Score:0

Why does my 389-ds configuration work over LDAP but not LDAPS?

kr flag

Sorry if this has been asked before, but when I searched for similar issues, I got results like these (that make no sense to me).

I've been trying to set up 389-ds using Red Hat's Directory Server 11 documentation on two fully-updated Rocky Linux 8.6 servers. My servers are supplier1.example.com and supplier2.example.com and are on the same subnet. I've set up each server's /etc/hosts file using their private IP and hostname, and have verified connectivity by pinging the other server's IP and hostname. Ports 389 and 636 are open for TCP. The suffixes being shared are "dc=example,dc=com.

The directory server instances were created using dscreate's interactive mode (LDAP over TCP 389, LDAPS over TCP 636, self-signed certificates, etc.). I suspect that the issue lies somewhere with those self-signed certs and a lack of trust between the two systems, but I don't know how to even begin correcting that.

Thank you for reading this.

Using the example commands below, I was able to create replication agreements...

Server 1:

sudo dsconf -D "cn=Directory Manager" ldap://supplier1.example.com replication \
    enable --suffix="dc=example,dc=com" --role="supplier" --replica-id=2 \
    --bind-dn="cn=replication manager,cn=config" --bind-passwd="password"

sudo dsconf -D "cn=Directory Manager" ldap://supplier1.example.com repl-agmt \
     create --suffix="dc=example,dc=com" --host="supplier2.example.com" --port=389 \
     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
     --bind-passwd="password" --bind-method=SIMPLE --init \
     example-agreement-supplier1-to-supplier2

Server 2:

dsconf -D "cn=Directory Manager" ldap://supplier2.example.com replication \
    enable --suffix="dc=example,dc=com" --role="supplier" --replica-id=1 \
    --bind-dn="cn=replication manager,cn=config" --bind-passwd="password"

sudo dsconf -D "cn=Directory Manager" ldap://supplier2.example.com repl-agmt \
     create --suffix="dc=example,dc=com" --host="supplier1.example.com" --port=389 \
     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
     --bind-passwd="password" --bind-method=SIMPLE --init \
     example-agreement-supplier2-to-supplier1

The documentation originally called for the replication agreement commands to use LDAPS over 636, but when I tried that replication would always fail. Here is an excerpt from running

$ ldapsearch -x -b "cn=mapping tree,cn=config" -D "cn=Directory Manager" -w  password objectClass=nsDS5ReplicationAgreement -LL

...
nsds5replicaLastUpdateStatus: Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2022-05-26T21:58:31Z", "message": "Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)"}
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20220526212655Z
nsds5replicaLastInitEnd: 19700101000000Z
nsds5replicaLastInitStatus: Error (-2) - LDAP error: Local error - no response received
nsds5replicaLastInitStatusJSON: {"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "255", "repl_rc_text": "no response received", "conn_rc": "0", "conn_rc_text": "operation success", "date": "2022-05-26T21:27:10Z", "message": "Error (-2) - LDAP error: Local error - no response received"}

Score:0
kr flag

I got replication to work over LDAPS by generating new self-signed certificates outside of 389-ds, and importing them on each server with the following command:

dsconf -D "cn=Directory Manager" ldap://host.domain.com security certificate add --file host_domain.com.crt --name "Server-Cert" --primary-cert .

Restarting the instances afterward resolved the issue.

NB: I have very little experience with 389-ds outside of this, so there probably is a better way to do this.

U. Windl avatar
it flag
One of the important point is that even when importing the certificates with `dsconf`, the server needs to be restarted afterwards.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.