (2 Vista and 1 W7) and 1 Mac OSX box.
>
> We currently use a number of local web apps (Koha, Moodle, Wordpress, our
> SIS), all of which have LDAP plug-ins.
>
> We would like to eventually also run an ldap server in a hosted VPS that
> would get updates from our local LDAP server, and authenticate users to our
> various public facing web services, as well as google apps and our paid
> databases, though this is a future project.
>
> So what distribution is best supported, and will be supported the longest?
>
> ---
> Steven Santos
> Director
> P: 617-527-0667
> F: 617-934-1870
> E: ste...@simplycircus.com
>
> Simply Circus, Inc.
> 86 Los Angeles Street
> Newton, MA 02462

Re: [389-users] SSL certificate issue

2011-07-13 Thread solarflow99
I had this error, and it was the CA not being imported correctly as you
mentioned.  I used the certutil and pk12util commands to import and export
all the certs:
http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert



2011/7/13 s.varadha rajan 

> Hi,
>
> I am trying to implement, two 389-ds with ssl replication.Replication is
> working without ssl. when i try to configure ssl enabled 389-ds, i am
> getting the error as,
>
> "[13/Jul/2011:17:38:37 +051800] - SSL alert: CERT_VerifyCertificateNow:
> verify certificate failed for cert Server-Cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer's Certificate issuer is not recognized.)
> [13/Jul/2011:17:38:37 +051800] - SSL failure: None of the cipher are valid"
>
> I did the following as per my environment:
> 1.my system name is varad.india.xxx.com. we have a certificate
> star.india.xxx.com and .pem files,which is used commonly for Apache and
> other related services.so i am planning to import that certificate to my
> fedora-ds system,
>
> A).openssl pkcs12 -export -inkey star_dot_india_xxx_key.pem -in
> star_dot_india_xxx_cert.crt -out crt.p12 -nodes -name 'Server-Cert' ==>
> command went fine
>
> B).pk12util -i /crt.p12 -d . ==> command went fine
>
> C).As per the fedora doc, they specified as "certutil -d
> /etc/dirsrv/slapd-INSTANCE -A -n "My Local CA" -t CT,, -a -i
> /path/to/ca.pem".so tried this option as ,
>
>  #root@varad:/home/sslforldap# certutil -d /etc/dirsrv/slapd-varad -A -n
> "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt
> got an error ==>certutil: function failed: security library: bad database.
>
> and then tried as
>
> #certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i
> star_dot_india_xxx_cert.crt ==> went fine
>
> D).Added the relevant details in the dse.ldif and restarted the dirsrv.but
> i got the above error.
>
> E).For your information,
>
> root@varad:/home/sslforldap# certutil -L -d .
>
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
>
> XXX XXX CA                                  u,u,u
>
>
> How can i proceed further ?
>
> Regards,
> Varad
>

Re: [389-users] Is there a known memory leak?

2011-07-11 Thread solarflow99
I never saw that before, you have all your updates applied right?  Which
process does ps aux show is taking all the ram?




2011/7/11 Gioachino Bartolotta 

> Hi all,
>
> I have a problem with the 389-ds
> I setup the machine (CentOS 5.6 amd64) with 4 GB RAM and 4 GB Swap, 2
> cores and installed
>
> 389-ds-console-1.2.5-1.el5
> 389-ds-base-libs-1.2.8.3-1.el5
> 389-ds-base-1.2.8.3-1.el5
> 389-dsgw-1.1.6-1.el5
> 389-ds-1.2.1-1.el5
> 389-ds-console-doc-1.2.5-1.el5
>
> Set up also samba from sernet repos (samba 3.4)
> Anyway is consuming a lot of memory even if there is no one using it
>  (this picture has been taken yesterday with no one in office)
>
> Is there something I have to see to reduce the memory usage, or it's a
> known bug?
>
> Actually I restart the dirsrv when it consumes all the ram available.
>
> Thanks
> --
> ---
> Gioachino Bartolotta
> ICQ #: 9103167
> MSN Messenger: astrar...@email.it
> Yahoo & Skype: gioachino_bartolotta

Re: [389-users] question syncing with AD

2011-06-28 Thread solarflow99
From my tests, no.  OUs have to be created and deleted manually in 389.  For
passwords, they have to be reset in AD since only PassSync can pick them
up.  You can replicate any OU, just create the sub containers first and
initiate a full resynchronization.





On Mon, Jun 27, 2011 at 4:16 PM, solarflow99  wrote:

>
>
> On Mon, Jun 27, 2011 at 4:08 PM, Mi Zhou  wrote:
>
>> Thanks Rich for the answer. A few more questions:
>>
>> Does existing password get synced during the initial full
>> re-synchronization? or does it only sync changes?
>>
>> Does container entries got synced as well? Say, if a new OU was created
>> on AD, will that be synced on 389?
>>
>
>

Re: [389-users] win sync error

2011-06-21 Thread solarflow99
I'm using self signed certs, did I miss something?

>> Probably.  There are many steps involved in getting winsync to use TLS/SSL
>> to talk to AD, and getting AD PassSync to use TLS/SSL to talk to DS.  Which
>>
>


> From the Docs listed online:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>
> and I went over everything else I could possibly find too.  It seems in the
> case of self signed certificates, the windows CA has to be exported as a .cer
> file, and imported in 389 with:  certutil -d . -A -n "AD Cert" -t "CTu,u,u"
> -i ad-cert.cer
>

[389-users] configuring SSL for windows replication

2011-06-03 Thread solarflow99
For self signed certs, as I understand it, the 389 supplier that has the CA
must create a server cert for the windows host?  How can this cert be
exported/imported since windows doesn't use pk12util?  Has anyone set this
up, and can say the steps on windows 2008?  I see there are many options for
installing IIS and Microsoft CA.

Thanks,

[389-users] ssl replication

2011-05-19 Thread solarflow99
I'm trying to configure replication over SSL using StartTLS, I don't see any
example of how to export/import self signed certs into the slave.  Here's
what I did:
created a CA cert and server cert on the master, everything is fine.
exported the CA cert and copied it to the slave:


[root@ldapslave]# certutil -A -d . -n "CA certificate" -t "CT,," -a -i
cacert.asc

[root@ldapslave]# certutil -d . -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

CA certificate                              CT,,



What is next?  I tried everything I could think of..
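A checker for `certutil -L` output, added here as an example and not from either post, that covers both the "Peer's Certificate issuer is not recognized" listing quoted earlier on this page and the replication-slave listing in this post: it parses the trust-attribute columns and reports whether the database holds a CA trusted for SSL (C or T flag) and a certificate with a private key (u flag). The two listings are constructed from the ones quoted on this page with the columns re-aligned; LISTING_GOOD is a constructed correct state.

```python
"""Check the trust flags in a `certutil -L` listing of a 389-ds NSS database.
Added example, not from the posts; the listings are constructed from the two
quoted on this page (columns re-aligned) plus one known-good state."""
import re

# NSS trust attribute fields are SSL,S/MIME,JAR/XPI. Flags that matter here:
#   C = trusted CA for server certs, T = trusted CA for client certs,
#   c = valid CA (not trusted), P = trusted peer, u = cert with a private key.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")
HEADER_TOKENS = ("Certificate Nickname", "Trust Attributes",
                 "SSL,S/MIME,JAR/XPI", "Attributes")

# The slave in the replication post: CA imported, no server cert yet.
LISTING_SLAVE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
"""

# The "issuer is not recognized" post: the only entry carries user-cert flags.
LISTING_VARAD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   u,u,u
"""

# Constructed correct state: trusted CA plus a Server-Cert with its key.
LISTING_GOOD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
"""


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings."""
    certs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or any(line.startswith(t) for t in HEADER_TOKENS):
            continue
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def diagnose(text):
    """Return trusted CAs, keyed certs and findings for a TLS-bound database."""
    certs = parse_certutil_listing(text)
    trusted_cas = [n for n, (ssl, _, _) in certs.items() if "C" in ssl or "T" in ssl]
    keyed = [n for n, (ssl, _, _) in certs.items() if "u" in ssl]
    findings = []
    if not trusted_cas:
        # Nothing can chain to a trusted issuer: NSS reports -8179,
        # "Peer's Certificate issuer is not recognized", for any cert signed
        # by a CA that is absent or was imported without C/T trust.
        findings.append("no-trusted-ssl-ca")
    if not keyed:
        # No certificate with a private key for the instance to present.
        findings.append("no-cert-with-private-key")
    for n, (ssl, _, _) in certs.items():
        # Heuristic: an entry named like a CA but imported with user-cert
        # flags (u,u,u) instead of CT,, will not validate any issuer.
        if "CA" in n.upper().split() and "u" in ssl and "C" not in ssl and "T" not in ssl:
            findings.append("ca-like-entry-without-ca-trust:" + n)
    return {"trusted_cas": trusted_cas, "keyed_certs": keyed, "findings": findings}
```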

[389-users] windows sync question

2011-05-18 Thread solarflow99
I have a question about windows sync, in the docs it says the replica role
should be single or multi master, but with single master you can't set
update settings for the bind DN.  Will this still work?
Is there a way to sync 1 way, from windows AD -> dirsrv only?

Thanks,

Re: [389-users] replication with ssl

2011-05-18 Thread solarflow99
This is the latest: 389-ds-base-1.2.8.2-1.el5  I think it's something simple,
since I have it working, but just not over startTLS on port 389.  When I
change the replication agreement to: use StartTLS, the replication status
shows:  LDAP error: Protocol Error. Error code: 2

The docs didn't say much about this, can't dirsrv use default certs from
/etc/pki like apache ssl and ssh use for this?


Thanks,


On Wed, May 18, 2011 at 11:26 AM, Rich Megginson wrote:

>  On 05/18/2011 08:35 AM, solarflow99 wrote:
>
> I just wonder why I'm getting: RESULT err=2 when I try to use replication
> over simple SSL.  The replication agreement works when I use ldap with no
> encryption, but when I select SSL encryption with ldap it just gives that
> error.  I'm not looking to use certificates, just simple bind DN/password.
>
> What platform?  What version of 389-ds-base?  What does it say in the
> errors log?
> What replication configuration did you do to use SSL?
> Have you installed the CA cert?
>

[389-users] replication with ssl

2011-05-18 Thread solarflow99
I just wonder why I'm getting: RESULT err=2 when I try to use replication
over simple SSL.  The replication agreement works when I use ldap with no
encryption, but when I select SSL encryption with ldap it just gives that
error.  I'm not looking to use certificates, just simple bind DN/password.

Re: [389-users] creating certs

2011-05-09 Thread solarflow99
oh, I'm surprised I didn't see that too.

Thanks...


On Mon, May 9, 2011 at 5:01 PM, Rich Megginson  wrote:

>  On 05/09/2011 02:58 PM, solarflow99 wrote:
>
> Hi, I'm trying to setup replication, and was wondering how we can create
> self signed certs?  The docs only say to send it to a CA, but not how to do
> it yourself.  I don't see where the private key is for me to do it from the
> command line.
>
> If you just want to create some self signed certs for internal/testing
> purposes - http://directory.fedoraproject.org/wiki/Howto:SSL
>
>
> Thanks,