Re: [389-users] Multi-Master Replication Issue

On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:

> Hi All,
>
> I am trying to create multi-master replication in 389. But I am having trouble using ldapmodify to create a replication manager DN account. I get the following error:
>
>     Additional info: TLS error -8157: Certificate extension not found
>
> I went on the web and some people suggested I have a TLS_REQCERT=none line in /etc/openldap/ldap.conf, but this did not fix it either. My certificate in /etc/openldap/cacerts is called cacert.asc.
>
> Does anyone know how I can fix my problem?
>
> Thanks,
> R

Not totally sure, but don't use the "=". Here is mine:

    URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
    BASE ou=People,dc=domain,dc=com
    TLS_CACERTDIR /etc/openldap/cacerts
    # TLS_CACERT /etc/openldap/cacerts/cacert.asc
    TLS_REQCERT allow

You can set it to "TLS_REQCERT never" as well. Also consider setting the TLS_CACERTDIR and TLS_CACERT.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Multi-Master Replication Issue

For testing I know "TLS_REQCERT never" works. For production I use:

    TLS_REQCERT demand
    TLS_CACERT /path/to/ca_cert.pem

If "TLS_REQCERT never" works then there's something wrong with your cert most likely. Though I'd expect a generic connection error if it were just a problem verifying the certificate. Does ldapsearch/ldapmodify work for other operations? Otherwise maybe send us the exact command you're running?

-morgan

On Mar 6, 2014, at 12:29 PM, Justin Edmands shockwav...@gmail.com wrote:

> [...]
Re: [389-users] Multi-Master Replication Issue

Okay, I will take a look and report back.

Thanks,
Rohit

On 3/6/14 12:58 PM, Morgan Jones mor...@morganjones.org wrote:

> [...]
Re: [389-users] Multi-Master Replication Issue

I had to put a -x after ldapmodify to make it use simple authentication versus SASL. My 389 DS is not SASL enabled, but it does have a self-signed CA certificate. When I tried to just set "TLS_REQCERT never", it did not work. I haven't tried testing the TLS_CACERT variable, where I set exactly what the cacert.asc is. Could there be a problem with creating the certificate with certutil versus OpenSSL (certutil results in an .asc file)?

Look forward to thoughts,
R

On 3/6/14 1:04 PM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:

> [...]
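The replies above come down to two checks: whether the TLS_* lines in /etc/openldap/ldap.conf are written the way libldap parses them (keyword and value separated by whitespace, not "=", and "demand" rather than "never" or "allow" for anything beyond a test), and, from the last message, whether the CA file itself is sound regardless of whether certutil or OpenSSL wrote it. The script below is an added example, not code from this thread or from the 389 project. It lints a client ldap.conf and uses openssl to check that a CA file carries the basicConstraints CA:TRUE extension; NSS error -8157 is SEC_ERROR_EXTENSION_NOT_FOUND, so a CA certificate missing an expected extension is the first thing to rule out. The host dir.example.com and the sample configs are constructed for the example; cacert.asc is the poster's own path.

```shell
#!/bin/sh
# Added example, not from the thread. Lints the TLS_* lines of an OpenLDAP client
# ldap.conf and checks that the file given to TLS_CACERT is really a CA certificate.
# Needs a POSIX shell with awk; the certificate check needs openssl.

# ldapconf_lint FILE
# Prints one finding per setting. Returns 0 only when the file verifies the server
# certificate (TLS_REQCERT demand/hard, which is also libldap's default), 1 on a
# syntax error or a setting that skips verification. ldap.conf separates keyword
# and value with whitespace, so "TLS_REQCERT=none" is one unknown token and
# changes nothing.
ldapconf_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        $1 ~ /=/ {
            printf "BAD  %s: separate keyword and value with whitespace, not =\n", $1
            bad = 1; next
        }
        $1 == "TLS_REQCERT" {
            reqcert = $2
            if (reqcert == "never" || reqcert == "allow") {
                printf "WEAK TLS_REQCERT %s: server certificate is not verified, so anyone on the path can impersonate the directory\n", reqcert
                bad = 1
            } else if (reqcert == "try") {
                print "WEAK TLS_REQCERT try: a server that sends no certificate is accepted"
                bad = 1
            } else if (reqcert == "demand" || reqcert == "hard") {
                printf "OK   TLS_REQCERT %s\n", reqcert
            } else {
                printf "BAD  TLS_REQCERT %s: valid values are never, allow, try, demand, hard\n", reqcert
                bad = 1
            }
            next
        }
        $1 == "TLS_CACERT" || $1 == "TLS_CACERTDIR" { trust = 1; printf "OK   %s %s\n", $1, $2 }
        END {
            if (!trust)
                print "WARN no TLS_CACERT/TLS_CACERTDIR: only the system trust store is consulted, so a private CA must be installed there"
            exit bad
        }
    ' "$1"
}

# cacert_is_ca FILE
# Returns 0 if FILE is a PEM certificate with basicConstraints CA:TRUE, 1 otherwise.
# "certutil -L -d <db> -n <nick> -a" writes PEM, so a .asc file from certutil is
# read by openssl exactly like a .pem from the OpenSSL CLI: the tool that made the
# certificate does not matter, the extensions inside it do.
cacert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) found = 1 }
             END { exit !found }'
}

# ldaps_probe HOST CAFILE
# Live check against a directory server (needs network, so not exercised here).
# Fails unless the server chain verifies against CAFILE, which is exactly what
# TLS_REQCERT demand will require of ldapsearch/ldapmodify.
ldaps_probe() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone run: lint a constructed copy of the original poster's line, then the
# hardened form. dir.example.com is a placeholder host.
demo() {
    tmp=$(mktemp)
    printf 'URI ldaps://dir.example.com\nTLS_REQCERT=none\n' > "$tmp"
    ldapconf_lint "$tmp" || echo "-> rejected, as expected"
    printf 'URI ldaps://dir.example.com\nTLS_REQCERT demand\nTLS_CACERT /etc/openldap/cacerts/cacert.asc\n' > "$tmp"
    ldapconf_lint "$tmp" && echo "-> accepted"
    rm -f "$tmp"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with "--demo" to see both verdicts. Once the lint passes and cacert_is_ca says the .asc file is a CA certificate, ldaps_probe against the server is the same verification the client library will do, and "ldapsearch -x -H ldaps://HOST -b '' -s base" (the -x simple bind the last message mentions) should then connect without the TLS error; if it still fails with -8157, the problem is in the certificate the server presents, not in ldap.conf.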