Wednesday, July 20, 2022

[389-users] Re: Replcation failing since update to 389-ds-base-2.0.15-1.module_el8+14185+adb3f555.x86_64

Hi Brian,

I can think about several possibilities:
   [1] the value of nsslapd-validate-cert config attribute may have changed
   (i.e: now the certificate chain is verified while it was not the case before)
     Turning off nsslapd-validate-cert should then solve the issue.
   [2] DNS resolution issue: i.e:  fully qualified hostname associated with the supplier ip address differs on both machines (But upgrading RHDS should not impact the DNS resolution ... )
   [3] Problem in the way the certificate gets generated ... 
           certutil -L -d /etc/dirsrv/slapd-inst  [name]    is your friend to display the certificate(s).

Good luck !

On Tue, Jul 19, 2022 at 9:52 PM Brian Collins <> wrote:
Good day,

We have an LDAP cluster on RHEL 8.  We were running and recently updated to 2.0.15-1.module_el8+14185+adb3f555.x86_64.

Since then, replication fails from any server to any other server.  What I am seeing in /var/log/dirsrv/slapd-pro01/errors is:
[19/Jul/2022:15:20:20.174222661 -0400] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pro01topro02" (pro02:636) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (TLS: hostname does not match subjectAltName in peer certificate)
[19/Jul/2022:15:46:41.092806631 -0400] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "")

I regenerated and reinstalled the certs for pro01 and pro02, adding the SAN.  But that did not help things any.

Did I miss something in the update to v2?
Thanks in advance,
Brian Collins
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:


389 Directory Server Development Team

No comments:

Post a Comment