Wednesday, March 30, 2016

[389-users] Replication + SSLCLIENTAUTH failure: setup_ol_tls_conn - failed: unable to create new TLS context

Hi all,

I have tried to set up a replication agreement on a 389ds master to send updates to a 389ds slave. The master is configure to use client certs for authentication.

The 389ds master fails each time it attempts to contact the slave with the following message, and tcpdump shows no traffic flowing over the wire:

[30/Mar/2016:17:19:19 +0000] setup_ol_tls_conn - failed: unable to create new TLS context
[30/Mar/2016:17:19:19 +0000] slapi_ldap_bind - Error: could not configure the server for cert auth - error -1 - make sure the server is correctly configured for SSL/TLS
[30/Mar/2016:17:19:19 +0000] NSMMReplicationPlugin - agmt="cn=Agreement ldap.example.com" (ldap:636): Replication bind with EXTERNAL auth failed: LDAP error 0 (Success) ()

The server is correctly configured for SSL/TLS, and I am able to bind to both the master and the slave over SSL port 636.

The replication agreement looks as follows:

dn: cn=Agreement ldap.example.com,cn=replica,cn=dc\3Dexample\,dc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: top
cn: Agreement ldap.example.com
description: Replication agreement to ldap.example.com
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsds5replicaChangesSentSinceStartup:
nsDS5ReplicaHost: ldap.example.com
nsds5replicaLastInitEnd: 0
nsds5replicaLastInitStart: 20160330162755Z
nsds5replicaLastInitStatus: 255 Replication error acquiring replica: unknown
error
nsds5replicaLastUpdateEnd: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateStatus: 255 Replication error acquiring replica: unkno
wn error - Unable to acquire replica
nsDS5ReplicaPort: 636
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaTransportInfo: SSL
nsds5replicaUpdateInProgress: FALSE

Is there anything I can do to coax a useful error message out of the master server? "LDAP error 0 (Success)" tells me this is a bug of some kind, as why would it fail saying success?

This is 389ds on Ubuntu 14.04:

ii 389-ds-base 1.3.2.16-0ubuntu1 amd64 389 Directory Server suite - server

Regards,
Graham

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)