[389-users] Re: Replcation failing since update to 389-ds-base-2.0.15-1.module_el8+14185+adb3f555.x86_64

Wed, 20 Jul 2022 06:12:07 -0700 

Hi Brian,

I can think about several possibilities:
   [1] the value of nsslapd-validate-cert config attribute may have changed
   (i.e: now the certificate chain is verified while it was not the case
before)
     Turning off nsslapd-validate-cert should then solve the issue.
   [2] DNS resolution issue: i.e:  fully qualified hostname associated with
the supplier ip address differs on both machines (But upgrading RHDS should
not impact the DNS resolution ... )
   [3] Problem in the way the certificate gets generated ...
           certutil -L -d /etc/dirsrv/slapd-*inst*  [name]    is your
friend to display the certificate(s).

Good luck !
   Pierre


On Tue, Jul 19, 2022 at 9:52 PM Brian Collins <[email protected]>
wrote:

> Good day,
>
> We have an LDAP cluster on RHEL 8.  We were
> running 1.4.4.17-1.module_el8+13163+e27841f7.x86_64 and recently updated
> to 2.0.15-1.module_el8+14185+adb3f555.x86_64.
>
> Since then, replication fails from any server to any other server.  What I
> am seeing in /var/log/dirsrv/slapd-pro01/errors is:
> [19/Jul/2022:15:20:20.174222661 -0400] - ERR - NSMMReplicationPlugin -
> bind_and_check_pwp - agmt="cn=pro01topro02" (pro02:636) - Replication bind
> with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (TLS:
> hostname does not match subjectAltName in peer certificate)
> and
> [19/Jul/2022:15:46:41.092806631 -0400] - ERR - slapi_ldap_bind - Could not
> send bind request for id [cn=replication manager,cn=config] authentication
> mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error
> -5987 (Invalid function argument.), network error 0 (Unknown error, host "
> pro02.example.com:636")
>
> I regenerated and reinstalled the certs for pro01 and pro02, adding the
> SAN.  But that did not help things any.
>
> Did I miss something in the update to v2?
> Thanks in advance,
> Brian Collins
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>


-- 
--

389 Directory Server Development Team

_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to