Wednesday, March 30, 2016

[389-users] Re: Replication + SSLCLIENTAUTH failure: setup_ol_tls_conn - failed: unable to create new TLS context

What does your Replication Manager on the slave server look like?

ldapsearch -x -h <slavehost> -p <slaveport> [...] -b "cn=Replication Manager,cn=config"

Also, could you share your certmap.conf on the slave server? And the
Subject in the cert?


On 03/30/2016 10:30 AM, Graham Leggett wrote:
> Hi all,
>
> I have tried to set up a replication agreement on a 389ds master to send updates to a 389ds slave. The master is configured to use client certs for authentication.
>
> The 389ds master fails each time it attempts to contact the slave with the following message, and tcpdump shows no traffic flowing over the wire:
>
> [30/Mar/2016:17:19:19 +0000] setup_ol_tls_conn - failed: unable to create new TLS context
> [30/Mar/2016:17:19:19 +0000] slapi_ldap_bind - Error: could not configure the server for cert auth - error -1 - make sure the server is correctly configured for SSL/TLS
> [30/Mar/2016:17:19:19 +0000] NSMMReplicationPlugin - agmt="cn=Agreement ldap.example.com" (ldap:636): Replication bind with EXTERNAL auth failed: LDAP error 0 (Success) ()
>
> The server is correctly configured for SSL/TLS, and I am able to bind to both the master and the slave over SSL port 636.
>
> The replication agreement looks as follows:
>
> dn: cn=Agreement ldap.example.com,cn=replica,cn=dc\3Dexample\,dc\3Dcom,cn=mapping tree,cn=config
> objectClass: nsds5replicationagreement
> objectClass: top
> cn: Agreement ldap.example.com
> description: Replication agreement to ldap.example.com
> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
> nsDS5ReplicaBindMethod: SSLCLIENTAUTH
> nsds5replicaChangesSentSinceStartup:
> nsDS5ReplicaHost: ldap.example.com
> nsds5replicaLastInitEnd: 0
> nsds5replicaLastInitStart: 20160330162755Z
> nsds5replicaLastInitStatus: 255 Replication error acquiring replica: unknown error
> nsds5replicaLastUpdateEnd: 0
> nsds5replicaLastUpdateStart: 0
> nsds5replicaLastUpdateStatus: 255 Replication error acquiring replica: unknown error - Unable to acquire replica
> nsDS5ReplicaPort: 636
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaTransportInfo: SSL
> nsds5replicaUpdateInProgress: FALSE
>
> Is there anything I can do to coax a useful error message out of the master server? "LDAP error 0 (Success)" tells me this is a bug of some kind, as why would it fail saying success?
>
> This is 389ds on Ubuntu 14.04:
>
> ii 389-ds-base 1.3.2.16-0ubuntu1 amd64 389 Directory Server suite - server
>
> Regards,
> Graham
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
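One way to check ahead of time whether the cert's Subject will resolve to the Replication Manager entry under a given certmap.conf, as an added illustration that is not from this thread or from 389ds itself: the certmap.conf and Subject below are constructed, and the DNComps/FilterComps handling follows the documented certmap semantics as assumed here (base DN built from the named Subject components in Subject order, "e" searched as "mail").

```python
import re

# Cert-subject attribute -> LDAP attribute used in the filter (assumed default:
# "e" is searched as "mail"; every other component keeps its own name).
CERT_TO_LDAP = {"e": "mail"}

def parse_certmap(text):
    """Parse certmap.conf text into {name: {"issuer": ..., "DNComps": ..., ...}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):          # "certmap <name> <issuerDN>"
            _, name, issuer = line.split(None, 2)
            rules[name] = {"issuer": issuer}
            continue
        name, rest = line.split(":", 1)          # "<name>:<property> [<value>]"
        prop, _, value = rest.strip().partition(" ")
        rules.setdefault(name, {})[prop] = value.strip()
    return rules

def parse_subject(subject):
    """Split an RFC 4514 subject into lowercase (attr, value) pairs (escaped commas kept)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", subject):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def certmap_search(rule, subject):
    """Return (base_dn, filter) for the lookup certmap would perform.
    DNComps absent -> the whole subject DN is taken as the entry DN (no search).
    DNComps empty  -> search base "" (entire tree); otherwise the base is built
    from the named subject components, in subject order (simplifying assumption)."""
    pairs = parse_subject(subject)
    dncomps = rule.get("DNComps")
    if dncomps is None:
        return subject, None
    wanted = [a.strip().lower() for a in dncomps.split(",") if a.strip()]
    base = ",".join(f"{a}={v}" for a, v in pairs if a in wanted)
    fcomps = [a.strip().lower() for a in rule.get("FilterComps", "").split(",") if a.strip()]
    terms = [f"({CERT_TO_LDAP.get(a, a)}={v})" for a, v in pairs if a in fcomps]
    if not terms:
        return base, "(objectclass=*)"
    return base, terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

# Constructed sample: a rule that searches the whole tree for cn=<certificate CN>.
SAMPLE_CERTMAP = "certmap default default\ndefault:DNComps\ndefault:FilterComps cn\ndefault:verifycert on\n"
SAMPLE_SUBJECT = "CN=Replication Manager,OU=Directory,O=Example Corp,C=US"
```

Compare the computed base and filter with the DN returned by the ldapsearch above; if the search would not land on cn=Replication Manager,cn=config, the EXTERNAL bind cannot map to that identity regardless of the TLS setup.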
