Dan Weintraub
2009-Jun-09 20:20 UTC
[389-users] Problems with replication over SSL

Hi all,

I'm trying to set up replication over ssl and am running into problems. I first tried it unencrypted and all worked fine. I then copied over the consumer's CA certificate and set up replication with SSL and Simple Authentication. It doesn't work and I now get the following errors:

When I set it up:
supplier error log:
[01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

these appear thereafter:
consumer access log:
[01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from 10.1.1.100 to 10.1.1.101
[01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 (Protocol error) - B1

consumer error log:
[01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag 0x80, expected 0x30)

Versions:
Supplier:
fedora-ds-1.1.2-1.fc6
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-admin-1.1.6-1.fc6
fedora-ds-admin-console-1.1.2-1.fc6
fedora-ds-console-1.1.2-1.fc6

Consumer:
fedora-ds-admin-1.1.7-3.fc6
fedora-ds-admin-console-1.1.3-1.fc6
fedora-ds-base-1.2.0-2.fc6
fedora-ds-dsgw-1.1.2-1.fc6
fedora-ds-console-1.2.0-1.fc6
fedora-ds-1.1.3-1.fc6

I'm at a loss as to how to proceed with troubleshooting and would appreciate any suggestions.

Thanks,
Dan Weintraub
Dan Weintraub wrote:
> [...]
> consumer error log:
> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag 0x80, expected 0x30)

Looks like an attempt to use SSL on the non-SSL port (port 389)

> [...]
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
John A. Sullivan III
2009-Jun-09 20:46 UTC
Re: [389-users] Problems with replication over SSL
On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
> I'm trying to set up replication over ssl and am running into problems. I first tried it unencrypted and all worked fine. I then copied over the consumer's CA certificate and set up replication with SSL and Simple Authentication. It doesn't work and I now get the following errors:
<snip>

Hi, Dan. Here is a snippet from our internal documentation. I apologize that I don't have time to customize it or analyze your issue more deeply but perhaps our findings will help you in your environment. Given Rich's comment, I wonder if you were stung by the same error in documentation we noted below:

    Go back to the centos-idm-console on ldap1
    Go to the Configuration tab, select the userRoot under the Replication object in the left panel. Left/right click and choose New Replication Agreement
    The name is "mycompany.com ldap1->ldap2" and the Description is "Replicates mycompany.com from ldap1 to ldap2". Click Next.
    Set the Consumer to ldap2.mycompany.com:389 from the drop down box (389 is correct even though we are really using 636) - Oops! That is not true despite what the documentation says. Click other and create a new entry for ldap2.mycompany.com on port 636.
    Enable the SSL connection.
    Enter cn=repuser,cn=config for the Bind As and enter the password.
    Click Next and then Next again.
    We will always keep directories in sync so click Next again.
    Choose Initialize Consumer Now and click Next
    Click Done

If you need more details, e.g., about how we set up SSL, I posted most of our internal procedure a day or two ago on this mailing list in response to a post entitled "Developting a CentOS-DS setup". You can find much more detail there.

Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Dan Weintraub
2009-Jun-10 20:31 UTC
Re: [389-users] Problems with replication over SSL

Thanks, that's exactly what I was following. Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates set up (or so I thought...) I'll read through that documentation you posted and see if I can sort it out.

Thanks,
Dan

PS
NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.)

John A. Sullivan III wrote:
> [...]
> Set the Consumer to ldap2.mycompany.com:389 from the drop down box (389 is correct even though we are really using 636) - Oops! That is not true despite what the documentation says. Click other and create a new entry for ldap2.mycompany.com on port 636.
> [...]
John A. Sullivan III
2009-Jun-10 20:42 UTC
Re: [389-users] Problems with replication over SSL
Hi, Dan. My guess would be you do not have the CA cert in place and hence the lack of trust - John

On Wed, 2009-06-10 at 16:31 -0400, Dan Weintraub wrote:
> Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates set up (or so I thought...)
> [...]
> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.)
jean-Noël Chardron
2009-Jun-11 07:44 UTC
Re: [389-users] Problems with replication over SSL
hi,

Dan Weintraub wrote:
> Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates set up (or so I thought...)
> [...]
> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.)

Can you post the output of the command:

    # certutil -L -d /path/of/directory/where/is/the/certificate/

The directory where the certificate is has 2 files: key3.db and cert8.db

For example, on my server the output is:

    # certutil -L -d /etc/dirsrv/slapd-aragon/
    Certificate Nickname                             Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

    CNRS2-Standard                                   CT,C,C
    aragon.dr15.cnrs.fr Cert                         u,u,u
    CNRS-Standard                                    CT,C,C
    CNRS                                             CT,C,C
    CNRS2                                            CT,C,C

I suppose (it's a hypothesis) that your certificate doesn't have the tag u,u,u or something like this or the CA can't trust the certificate

--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers BP 105
33402 TALENCE - FRANCE
tél : (33) 5.57.35.58.41
fax : (33) 5.57.35.58.01
MSN : jnc@dr15.cnrs.fr
David (Dave) Donnan
2009-Jun-11 10:05 UTC
Re: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?
Rich, et al, hello. Thanks to everybody for all the help to date - quite incredible really.

I've done my research but have nothing positive to report.

I believe I was mistaken when I thought I could simply configure nss_ldap/pam_ldap to use a client SSL cert when binding to FDS:
http://www.nabble.com/Using-certificate-per-host-to-secure-communication-to-OpenLDAP-td19371786.html
http://www.nabble.com/Using-tls_cert-key-without-rootbinddn-td9089498.html

Apparently the secure tunnel is used, the OS's certificate is 'validated' by FDS but no LDAP bind is performed.

I reckon we'll put the password, in clear text, in the file /etc/ldap.conf and protect the file.

Also, I think one must leave the client's (Linux O/S) secret key-file without a password.

Cdlt, Dave

--------------

Rich, hello and, as ever, thanks for the helpful reply. One very quick question and a quick technote 'for the record'.

< You write, '... It probably won't, unless you either hardcode the clear text password ...'
Q1: Hardcode where? Is there an attribute in /etc/ldap.conf specifically for the keyfile password?

I have no idea - all I know is that if you need a password to unlock the private key, you need to store it somewhere.

< You write, '... or simply have no key password ...'
For the record, I reckon I need the '-noDES' option if I don't want a key file password:

    openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes <<EOF
    ...
    EOF

For reference: http://www.openssl.org/docs/apps/req.html# I'll let you all know if my PAM-LDAP Linux login works when using client-certificates for binding to LDAP.

Ok. Thanks again,

-----

> Date: Tue, 12 May 2009 09:31:16 -0600
> From: rmegg...@redhat.com
> To: fedora-directory-users@redhat.com
> CC: lamba...@hotmail.com
> Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
>
> lamba...@hotmail.com wrote:
> > Hello everybody and, firstly, thanks for your continued support.
> >
> > I hope I've used the correct expression/jargon, ie: PAM-LDAP ?
> >
> > PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff.
> Except for the fact that you have the directory manager clear text password hardcoded in ldap.conf :-(
> > This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff !
> >
> > Symbolic Link pointing to the CA certificate: Q1. I've searched the web but cannot find what purpose the symbolic link serves.
> > ----------------------------------------
> >
> > # ls -toalr /etc/openldap/cacerts
> > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem
> >
> >
> > Client Certificate etc.
> > --------------------------
> > I'm now experimenting with client certificates and have found the following link:
> >
> > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
> >
> > and see the following example lines for the file /etc/ldap.conf:
> > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
> > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
> >
> > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command ?
> > Will I have trouble if I specify '-passout' ? I assume it protects the file $FN.key.
> > How will PAM-LDAP open the keystore if I have used a password ?
> It probably won't, unless you either hardcode the clear text password, or simply have no key password.
> >
> > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass:<password> 0<< EOF >/dev/null 2>&1
> > <SNIP>
> >
> > Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command ?
> >
> > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \
> > -cert $DIR/demoCA/cacert.pem \
> > -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> > <SNIP>
> >
> > Thanks again, cdlt,
Dan Weintraub
2009-Jun-17 21:48 UTC
Re: [389-users] Problems with replication over SSL

Hi all,

I've been looking into this and I first found out that your suspicions are correct. The trust attributes on my CA certificate are incorrect.

certutil -L shows them as "CT,,"

To fix this I tried the modify command,

    certutil -M -n cacert -t CTu,u,u -d .

It gives no error, but unfortunately, does nothing and certutil -L still shows me "CT,,"

I thought this might have been because I used openssh tools instead of certutil, so I removed all my certificates and created a new CA with certutil, specifying "CTu,u,u" on the command line when I created the CA cert. I then added the CA with the Certificate Manager and did a certutil -L only to find that it was marked "CT,," I tried to modify this certificate with certutil -M, but it still doesn't work.

Do I have some permissions wrong somewhere? Am I using the tools incorrectly? Any suggestions?

Thanks in advance,
Dan

jean-Noël Chardron wrote:
> [...]
> I suppose (it's a hypothesis) that your certificate doesn't have the tag u,u,u or something like this or the CA can't trust the certificate
Dan Weintraub wrote:
> I've been looking into this and I first found out that your suspicions are correct. The trust attributes on my CA certificate are incorrect.
>
> certutil -L shows them as "CT,,"
>
> To fix this I tried the modify command,
>
> certutil -M -n cacert -t CTu,u,u -d .
>
> It gives no error, but unfortunately, does nothing and certutil -L still shows me "CT,,"
> [...]
> Do I have some permissions wrong somewhere? Am I using the tools incorrectly? Any suggestions?

CT and CTu are equivalent for a CA cert - that is, the "u" doesn't matter for a CA cert. What is it that leads you to believe the trust settings are an issue?
John A. Sullivan III
2009-Jun-17 22:05 UTC
Re: [389-users] Problems with replication over SSL
Hi, Dan. You might want to remove whatever CA certs you've got in the
database and then re-add just in case. I don't recall the command to do
that. Here is all we did to import our CA cert:

certutil -A -d . -n "CA certificate" -t "CT,," -a -i CA.pem

Are you certain you have the correct CA cert and that it is valid (not
expired, etc.)? You can try doing:

openssl x509 -in clientcertname.pem -noout -issuer

and compare that to

openssl x509 -in CA.pem -noout -subject

This would also reveal if your copy of the CA cert is malformed for some
reason. I'm pulling the syntax off the top of my head so it might be in
error.

I might also suggest editing this thread and bottom posting rather than
top posting; it would make it a little easier to follow. Hope this helps
- John

On Wed, 2009-06-17 at 17:48 -0400, Dan Weintraub wrote:
> Hi all,
>
> I've been looking into this and I first found out that your suspicions
> are correct. The trust attributes on my CA certificate are incorrect.
>
> certutil -L shows them as "CT,,"
>
> To fix this I tried the modify command,
>
> certutil -M -n cacert -t CTu,u,u -d .
>
> It gives no error, but unfortunately, does nothing and certutil -L still
> shows me "CT,,"
>
> I thought this might have been because I used openssh tools instead of
> certutil, so I removed all my certificates and created a new CA with
> certutil, specifying "CTu,u,u" on the command line when I created the CA
> cert. I then added the CA with the Certificate Manager and did a
> certutil -L only to find that it was marked "CT,," I tried to modify
> this certificate with certutil -M, but it still doesn't work.
>
> Do I have some permissions wrong somewhere? Am I using the tools
> incorrectly? Any suggestions?
>
> Thanks in advance,
> Dan
>
> jean-Noël Chardron wrote:
> > hi,
> >
> > Dan Weintraub wrote:
> >> Thanks, that's exactly what I was following. Now that I've got the
> >> port corrected I'm getting a certificate error despite having the
> >> correct certificates setup (or so I thought...) I'll read through that
> >> documentation you posted and see if I can sort it out.
> >>
> >> Thanks,
> >> Dan
> >>
> >> PS
> >> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
> >> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
> >> Runtime error -8172
> >> (Peer's certificate issuer has been marked as not trusted by the user.)
> >>
> > Can you post the output of the command :
> > #certutil -L -d /path/of/directory/where/is/the/certificate/
> >
> > The path of the directory where is the certificate has 2 files : key3.db
> > and cert8.db
> >
> > For example, on my server the output is :
> > # certutil -L -d /etc/dirsrv/slapd-aragon/
> > Certificate Nickname                          Trust Attributes
> >                                               SSL,S/MIME,JAR/XPI
> >
> > CNRS2-Standard                                CT,C,C
> > aragon.dr15.cnrs.fr Cert                      u,u,u
> > CNRS-Standard                                 CT,C,C
> > CNRS                                          CT,C,C
> > CNRS2                                         CT,C,C
> >
> > I suppose (it's a hypothesis) that your certificate doesn't have the
> > tag u,u,u or something like this or the CA can't trust the certificate
> >
> >> John A. Sullivan III wrote:
> >>> <snip>

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
On 06/17/2009 02:48 PM, Dan Weintraub wrote:
> Hi all,
>
> I've been looking into this and I first found out that your suspicions
> are correct. The trust attributes on my CA certificate are incorrect.
>
> certutil -L shows them as "CT,,"
>
> To fix this I tried the modify command,
>
> certutil -M -n cacert -t CTu,u,u -d .
>
> It gives no error, but unfortunately, does nothing and certutil -L
> still shows me "CT,,"

Try CTu,Cu,Cu or CT,C,C

You can verify your cert chain with a

certutil -V -d <nss-dir> -n <ssl-server-nickname> -eu CVS

which should return:

certutil: certificate is valid

or

certificate is invalid: Peer's Certificate issuer is not recognized.

Use certutil -O to display the certificate chain.

M.

> I thought this might have been because I used openssh tools instead of
> certutil, so I removed all my certificates and created a new CA with
> certutil, specifying "CTu,u,u" on the command line when I created the
> CA cert. I then added the CA with the Certificate Manager and did a
> certutil -L only to find that it was marked "CT,," I tried to modify
> this certificate with certutil -M, but it still doesn't work.
>
> Do I have some permissions wrong somewhere? Am I using the tools
> incorrectly? Any suggestions?
>
> Thanks in advance,
> Dan
>
> jean-Noël Chardron wrote:
>> hi,
>>
>> Dan Weintraub wrote:
>>> Thanks, that's exactly what I was following. Now that I've got the
>>> port corrected I'm getting a certificate error despite having the
>>> correct certificates setup (or so I thought...) I'll read through
>>> that documentation you posted and see if I can sort it out.
>>>
>>> Thanks,
>>> Dan
>>>
>>> PS
>>> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
>>> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
>>> Runtime error -8172
>>> (Peer's certificate issuer has been marked as not trusted by the user.)
>>>
>> Can you post the output of the command :
>> #certutil -L -d /path/of/directory/where/is/the/certificate/
>>
>> The path of the directory where is the certificate has 2 files :
>> key3.db and cert8.db
>>
>> For example, on my server the output is :
>> # certutil -L -d /etc/dirsrv/slapd-aragon/
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> CNRS2-Standard                                CT,C,C
>> aragon.dr15.cnrs.fr Cert                      u,u,u
>> CNRS-Standard                                 CT,C,C
>> CNRS                                          CT,C,C
>> CNRS2                                         CT,C,C
>>
>> I suppose (it's a hypothesis) that your certificate doesn't have the
>> tag u,u,u or something like this or the CA can't trust the certificate
>>
>>> John A. Sullivan III wrote:
>>>> <snip>
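As an added illustration (not code from anyone in the thread), the Python below parses a `certutil -L` listing of the kind jean-Noël posted, decodes the NSS trust string into its SSL, S/MIME and JAR/XPI slots, and checks the two things a replication-over-SSL setup needs from the supplier's database: the consumer's CA marked as a trusted CA for SSL (`C` in the first slot) and the server cert present with its private key (`u`). The listing, the nicknames and the missing-`C` case are constructed; the letter meanings follow certutil's documented trust flags.

```python
"""Decode NSS trust flags from `certutil -L` output (constructed sample)."""
import re

# Constructed sample modelled on the listing in the thread; nicknames are
# placeholders. "Untrusted-CA" has an empty SSL slot on purpose.
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

cacert                                               CT,,
ldap2.mycompany.com Cert                             u,u,u
CNRS2-Standard                                       CT,C,C
Untrusted-CA                                         ,,
"""

# Meaning of each trust letter, per certutil's documentation.
FLAG_MEANING = {
    "p": "valid peer", "P": "trusted peer",
    "c": "valid CA", "C": "trusted CA (server certs)",
    "T": "trusted CA (client auth)", "u": "user cert (private key present)",
}
SLOTS = ("SSL", "S/MIME", "JAR/XPI")
_ROW = re.compile(r"^(.*?)\s{2,}([pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")

def parse_certutil_list(text):
    """Return {nickname: (ssl, smime, jar)} flag tuples from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m and m.group(1).strip():          # header lines never match the flag pattern
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs

def describe_flags(flagstring):
    """Map a trust string such as 'CT,C,C' to the meaning of each slot."""
    parts = flagstring.split(",")
    if len(parts) != 3:
        raise ValueError(f"expected three comma-separated slots, got {flagstring!r}")
    return {slot: [FLAG_MEANING[ch] for ch in part] for slot, part in zip(SLOTS, parts)}

def ssl_trust_problems(certs, ca_nick, server_nick):
    """List why an SSL peer would not accept server_nick's chain up to ca_nick."""
    problems = []
    ca = certs.get(ca_nick)
    if ca is None:
        problems.append(f"CA '{ca_nick}' is not in the database")
    elif "C" not in ca[0]:
        problems.append(f"CA '{ca_nick}' SSL flags '{ca[0]}' lack 'C' (trusted CA for SSL)")
    srv = certs.get(server_nick)
    if srv is None:
        problems.append(f"server cert '{server_nick}' is not in the database")
    elif "u" not in srv[0]:
        problems.append(f"server cert '{server_nick}' SSL flags '{srv[0]}' lack 'u' (no private key)")
    return problems
```

A CA whose SSL slot already shows `C` passes this check, so a lingering -8172 points at the CA not actually being the issuer of the peer's cert (John's issuer/subject comparison) rather than at the flags.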